Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
{{ $t('productDocDetail.guideClickSwitch') }}
{{ $t('productDocDetail.know') }}
{{ $t('productDocDetail.dontRemind') }}
8.0.85
Athena NGFW (Next-Generation Firewall) {{ breadTitle }} User Manual System High Availability HA Modes Overview
{{sendMatomoQuery("Athena NGFW (Next-Generation Firewall)","Overview")}}

Overview

{{ $t('productDocDetail.updateTime') }}: 2026-01-06

Active/Standby Mode

In the active/standby mode, only the active device handles the business traffic. The active device assigns the virtual IP addresses for managing business traffic, while the standby device does not. When the active device fails, a failover is triggered. The new active device assigns the virtual IP addresses while the new standby device removes them to implement automatic failover.

In the active/standby mode, the active device works as the active controller to synchronize its settings to the standby device, and the standby device cannot modify the synchronized settings.

Active/Standby Mirror Mode

In active/standby mode, only the information of interfaces assigned virtual IP addresses is synchronized with the standby device. Their IP and MAC addresses are not synchronized for interfaces not assigned virtual IP addresses. However, in the active/standby mirror mode, Network Secure uses physical IP addresses instead of virtual ones. The information of all interfaces except for the out-of-band management, control link, and data link interfaces are synchronized to the standby device. The two devices mirror each other and even have identical MAC addresses.

Active/Active Layer 2 Mode

In the active/active Layer 2 mode, the two devices are deployed in the Layer 2 mode or the Layer 2 virtual wire mode. Both devices are active without the concepts of Group 0 and Group 1.

In this mode, if the upstream and downstream devices use aggregate interfaces, and the request and response packets are transmitted using different paths (asymmetric routing), you need to enable link aggregation to ensure normal traffic forwarding. When a packet passes through one of the Network Secure devices after link aggregation is enabled, the Network Secure device determines which Network Secure device should handle the packet by calculating the packet's hash value. If the hash values of a flow's request and response packets are identical, they are handled by the same Network Secure device. For packets that the peer Network Secure device should handle, the local Network Secure device sends them to the peer device through the data link.