Imperva Cyber Community

  • 1.  What is different between IMPVHA High Availability On and Off?

    Posted 12-15-2021 00:19
    Dear all,

    I have some confusion about IMPVHA High Availability On and Off.
    Could you explain it and which case we should use?
    How do we configure it?

    Thank you.
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Duc Dinh
    Product Consultant
    MTech
    ho chi minh
    ------------------------------


  • 2.  RE: What is different between IMPVHA High Availability On and Off?

    Imperva Employee
    Posted 12-16-2021 08:23
    IMPVHA is Imperva's proprietary HA algorithm. You can set it up in case you have 2 GWs running and you want to use them in Active-Passive mode.
    You can read more about it here: https://docs.imperva.com/search?q=%20IMPVHA%20%E2%80%94%20Configuration%20

    ------------------------------
    Michael Sorin
    Software Engineer
    Tel Aviv CA
    ------------------------------



  • 3.  RE: What is different between IMPVHA High Availability On and Off?

    Posted 12-16-2021 21:27
    I am still confused about this mode.
    - When configuring for the first time, I chose Bridge IMPVHA (Default, High Availability toggle - Off). At this stage, is this configuration complete?
    I followed this configuration: https://docs.imperva.com/bundle/v14.3-administration-guide/page/8568.htm
    To use a redundant architecture with STP, I need to use IMPVHA HA off or Bridge STP (STP on). Can we use it for RSTP?
    In my opinion, we can use IMPVHA with HA off for a redundant network of switches, so we can use Imperva GWs as active-active (we can use many bridges and share the load across the GWs).

    - If we configure "HA Toggle On" in impcfg, I am not clear about this configuration.
    https://docs.imperva.com/bundle/v14.3-administration-guide/page/58962.htm
    - If we create a new group IMPVHA "HA Fail Mode" in Setup -> Gateway (WebGUI), it will force 1 GW for Primary and 1 GW for Secondary.
    Please help to explain how GWs work when I enable HA toggle on and when I create group IMPVHA "HA Fail Mode". If we use active-standby, do we need to configure "HA Toggle On" only, or do we need to configure both of them?


    ------------------------------
    Duc Dinh
    Product Consultant
    MTech
    ho chi minh
    ------------------------------



  • 4.  RE: What is different between IMPVHA High Availability On and Off?

    Imperva Employee
    Posted 12-17-2021 09:31
    Hi Duc,

    I think I might understand what is confusing you.

    Typically, IMPVHA is the recommended mode (regardless of whether you are using HA or not). If you plan on running active/active, use IMPVHA with HA toggled OFF on both GWs.

    Why is IMPVHA the recommended mode? Because it has the most support for pass-through protocols. As an example, if you plan to leverage LACP / Port channeling, it only works in IMPVHA mode. This is why we typically recommend it as the default mode. 

    "I am still confused about this mode.
    - When configuring for the first time, I chose Bridge IMPVHA (Default, High Availability toggle - Off). At this stage, is this configuration complete?"

    Yes; in this configuration STP will handle failover. 


    "To use a redundant architecture with STP, I need to use IMPVHA HA off or Bridge STP (STP on)."

    Correct.


    "Can we use it for RSTP?"

    IMPVHA mode should be used with HA toggled OFF when using RSTP.


    "Please help to explain how GWs work when I enable HA toggle on and when I create group IMPVHA "HA Fail Mode"."

    IMPVHA with HA toggled ON is used only in an active/passive configuration. Only one unit is bridging at any given time. During normal operation, there will be a master and a slave gateway. The master will bridge and the slave will block traffic. The slave will send probes out one of its interfaces at a rate of ten probes per second. As long as the master is functioning, the probes will loop around to the other interface on the slave. This tells the slave that everything is normal. When the slave stops receiving its own probe, it knows the master is no longer present and will take on the role of master and will stop sending probes.

    The probe is an Ethernet broadcast using Ethernet protocol 0xad00.

    IMPVHA - HA Toggled ON
    IMPORTANT NOTE

    For IMPVHA (with HA toggled ON) to work correctly, there must be a loop in the network. In my experience, this only successfully works when the north/south side of each GW is connected to a switch. Additionally, for the switch ports to which the GWs are connected, STP must be disabled.
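
The probe loop described in the reply above can be checked from a packet capture. The following is an added example, not part of the thread and not Imperva code: it picks out broadcast frames with EtherType 0xad00 and reports stretches where the ten-per-second probes stopped arriving. It assumes a capture taken on a mirror of the standby gateway's receiving side; `max_missed`, the source MAC and the payload bytes are constructed placeholders, and only the Ethernet header is inspected because the thread does not describe the probe payload.

```python
import struct

BROADCAST = b"\xff" * 6
PROBE_ETHERTYPE = 0xAD00       # from the post
PROBE_INTERVAL_MS = 100        # ten probes per second, from the post
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q / 802.1ad tags that may precede the EtherType

def parse_header(frame):
    """Return (dst_mac, ethertype), skipping VLAN tags; None if truncated."""
    if len(frame) < 14:
        return None
    offset = 12
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype in VLAN_TPIDS:
        offset += 4
        if len(frame) < offset + 2:
            return None
        (etype,) = struct.unpack_from("!H", frame, offset)
    return frame[:6], etype

def is_probe(frame):
    """True for an Ethernet broadcast carrying EtherType 0xad00."""
    return parse_header(frame) == (BROADCAST, PROBE_ETHERTYPE)

def probe_gaps(capture, max_missed=3):
    """capture: (timestamp_ms, frame) pairs. Return (last_seen, next_seen)
    pairs where more than max_missed probe intervals passed without a probe.
    max_missed is an assumed alerting threshold, not a documented value."""
    limit = max_missed * PROBE_INTERVAL_MS
    times = [ts for ts, frame in capture if is_probe(frame)]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > limit]

# Constructed sample capture; source MAC and zero payload are placeholders.
SRC = bytes.fromhex("020000000001")

def make_frame(etype, vlan=None, dst=BROADCAST):
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return dst + SRC + tag + struct.pack("!H", etype) + bytes(46)

SAMPLE = [
    (0, make_frame(0xAD00)), (100, make_frame(0xAD00)),
    (150, make_frame(0x0806)),            # ARP broadcast, not a probe
    (200, make_frame(0xAD00, vlan=10)),   # probe seen on a tagged link
    (300, make_frame(0xAD00)),
    (1000, make_frame(0xAD00)), (1100, make_frame(0xAD00)),
]

if __name__ == "__main__":
    print(probe_gaps(SAMPLE))
```

A reported gap marks a window in which the standby would not have seen its own probe, which is the condition the reply gives for it to take over as master.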