Device HA (High Availability) in uOS 1.31






Device HA ensures uninterrupted network connectivity by deploying two firewalls in an active-passive setup. If the active device fails or loses connectivity, the passive device takes over automatically to maintain network stability.
1. Requirements of Device HA
- Requires Same Model & Firmware: Both firewalls must be the same model and firmware version
- Single License Required: Only one firewall needs a security license, which gets transferred to the primary unit
- Heartbeat Connection: Uses the last Ethernet port (e.g., port 8 for 200H, port 12 for 500H/700H)
- Nebula Requirement: Both devices must be registered in the same Nebula organization
- Device HA is NOT supported on USG FLEX 100H or USG FLEX 50H
2. Heartbeat Connection & Failover Triggers
Heartbeat: The firewalls communicate via a heartbeat signal every 2 seconds using UDP port 694.
If the passive firewall misses 2 heartbeat signals, it assumes the active role.
Failover occurs if:
- A monitored interface on the active firewall goes link-down
- A monitored Connectivity Check on the active firewall fails
- Heartbeat timeout
- Firmware upgrade occurs
3. Configuration Synchronization
There are two types of synchronization in Device HA:
- Full Synchronization (Happens During Initial Pairing & Manual Sync)
Manual Full Sync: Run CLI command on active firewall
- Incremental Synchronization
Happens automatically when changes are made to the active firewall
Updates sync to the passive firewall within 5 seconds
Note: DO NOT manually configure the passive firewall! All changes must be made on the active device.
4. Avoiding Heartbeat Conflicts & Common Issues
What Happens If the Heartbeat Link is Disconnected?
- Both firewalls become active → Causes network conflicts
- After a conflict, the secondary will revert to passive state
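The heartbeat rules from sections 2 and 4 can be replayed as a small timing model. This is an added example, not Zyxel code: the function and parameter names are hypothetical, and it assumes takeover happens on the second consecutive missed heartbeat and that the secondary steps down on the first heartbeat it hears while active.

```python
# Toy model of the heartbeat rules described in the article (added example,
# not Zyxel's implementation). Times are in seconds.
HEARTBEAT_INTERVAL = 2   # article: one heartbeat every 2 seconds
MISSED_LIMIT = 2         # article: passive takes over after 2 missed heartbeats


def simulate(duration, primary_dies_at=None, link_down=None):
    """Replay the secondary node's view of the heartbeat link.

    link_down is an optional (start, end) window during which the heartbeat
    cable is unplugged. Returns a list of (time, event) tuples.
    Assumptions: takeover happens on the second consecutive miss, and the
    secondary steps down on the first heartbeat it hears while active.
    """
    role, missed, events = "passive", 0, []
    for t in range(HEARTBEAT_INTERVAL, duration + 1, HEARTBEAT_INTERVAL):
        primary_alive = primary_dies_at is None or t < primary_dies_at
        link_up = link_down is None or not (link_down[0] <= t < link_down[1])
        if primary_alive and link_up:
            missed = 0
            if role == "active":          # both nodes active and now in contact
                role = "passive"
                events.append((t, "conflict-resolved"))
        else:
            missed += 1
            if role == "passive" and missed >= MISSED_LIMIT:
                role = "active"
                # Primary still alive means two active nodes on the network.
                events.append((t, "split-brain" if primary_alive else "failover"))
    return events


def dual_active_seconds(events):
    """Total time both firewalls were active (split-brain until resolved)."""
    total, started = 0, None
    for t, kind in events:
        if kind == "split-brain":
            started = t
        elif kind == "conflict-resolved" and started is not None:
            total += t - started
            started = None
    return total


if __name__ == "__main__":
    print(simulate(12, primary_dies_at=5))    # real failure of the active node
    print(simulate(14, link_down=(5, 11)))    # heartbeat cable pulled, then restored
```

In this model a heartbeat outage shorter than two intervals produces no role change, while a longer one leaves both nodes active until the link returns.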
5. Deploying Device HA: Step-by-Step Setup
Step 1: Prepare Your Devices
- Register both firewalls in the same Nebula organization
- Upgrade to the latest firmware version
- Remove any existing settings on the last Ethernet port (for heartbeat)
Step 2: Configure the Primary Firewall
- Enable Device HA
- Select Primary Role
- Set up Management IPs
- (Optional) Configure Monitored Interfaces for failover
Step 3: Configure the Secondary Firewall
- Enable Device HA
- Select Secondary Role
- Click Apply (management settings will auto-sync from primary)
Step 4: Connect Heartbeat Port
- Use direct cable connection for best performance
Step 5: Verify HA Status
Check logs for:
- "Paired Complete" and Active & Passive roles properly assigned
- In GUI Dashboard, active firewall is labeled "Active Node"
- Run CLI command for detailed sync status: show state vrf main device-ha debug sync-info