Imperva Cyber Community

  • 1.  Help with MX-HA Deployment

    Posted 10-18-2023 08:38
    Edited by Vladimer Burtchuladze 10-18-2023 09:09
    Hello,
    I read the steps in the study materials and something is a little bit unclear to me, so according to these points I have some questions.
    Points from Administrator Guide:
    • The public IP addresses of both MX servers must be on the same subnet. If the servers are located at different sites, there must be a VLAN between the sites with the same subnet.
    • The interconnected network must be defined during the first-time login procedure on the MX by setting up the LAN interfaces. If this was not done during the first-time login, the LAN interfaces can be configured now using impcfg.  Both interconnected interfaces must be on the same subnet.
    • Alternatively, you can upload only the primary MX license, install MX-HA on the primary MX and install the secondary license (on the primary MX) at a later time. This alternative is not recommended, because it temporarily leaves the configuration without a license for the secondary MX, but it can be done.
    • Heartbeat interface name = The interface which is the direct connection between the two MXs (There is no direct connection in my situation)
    • Public interface name = The management interface name.
    Questions:
     
    1. In an MX-HA deployment, the management interface (eth0) is the public interface, and the heartbeat interface (eth1) is Interconnect?
    2. Also, in an MX-HA deployment, do all gateways register to the MX-HA's virtual IP, or does each gateway register to its own site's MX management IP?
    3. Can you please tell me if the interfaces and IP addresses are set correctly for my lab example?
    4. Heartbeat interface name = Eth1?
    5. Public interface name = Eth0?
    6. I also have a question related to licensing. After finishing the initial configuration of the primary and secondary MX servers, should the license for both servers be uploaded on the primary MX server from the web interface and then the MX-HA procedure done, or, after the initial configuration, must the license be uploaded during the MX-HA process?

    Here is my configuration:

    MX1

    Configuration target:   local (appliance, VM150, reachable)
    Setting markers:        C: changed, I: invalid, P: pending (saved but not applied)
    Navigation:             Top -> Platform

    Network settings
      Management Interface: device=eth0,IPv4=172.25.92.101/24,IPv6=<not-set>
      LAN Interface:        device=eth1,IPv4=172.25.93.101/24,IPv6=<not-set>
      Default gateway:      IPv4: 172.25.92.1,device=eth0
                            IPv6: <not-set>

    MX2

    Configuration target:   local (appliance, VM150, reachable)
    Setting markers:        C: changed, I: invalid, P: pending (saved but not applied)
    Navigation:             Top -> Platform

    Network settings
      Management Interface: device=eth0,IPv4=172.25.92.102/24,IPv6=<not-set>
      LAN Interface:        device=eth1,IPv4=172.25.93.102/24,IPv6=<not-set>
      Default gateway:      IPv4: 172.25.92.1,device=eth0
                            IPv6: <not-set>

    MX-HA Configuration

    [root@MX-01 mxha]# impctl server ha install
    Enter the directory for temporary data [/var/tmp/secsph-ha]: 
    Enter the keep alive IP address or hostname (pingable server): 172.25.92.1 (Mgmt Gateway IP)
    Enter the secondary server public IP address: 172.25.92.102
    Enter the virtual server IP address: 172.25.93.100  
    Enter the heartbeat interface name [eth0 eth1 eth2 eth3]: eth1
    Enter the public interface name [eth0 eth1 eth2 eth3]: eth0

    P.S. Can you please share best practices for deploying MX-HA, or maybe there is a deployment topology example somewhere?


    #DatabaseActivityMonitoring



  • 2.  RE: Help with MX-HA Deployment

    Posted 10-19-2023 08:46

    Hi,

    Both Imperva management interfaces need to be in the same L2 segment.  If you want to spread it between sites, you need to have a VPN/L2 VLAN.  Since only one MX will be active, all your gateways (both sites) will report to the same MX - the one with the virtual IP.  It is simpler to have both MXs in the same location, usually the one closer to more gateways.  You will need to cross the WAN link in any case.  On your diagram, if the link between sites gets disconnected, both MXs will become the primary one.  If you must have an MX on each site, leave each as a stand-alone Imperva and manage both.  Another option is to use two VM MXs and take snapshots at fixed intervals to restore from in case of failure.

    Questions:
     
    1. In an MX-HA deployment, the management interface (eth0) is the public interface, and the heartbeat interface (eth1) is Interconnect? - YES (by default, but can be changed)
    2. Also, in an MX-HA deployment, do all gateways register to the MX-HA's virtual IP or does each gateway register to its own site's MX management IP?  All GW to MX VIP.  In case you decide to have 2 separate MX then to its own MX management IP.
    3. Can you please tell me if the interfaces and IP addresses are set correctly for my lab example?  No, heartbeat you can use it via VPN, management will not work via routing for MX VIP
    4. Heartbeat interface name = Eth1?  yes
    5. Public interface name = Eth0?  yes
    6. I also have a question related to licensing. After finishing initial configuration of the primary and secondary MX servers, on the primary MX server, should the license for both servers be uploaded from the web interface and then MX-HA procedure done, or after initial configuration, license must be uploaded during MX-HA process?      You can configure both MXs as standalone and install the license on each via the GUI, or install the primary only, then configure MX-HA, then add the 2nd license once it is configured as MX-HA.



    ------------------------------
    Vadim Notkin
    Network Engineer
    Financial Information Services Agency
    New York NY
    ------------------------------
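The addressing rules quoted in the question and confirmed in the reply above (both public interfaces on one subnet, both heartbeat interfaces on one subnet, and a virtual IP that is reached at L2 rather than routed) can be checked before running `impctl server ha install`. The script below is an added example written for this thread; it is not Imperva's code and uses no Imperva API. It re-uses the lab addresses posted in the question as constructed input. The check that the virtual IP must lie inside the public (management) subnet is an assumption derived from the reply's statement that the VIP will not work via routing; the collision checks for the VIP and keep-alive address are added sanity checks, not rules stated on the page.

```python
# Added example (not Imperva's code): a pre-flight checker for the MX-HA
# addressing rules quoted in this thread. All input values are constructed
# from the lab configuration posted in the question.
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class MxNode:
    """One MX server: its public (management) and heartbeat (LAN) interfaces in CIDR form."""
    name: str
    public: str      # e.g. "172.25.92.101/24" on eth0
    heartbeat: str   # e.g. "172.25.93.101/24" on eth1


@dataclass
class MxHaPlan:
    primary: MxNode
    secondary: MxNode
    virtual_ip: str    # the MX-HA virtual server IP entered in impctl
    keepalive_ip: str  # pingable host used to detect loss of connectivity


def _network(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_interface(cidr).network


def _address(cidr: str) -> ipaddress.IPv4Address:
    return ipaddress.ip_interface(cidr).ip


def check_mx_ha_plan(plan: MxHaPlan) -> List[str]:
    """Return a list of findings; an empty list means the addressing passes every check."""
    findings: List[str] = []
    p, s = plan.primary, plan.secondary

    # Administrator Guide rule quoted in the thread: both public IPs on the same subnet.
    pub_net = _network(p.public)
    if _network(s.public) != pub_net:
        findings.append(f"public interfaces are on different subnets: {p.public} vs {s.public}")

    # Same quote: both interconnected (heartbeat) interfaces on the same subnet.
    hb_net = _network(p.heartbeat)
    if _network(s.heartbeat) != hb_net:
        findings.append(f"heartbeat interfaces are on different subnets: {p.heartbeat} vs {s.heartbeat}")

    # Assumption derived from the reply ("management will not work via routing for MX VIP"):
    # the virtual IP must sit in the public (management) subnet, not in a routed one.
    vip = ipaddress.ip_address(plan.virtual_ip)
    if vip not in pub_net:
        findings.append(f"virtual IP {vip} is outside the public subnet {pub_net}")

    # Added sanity checks (not rules from the page): the VIP and keep-alive address
    # must not collide with the real interface addresses.
    real_ips = {_address(p.public), _address(s.public), _address(p.heartbeat), _address(s.heartbeat)}
    if vip in real_ips:
        findings.append(f"virtual IP {vip} collides with a real interface address")
    ka = ipaddress.ip_address(plan.keepalive_ip)
    if ka == vip or ka in real_ips:
        findings.append(f"keep-alive address {ka} must be a third host, not an MX address or the VIP")
    return findings


# Constructed from the lab values posted in the question.
LAB_PLAN = MxHaPlan(
    primary=MxNode("MX1", "172.25.92.101/24", "172.25.93.101/24"),
    secondary=MxNode("MX2", "172.25.92.102/24", "172.25.93.102/24"),
    virtual_ip="172.25.93.100",   # as entered in the impctl session
    keepalive_ip="172.25.92.1",   # the management gateway
)

# Same lab with the VIP moved into the management subnet (a constructed correction).
CORRECTED_PLAN = MxHaPlan(
    primary=LAB_PLAN.primary,
    secondary=LAB_PLAN.secondary,
    virtual_ip="172.25.92.100",
    keepalive_ip=LAB_PLAN.keepalive_ip,
)

if __name__ == "__main__":
    for label, plan in (("lab as posted", LAB_PLAN), ("corrected", CORRECTED_PLAN)):
        print(f"{label}: {check_mx_ha_plan(plan) or ['OK']}")
```

Run against the posted lab, the only finding is the virtual IP 172.25.93.100 sitting in the heartbeat subnet instead of the 172.25.92.0/24 management subnet, which matches the reply's "No" to question 3; moving the VIP into the management subnet clears it. The checker does not model the L2 requirement itself (a VLAN or VPN stretched between sites), which has to be verified on the network rather than from addresses alone.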



  • 3.  RE: Help with MX-HA Deployment

    Posted 10-19-2023 10:19

    Thank you for your response.

    Maybe you have some MX-HA topology example?