In the active/standby deployment, one device is active while the other is a hot standby. The two devices employ the heartbeat interface to detect each other's existence and synchronize settings and sessions. When the failure of the active device triggers a failover, business traffic is automatically directed to the standby device. Mechanisms such as session synchronization ensure the continuity and stability of the business traffic. The active/standby deployment supports the routing mode and the bridge mode (which includes the Layer 2 mode and the virtual wire mode).
Configuration Case
An enterprise plans to deploy two Athena NGFW devices to its VRRP-based LAN in the active/standby mode. The network topology is shown in the following figure.
Prerequisites
- Conditions for an HA deployment: The two devices must have the same software version, memory, interfaces, and licenses.
- Prepare the service interfaces (LAN and WAN), heartbeat interface, data synchronization interface, and IP addresses for the two devices in advance.
- Enable the Layer 2 mode and configure related security policies for the active device.
- Configure the standby device after configuring the active device.
Configuration Procedures
Step 1. Configure the heartbeat interface for the active device. Go to Network > Interfaces > Physical Interfaces to configure an IP address for the eth1 interface. In this case, the IP address is set to 11.1.1.1/24, as shown in the following figure.
Step 2. Enable the HA policy and select the Active/Standby mode for the active device. Go to System > High Availability and click Settings. On the HA Policy Settings page, check Enable for HA Policy, select Active/Standby as the Mode, select eth1 as the Control Link interface, and set the peer device's IP address to 11.1.1.2 (the data link is optional in the active/standby mode).
Step 3. Set the priority and virtual IP addresses for the active device. Set Priority to 100. On the Group 0 tab, click Add in the Virtual IP Addresses section. Select eth2 for Interface, and enter 10.2.1.3/24 in Virtual IPv4/Netmask. Then select eth3 for Interface, and enter 10.3.1.3/24 in Virtual IPv4/Netmask, as shown in the following figure.
Step 4. Configure interface monitoring for the active device. In the Monitored Object Management dialog box, select the Interface Monitoring tab and click Add. Select One fails for Failure Trigger, select Physical Interfaces for Interface, and select eth2 and eth3 as the service interfaces to monitor.
Step 5. Associate the monitored object with the active device. Select the link configured in the preceding step for Monitored Object, as shown in the following figure.
Step 6. Click Save to save the configuration.
Step 7. Configure the heartbeat interface for the standby device. Go to Network > Interfaces > Physical Interfaces to configure an IP address for the eth1 interface. In this case, the IP address is set to 11.1.1.2/24, as shown in the following figure.
Step 8. Enable the HA policy and select the Active/Standby mode for the standby device. Go to System > High Availability and click Settings. On the HA Policy Settings page, check Enable for HA Policy, select Active/Standby as the Mode, select eth1 as the Control Link interface, and set the peer device's IP address to 11.1.1.1 (the data link is optional in the active/standby mode).
Step 9. Set the priority and virtual IP addresses for the standby device. Set Priority to 99. On the Group 0 tab, click Add in the Virtual IP Addresses section. Select eth2 for Interface, and enter 10.2.1.3/24 in Virtual IPv4/Netmask. Then select eth3 for Interface, and enter 10.3.1.3/24 in Virtual IPv4/Netmask, as shown in the following figure.
Step 10. Configure interface monitoring for the standby device. In the Monitored Object Management dialog box, select the Interface Monitoring tab and click Add. Select One fails for Failure Trigger, select Physical Interfaces for Interface, and select eth2 and eth3 as the service interfaces to monitor.
Step 11. Associate the monitored object with the standby device. Select the link configured in the preceding step for Monitored Object, as shown in the following figure.
Step 12. Click Save to save the configuration.
Step 13. After configuring the active and standby devices in the active/standby mode, power on the active Athena NGFW device and enable its heartbeat interface and service interfaces. Then power on the standby Athena NGFW device and enable its heartbeat interface and service interfaces. You can go to System > High Availability to view the status of the two HA devices.
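The two devices are configured by hand with mirrored values, so a pre-deployment consistency check on the planned settings catches copy-and-paste mistakes before either device is powered on. The following is an added example, not part of the product or its documentation; the dictionary layout and the function name check_ha_pair are hypothetical, and the values are the ones used in the steps above.

```python
import ipaddress

# Planned settings transcribed from Steps 1-12 (dict layout is hypothetical).
ACTIVE = {
    "mode": "Active/Standby", "control_link": "eth1",
    "heartbeat": "11.1.1.1/24", "peer_ip": "11.1.1.2", "priority": 100,
    "virtual_ips": {"eth2": "10.2.1.3/24", "eth3": "10.3.1.3/24"},
    "monitored": {"eth2", "eth3"}, "failure_trigger": "One fails",
}
# The standby differs only in heartbeat address, peer address and priority.
STANDBY = {**ACTIVE, "heartbeat": "11.1.1.2/24", "peer_ip": "11.1.1.1", "priority": 99}


def check_ha_pair(a, b):
    """Return a list of problems found in the two devices' planned HA settings."""
    problems = []
    hb_a = ipaddress.ip_interface(a["heartbeat"])
    hb_b = ipaddress.ip_interface(b["heartbeat"])
    if hb_a.network != hb_b.network:
        problems.append("heartbeat interfaces are in different subnets")
    if hb_a.ip == hb_b.ip:
        problems.append("both devices use the same heartbeat IP")
    # Each device's peer address must be the other device's heartbeat address.
    if ipaddress.ip_address(a["peer_ip"]) != hb_b.ip:
        problems.append("first device's peer IP is not the second device's heartbeat IP")
    if ipaddress.ip_address(b["peer_ip"]) != hb_a.ip:
        problems.append("second device's peer IP is not the first device's heartbeat IP")
    # The case assigns 100 to the active device and 99 to the standby device.
    if a["priority"] == b["priority"]:
        problems.append("priorities are equal")
    # These settings are entered identically on both devices in the procedure.
    for key in ("mode", "control_link", "virtual_ips", "monitored", "failure_trigger"):
        if a[key] != b[key]:
            problems.append(f"{key} differs between the devices")
    # In this case every interface carrying a virtual IP is also monitored.
    for name, dev in (("first", a), ("second", b)):
        unmonitored = sorted(set(dev["virtual_ips"]) - set(dev["monitored"]))
        if unmonitored:
            problems.append(f"{name} device does not monitor {', '.join(unmonitored)}")
    return problems


if __name__ == "__main__":
    for line in check_ha_pair(ACTIVE, STANDBY) or ["planned HA settings are consistent"]:
        print(line)
```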