The High Availability section lets you build a cluster of WAFs to ensure high availability of your applications. Several high availability modes are available:
The Active/Active mode spreads a tunnel's traffic across several WAFs of a cluster. If a WAF is no longer available, traffic continues through the tunnels of the other WAFs.
Traffic initiated by a given client always goes through the same tunnel of the same WAF, so that essential information such as authentication sessions is kept. Load balancing is performed by a keepalived service.
An HA Active/Active cluster must have at least one virtual IP address and two VRRP members attached to this IP.
The Active/Passive mode provides tunnel redundancy across different WAFs of a cluster. Only one member is active at a time. If the primary tunnel fails, traffic is redirected to the secondary tunnel (failover). When the primary tunnel is up again, traffic is redirected back to it.
An HA Active/Passive cluster must have at least one virtual IP address and two VRRP members attached to this IP.
A VRRP cluster is a virtual entity defined mainly by its Cluster ID (or VRID), a unique numeric identifier between 1 and 254. The members of the VRRP cluster communicate using this Cluster ID via multicast packets. The cluster has virtual IP (VIP) addresses, that is, addresses that are created or deleted in response to events in the cluster.
At any given moment, only a single member holds the listening VIP address(es). If the member holding the VIP(s) fails, another member takes over and creates the VIP address(es) so that the service can continue to operate.
VRRP operation is based on the MASTER member regularly sending multicast packets, with failover occurring when the BACKUP members no longer receive these packets (a sign that there is probably a problem on the MASTER). Other conditions and tests can be added to determine whether failover is necessary. That is the role of the different "...Tracking" options for the VRRP cluster and of the Tracked devices and Tracked metrics settings of the VRRP Members.
The Cluster ID must be unique on the network. Assigning a Cluster ID that is already in use will result in unpredictable behavior of your VRRP cluster. The main symptoms are an absence of failover after a failed availability test and unavailability of the VIP. If no value is entered for the Cluster ID, the first available value in increasing order is assigned to it, starting with ID 176 (inclusive).
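One way to check Cluster ID uniqueness before and after deployment, as an added example that is not part of the product: it decodes captured VRRP advertisements, reports senders that use a cluster's ID without being one of its members, and picks the first unused ID from 176 upward. The capture, addresses, member list and the `None` result when 176 to 254 are all taken are assumptions made for the illustration.

```python
import struct
from collections import defaultdict

AUTO_ASSIGN_START = 176  # from the page: automatic assignment starts at ID 176

def parse_advert(payload: bytes) -> dict:
    """Decode a VRRP v2/v3 advertisement (IP protocol 112), IPv4 VIPs assumed."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, priority, count = struct.unpack_from("!BBBB", payload)
    if ver_type >> 4 not in (2, 3) or ver_type & 0x0F != 1:  # type 1 = advertisement
        raise ValueError("not a VRRP advertisement")
    end = 8 + 4 * count
    if len(payload) < end:
        raise ValueError("truncated address list")
    vips = [".".join(map(str, payload[i:i + 4])) for i in range(8, end, 4)]
    return {"vrid": vrid, "priority": priority, "vips": vips}

def audit(captures, members_by_vrid):
    """Return (conflicts, in_use): foreign senders per known Cluster ID, all IDs seen."""
    senders = defaultdict(set)
    for src, payload in captures:
        try:
            senders[parse_advert(payload)["vrid"]].add(src)
        except ValueError:
            continue  # malformed packets are skipped, not trusted
    conflicts = {}
    for vrid, members in members_by_vrid.items():
        foreign = senders.get(vrid, set()) - set(members)
        if foreign:
            conflicts[vrid] = sorted(foreign)
    return conflicts, set(senders)

def first_free_cluster_id(in_use, start=AUTO_ASSIGN_START, last=254):
    """First unused ID counting up from start; None when the range is exhausted."""
    return next((i for i in range(start, last + 1) if i not in in_use), None)

def advert(vrid, priority, vips, version=2):
    """Build a constructed sample advertisement (checksum left at zero, not verified)."""
    head = struct.pack("!BBBBBBH", (version << 4) | 1, vrid, priority, len(vips), 0, 1, 0)
    return head + b"".join(bytes(map(int, v.split("."))) for v in vips)

# Constructed capture of (source IP, VRRP payload); addresses are documentation ranges.
CAPTURES = [
    ("192.0.2.11", advert(176, 150, ["192.0.2.100"])),  # cluster member acting as MASTER
    ("192.0.2.50", advert(176, 100, ["192.0.2.200"])),  # other device reusing ID 176
    ("192.0.2.60", advert(177, 100, ["192.0.2.201"], version=3)),
    ("192.0.2.70", b"\x21\x01"),                         # truncated packet, skipped
]
MEMBERS = {176: ["192.0.2.11", "192.0.2.12"]}  # hypothetical members of the WAF cluster

if __name__ == "__main__":
    conflicts, in_use = audit(CAPTURES, MEMBERS)
    print("conflicts:", conflicts, "| next free ID:", first_free_cluster_id(in_use))
```

A non-empty conflict list for a Cluster ID matches the situation described above, where failover and VIP availability become unpredictable.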
Failure of an availability test will trigger a failover. The members of the cluster will designate the member that will re-establish the VIP(s).
The drop-down menu presents a list of clusters. Selecting a cluster opens its configuration: