Deploying High Availability on Huawei Firewalls with VRRP, VGMP, and HRP

High availability for security gateways cannot rely on a single device at critical points in the forwarding path. A pair of firewalls operating in hot-standby eliminates single‑point failure by coordinating gateway redundancy, state synchronization, and failover control through VRRP, VGMP, and HRP.

Core questions addressed by the HA cluster

  • Selecting the active and standby unit deterministically
  • Detecting link/device failures rapidly
  • Enforcing consistent switchover behavior across all relevant interfaces
  • Steering traffic correctly in steady state and during faults
  • Synchronizing configuration and runtime state so sessions survive a role change

VRRP: default gateway resilience

  • VRRP provides a shared virtual gateway address between multiple routers/firewalls; one router is elected Master to answer ARP and forward traffic using the virtual IP.
  • On firewalls, multiple VRRP groups are often deployed on both inside and outside interfaces. If each group operates independently, asymmetric states can appear (e.g., inside group Master, outside group Backup), breaking forwarding. A higher‑level controller is required to keep them aligned.

VGMP: group control for multiple VRRP instances

  • VGMP (VRRP Group Management Protocol) is Huawei‑proprietary and binds multiple VRRP groups into one management domain so their states change in lockstep.
  • Concept
    • All VRRP groups on the device are added to a VGMP group. The VGMP group monitors the member groups and enforces a unified state for the whole firewall.
    • If any member VRRP group state changes in a way that indicates a failure, VGMP triggers consistent state transitions across all VRRP groups, keeping inside/outside roles aligned.
  • Operating principles
    • VGMP maintains two attributes: a role (Active/Standby) and a running priority.
    • The VGMP role dictates the device role and the state of all associated VRRP groups.
    • During negotiation over the heartbeat link, the device with the higher VGMP running priority becomes Active; the other becomes Standby.
    • VGMP dynamically adjusts its running priority based on VRRP health. For example, when a member VRRP group drops to Initialize, VGMP decrements its priority (e.g., by 2) to bias a failover.
    • The default VGMP running priority is high (e.g., 45000) before penalties.
  • Message transport
    • Peer VGMPs exchange state/priority via VGMP messages on the heartbeat path.
    • If peers are L2-adjacent (direct cable or L2 switch), multicast frames without a UDP header are used.
    • If the path traverses L3, multicast may not pass; messages are sent unicast with a UDP header.
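
The toy model below is added to this article as an illustration; it is not Huawei code and does not implement the VGMP wire protocol. It contrasts what happens when the inside and outside VRRP groups elect independently (the asymmetric state described above) with VGMP forcing both groups to follow one device role, and it replays the priority arithmetic the lab shows later (45000, minus 2 for a failed group, then back to 45000). The rules are simplifications I assume for the model: the higher running priority becomes Active, and on a tie the node with the higher configured VRRP priority wins, which is how preemption back to the preferred node is represented.

```python
# Added example: a toy model of VRRP/VGMP role coordination, written for this
# article; it is not Huawei code and does not implement the real VGMP protocol.
# Model assumptions (the numbers come from the article, the rules are simplified):
#   - default VGMP running priority 45000, minus 2 per VRRP group in Initialize
#   - the higher running priority becomes Active
#   - on equal priority the node with the higher configured VRRP priority wins,
#     which is how preemption back to FWA is modelled after the link recovers

DEFAULT_RUNNING_PRIORITY = 45000
PENALTY_PER_FAILED_GROUP = 2


class Firewall:
    def __init__(self, name, vrrp_priority, vrids):
        self.name = name
        self.vrrp_priority = vrrp_priority               # 120 on FWA, 110 on FWB
        self.link_up = {vrid: True for vrid in vrids}    # link state per VRRP group
        self.role = None                                 # VGMP role once negotiated

    def running_priority(self):
        failed = sum(1 for up in self.link_up.values() if not up)
        return DEFAULT_RUNNING_PRIORITY - PENALTY_PER_FAILED_GROUP * failed


def independent_vrrp(a, b):
    """No VGMP: every VRRP group elects its own Master by VRRP priority among the
    nodes whose link for that group is up. Groups on different interfaces can end
    up on different nodes, which is the asymmetric state the article warns about."""
    states = {}
    for vrid in a.link_up:
        candidates = [fw for fw in (a, b) if fw.link_up[vrid]]
        master = max(candidates, key=lambda fw: fw.vrrp_priority, default=None)
        for fw in (a, b):
            if not fw.link_up[vrid]:
                states[(fw.name, vrid)] = "Initialize"
            else:
                states[(fw.name, vrid)] = "Master" if fw is master else "Backup"
    return states


def vgmp_negotiate(a, b):
    """With VGMP: compare running priorities over the heartbeat, then force every
    VRRP group on the Active node to Master and on the Standby node to Backup."""
    pa, pb = a.running_priority(), b.running_priority()
    if pa != pb:
        active, standby = (a, b) if pa > pb else (b, a)
    else:
        active, standby = (a, b) if a.vrrp_priority >= b.vrrp_priority else (b, a)
    active.role, standby.role = "active", "standby"
    states = {}
    for fw, forced in ((active, "Master"), (standby, "Backup")):
        for vrid, up in fw.link_up.items():
            states[(fw.name, vrid)] = forced if up else "Initialize"
    return states


def run_lab_scenario():
    """Replay the lab: steady state, FWA loses its outside link, link restored."""
    fwa = Firewall("FWA", 120, [10, 20])
    fwb = Firewall("FWB", 110, [10, 20])
    result = {}
    vgmp_negotiate(fwa, fwb)
    result["steady_active"] = "FWA" if fwa.role == "active" else "FWB"
    fwa.link_up[20] = False                           # DIST1 shuts the upstream port
    result["independent"] = independent_vrrp(fwa, fwb)   # inside Master, outside down
    result["during_fault"] = vgmp_negotiate(fwa, fwb)    # whole device goes standby
    result["fault_priority"] = fwa.running_priority()    # 44998, as display hrp state shows
    result["fault_active"] = "FWA" if fwa.role == "active" else "FWB"
    fwa.link_up[20] = True                            # undo shutdown
    vgmp_negotiate(fwa, fwb)                          # preemption back to FWA
    result["restored_priority"] = fwa.running_priority()
    result["restored_active"] = "FWA" if fwa.role == "active" else "FWB"
    return result


if __name__ == "__main__":
    for key, value in run_lab_scenario().items():
        print(key, value)
```

In the independent election FWA keeps VRID 10 (inside) as Master while VRID 20 (outside) sits in Initialize, so inside hosts keep sending traffic to a node with no outside path; with VGMP the 2-point penalty moves both groups to FWB together.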

HRP: redundancy channel and state replication

  • HRP (Huawei Redundancy Protocol) is a Huawei‑proprietary protocol that runs over the same heartbeat connectivity. It provides:
    • Role negotiation assistance in conjunction with VGMP
    • Configuration synchronization (as configured) from Active to Standby
    • Runtime state replication (e.g., sessions/NAT) so traffic continues across a role change

HRP synchronization modes

  • Automatic configuration/state sync
    • Dual‑hot‑standby‑related configuration is entered on the Active node and automatically propagated to the Standby. Runtime state is replicated continuously. This is the common default (HRP auto sync).
  • Manual bulk sync
    • A one‑time, operator‑triggered push copies configuration and state to the peer. Useful when devices were configured separately and need immediate alignment.
  • Fast state‑only sync
    • Only dynamic state (sessions, translations, etc.) is synchronized. Required in certain load‑sharing designs where configuration differs but run‑state must converge quickly.

Lab setup

  • Tools: eNSP
  • Nodes: 1 PC, 1 edge router, 2 L3 switches, 2 Huawei USG6000V firewalls in an HA pair
  • Addressing
    • Untrust (outside): 10.1.1.0/24, edge router = 10.1.1.1
    • Trust (inside): 192.168.10.0/24
    • VRRP virtuals: 10.1.1.254 (outside), 192.168.10.254 (inside)
    • Heartbeat: 172.16.1.0/30 between firewalls

Edge router configuration

[EDGE] display current-configuration
#
sysname EDGE
interface GigabitEthernet0/0/0
 ip address 10.1.1.1 255.255.255.0
#
interface LoopBack0
 ip address 203.0.113.1 255.255.255.255
#
# Static route to the inside network via the firewalls' outside VRRP virtual IP
ip route-static 192.168.10.0 255.255.255.0 10.1.1.254
#

Firewall base addressing

  • Device names: FWA (intended Active), FWB (intended Standby)
  • Interfaces
    • GE1/0/0 = outside (to EDGE)
    • GE1/0/1 = heartbeat
    • GE1/0/2 = inside (to LAN)

FWA

#
sysname FWA
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.101 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.10.101 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 172.16.1.1 255.255.255.252
#

FWB

#
sysname FWB
#
interface GigabitEthernet1/0/0
 undo shutdown
 ip address 10.1.1.102 255.255.255.0
#
interface GigabitEthernet1/0/2
 undo shutdown
 ip address 192.168.10.102 255.255.255.0
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 172.16.1.2 255.255.255.252
#

Security zones and policies

# FWA zones
[FWA] firewall zone trust
[FWA-zone-trust] add interface GigabitEthernet1/0/2
[FWA-zone-trust] quit
[FWA] firewall zone untrust
[FWA-zone-untrust] add interface GigabitEthernet1/0/0
[FWA-zone-untrust] quit
[FWA] firewall zone dmz
[FWA-zone-dmz] add interface GigabitEthernet1/0/1
[FWA-zone-dmz] quit

# FWB zones
[FWB] firewall zone trust
[FWB-zone-trust] add interface GigabitEthernet1/0/2
[FWB-zone-trust] quit
[FWB] firewall zone untrust
[FWB-zone-untrust] add interface GigabitEthernet1/0/0
[FWB-zone-untrust] quit
[FWB] firewall zone dmz
[FWB-zone-dmz] add interface GigabitEthernet1/0/1
[FWB-zone-dmz] quit

# Permit heartbeat (local/dmz control plane)
[FWA] security-policy
[FWA-policy-security] rule name allow_hb
[FWA-policy-security-rule-allow_hb] source-zone local
[FWA-policy-security-rule-allow_hb] destination-zone dmz
[FWA-policy-security-rule-allow_hb] action permit
[FWA-policy-security-rule-allow_hb] quit

[FWB] security-policy
[FWB-policy-security] rule name allow_hb
[FWB-policy-security-rule-allow_hb] source-zone local
[FWB-policy-security-rule-allow_hb] destination-zone dmz
[FWB-policy-security-rule-allow_hb] action permit
[FWB-policy-security-rule-allow_hb] quit

# Trust to Untrust traffic policy
[FWA-policy-security] rule name trust_to_untrust
[FWA-policy-security-rule-trust_to_untrust] source-zone trust
[FWA-policy-security-rule-trust_to_untrust] destination-zone untrust
[FWA-policy-security-rule-trust_to_untrust] action permit
[FWA-policy-security-rule-trust_to_untrust] quit

[FWB-policy-security] rule name trust_to_untrust
[FWB-policy-security-rule-trust_to_untrust] source-zone trust
[FWB-policy-security-rule-trust_to_untrust] destination-zone untrust
[FWB-policy-security-rule-trust_to_untrust] action permit
[FWB-policy-security-rule-trust_to_untrust] quit

Static routing

[FWA] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
[FWB] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1

VRRP configuration (inside and outside), aligned by VGMP

  • Two VRRP groups, one per security zone interface
  • Virtual IPs: 192.168.10.254 (inside), 10.1.1.254 (outside)
  • Explicit priorities are used instead of the active keyword to illustrate deterministic election and preemption

FWA

# Inside VRRP (VRID 10)
[FWA] interface GigabitEthernet1/0/2
[FWA-GigabitEthernet1/0/2] vrrp vrid 10 virtual-ip 192.168.10.254
[FWA-GigabitEthernet1/0/2] vrrp vrid 10 priority 120
[FWA-GigabitEthernet1/0/2] vrrp vrid 10 preempt-mode enable
[FWA-GigabitEthernet1/0/2] quit

# Outside VRRP (VRID 20)
[FWA] interface GigabitEthernet1/0/0
[FWA-GigabitEthernet1/0/0] vrrp vrid 20 virtual-ip 10.1.1.254
[FWA-GigabitEthernet1/0/0] vrrp vrid 20 priority 120
[FWA-GigabitEthernet1/0/0] vrrp vrid 20 preempt-mode enable
[FWA-GigabitEthernet1/0/0] quit

FWB

# Inside VRRP (VRID 10)
[FWB] interface GigabitEthernet1/0/2
[FWB-GigabitEthernet1/0/2] vrrp vrid 10 virtual-ip 192.168.10.254
[FWB-GigabitEthernet1/0/2] vrrp vrid 10 priority 110
[FWB-GigabitEthernet1/0/2] vrrp vrid 10 preempt-mode enable
[FWB-GigabitEthernet1/0/2] quit

# Outside VRRP (VRID 20)
[FWB] interface GigabitEthernet1/0/0
[FWB-GigabitEthernet1/0/0] vrrp vrid 20 virtual-ip 10.1.1.254
[FWB-GigabitEthernet1/0/0] vrrp vrid 20 priority 110
[FWB-GigabitEthernet1/0/0] vrrp vrid 20 preempt-mode enable
[FWB-GigabitEthernet1/0/0] quit

Heartbeat and HA enablement (HRP)

# Define heartbeat peers and enable HRP
[FWA] hrp interface GigabitEthernet1/0/1 remote 172.16.1.2
[FWA] hrp enable

[FWB] hrp interface GigabitEthernet1/0/1 remote 172.16.1.1
[FWB] hrp enable

Expected role outcome

  • FWA becomes Active; FWB becomes Standby (VGMP coordinates all VRRP groups accordingly).
  • Verify status:
[FWA] display hrp state
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 1 minutes
 Last state change: normal

[FWA] display hrp interface
 GigabitEthernet1/0/1 : running

Failure simulation and validation

  1. Disable a link on the upstream switch to cause an outside path failure:

[DIST1] interface Ethernet0/0/1
[DIST1-Ethernet0/0/1] shutdown

  2. Observe the HA role change:

[FWA] display hrp state
 Role: standby, peer: active
 Running priority: 44998, peer: 45000
 Last state change: abnormal(standby)

  3. Restore the link and observe preemption back to FWA (VRRP preempt is enabled):

[DIST1-Ethernet0/0/1] undo shutdown

[FWA] display hrp state
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
 Last state change: normal
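
Reading the HRP state by eye works in a lab; in production the same output is what a monitoring job would poll. The following Python check is added here as an example (not part of the article or of Huawei's tooling): it parses the fields of display hrp state shown above, compares the role with the intended one, and flags a penalised running priority, an abnormal last state change, or both nodes reporting the same role. The two sample outputs are constructed from the lines in this article; the 45000 baseline and the 2-point penalty are the article's values.

```python
import re

# Constructed samples shaped like the "display hrp state" output shown in the article
NORMAL_OUTPUT = """\
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 1 minutes
 Last state change: normal
"""

FAULT_OUTPUT = """\
 Role: standby, peer: active
 Running priority: 44998, peer: 45000
 Last state change: abnormal(standby)
"""

DEFAULT_PRIORITY = 45000        # VGMP running priority before any penalty

_ROLE = re.compile(r"Role:\s*(\w+),\s*peer:\s*(\w+)")
_PRIO = re.compile(r"Running priority:\s*(\d+),\s*peer:\s*(\d+)")
_LAST = re.compile(r"Last state change:\s*(\S+)")


def parse_hrp_state(text):
    """Extract role, peer role, running priorities and last state change."""
    state = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _ROLE.match(line):
            state["role"], state["peer_role"] = m.group(1), m.group(2)
        elif m := _PRIO.match(line):
            state["priority"] = int(m.group(1))
            state["peer_priority"] = int(m.group(2))
        elif m := _LAST.match(line):
            state["last_change"] = m.group(1)
    return state


def check_hrp(state, expected_role):
    """Return a list of findings; an empty list means the pair looks healthy."""
    findings = []
    if state.get("role") != expected_role:
        findings.append(f"role is {state.get('role')}, expected {expected_role}")
    if state.get("role") == state.get("peer_role"):
        # Both nodes claiming the same role usually means the heartbeat is lost
        findings.append("both nodes report the same role; check the heartbeat link")
    if state.get("priority", DEFAULT_PRIORITY) < DEFAULT_PRIORITY:
        penalty = DEFAULT_PRIORITY - state["priority"]
        findings.append(f"running priority penalised by {penalty}; a VRRP group is likely down")
    if state.get("last_change", "normal") != "normal":
        findings.append(f"last state change was {state['last_change']}")
    return findings


if __name__ == "__main__":
    for label, output in (("normal", NORMAL_OUTPUT), ("fault", FAULT_OUTPUT)):
        findings = check_hrp(parse_hrp_state(output), expected_role="active")
        print(label, findings or "OK")
```

Run against the normal output the check returns no findings; against the fault output it reports the unexpected standby role, the 2-point penalty and the abnormal(standby) transition, which is exactly the set of facts an on-call engineer wants in an alert rather than in a terminal they have to open.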

Notes

  • Ensure the edge router’s default route for the inside network points to the outside VRRP virtual IP and that inside hosts use the inside VRRP virtual IP as their default gateway.
  • When the heartbeat path is L3, confirm any device in-between permits the VGMP/HRP unicast UDP exchange.
  • In load-sharing designs, enable fast state sync if configuration differs but session continuity is required across nodes.