Home » High Availability Monitoring in Firewall Analyzer

High Availability Monitoring in Firewall Analyzer

Firewall Analyzer enables centralized monitoring and reporting for firewalls deployed in High Availability (HA) environments. By logically grouping redundant firewall devices, Firewall Analyzer ensures uninterrupted log collection and consistent reporting even during failover events.

What is High Availability in a Firewall context?

High Availability (HA) is a deployment model in which two or more firewall appliances operate as a redundant pair to eliminate single points of failure and maintain continuous network security.

A typical HA configuration consists of:

  • Primary (Active) Firewall
    The firewall currently processing network traffic and generating logs.
  • Secondary (Passive) Firewall
    A synchronized backup device that remains in standby mode and automatically takes over if the primary firewall becomes unavailable.

During a failover event caused by hardware failure, network interruption, or software issues, the secondary firewall seamlessly assumes the active role, ensuring minimal downtime and uninterrupted protection.

Note:

  • Firewall Analyzer processes syslog data using a single device license for HA monitoring. Since Active-Active deployments generate logs from multiple active devices simultaneously, they are not supported as a single HA entity. In such environments, each firewall must be added and licensed individually using separate device licenses.
  • Active—Passive HA pairs are supported in Firewall Analyzer, allowing both HA devices to be managed under a single license.

Prerequisites

  1. Both devices forming an HA pair must belong to the same firewall vendor.

  2. Before configuring High Availability, ensure that both firewalls are fully synchronized, including:

    • Device configurations
    • Security policies
    • Rulesets

    Any configuration mismatch may result in inconsistent monitoring behavior.

  3. If the HA pair operates using a shared virtual IP address, use each device’s unique Device ID instead of the IP address during HA configuration.

Internally, Firewall Analyzer maintains different device states. The Primary device remains in a Managed state, while the Secondary device is set to an Unmanaged state. Historical logs from secondary devices are not merged or consolidated with the primary device’s existing data.

Methods to configure High Availability

High Availability can be configured using either of the following methods:

  1. Configure HA with existing Devices — Map already discovered firewall devices as Primary and Secondary devices.
  2. Configure HA using Manual IP Mapping — Provide the IP addresses of the Primary and Secondary devices manually during configuration.

Note:

  • For Fortigate firewalls, if the primary and secondary devices share the same IP address, use their unique Device ID instead of the IP address when configuring High Availability.
  • Supported vendors for High Availability monitoring include FortiGate, Check Point, Cisco, Cisco Firepower, Palo Alto, Juniper SRX, NetScreen, WatchGuard, Hillstone, Forcepoint, MGuard, and more.

Steps to Import HA Devices

Before configuring HA, devices can be imported in bulk.

  1. Navigate to Settings.
  2. Go to Discovery → High Availability.
  3. Click Bulk Import HA Pairs (CSV).
    4. High Availability
  4. Upload the CSV file containing HA device details.
    5. High Availability
  5. Click Validate to import the device pairs.

Steps to Configure High Availability Monitoring

Configure High Availability using existing devices

Use this option when both firewall devices are already discovered or added in Firewall Analyzer.

  1. Navigate to Settings → Discovery → High Availability.
  2. Click Configure HA.
    3. High Availability
  3. In the Configure HA panel, under Primary Device, ensure Select Existing Device is chosen.
  4. Select the required firewall from the device drop-down list.
  5. Enter a Display Name for the HA pair. This name will be used as the logical identifier for the HA pair across all Firewall Analyzer pages.
  6. Under Secondary Device, select the corresponding firewall from the device drop-down list.
  7. Verify that both devices belong to the same vendor and represent the correct HA pair.
  8. Click Save.
    9. High Availability

Configure High Availability using Manual IP Address entry

Use this option when the firewall devices are not already added in Firewall Analyzer or when you want to configure the HA pair by directly specifying device IP addresses.

  1. Navigate to Settings → Discovery → High Availability.
  2. Click Configure HA.
  3. In the Configure HA panel, under Primary Device, click Enter Manually.
  4. Enter the Primary Device IP Address.
  5. Specify a Display Name for the HA pair. This name will be used to identify the HA pair across Firewall Analyzer.
  6. Under Secondary Device, click Enter Manually.
  7. Enter the Secondary Device IP Address.
  8. Verify the entered device details.
    9. High Availability
  9. Click Save.

After clicking Save:

  • The HA pair is created successfully.
  • The primary device becomes Managed, and the secondary device becomes Unmanaged.
  • All logs received from the secondary firewall are forwarded to and viewable from the primary device.
High Availability
Note:
  • The Display Name is used as the identifier for the HA pair across all Firewall Analyzer pages and reports.
  • Future syslog data received from the secondary device is mapped to the primary device.
  • If the secondary device was not previously added, incoming syslog data is mapped directly to the primary device, and the secondary device will not be created as a separate device entry.

Internally, Firewall Analyzer maintains the primary firewall as the monitored entity while transparently associating logs from the secondary firewall during failover.

Viewing reports for the Secondary (Unmanaged) device

After High Availability (HA) configuration is completed, the secondary device is moved to anUnmanaged state and its future syslog data is mapped to the primary device. However, the historical data collected before HA configuration is not merged with the primary device’s data.
To view reports generated from the secondary device’s historical data, navigate to theReports section and select the secondary device from the device selection list. This allows previously collected logs and reports for the secondary firewall to be accessed independently even after HA configuration.

How Firewall Analyzer monitors High Availability environments

Firewall Analyzer monitors High Availability (HA) deployments by logically grouping the primary and secondary firewalls into a single monitoring entity. Syslog data received from both devices is correlated and mapped under one unified firewall view, ensuring continuous monitoring even during failover events.

With HA monitoring enabled:

  • Logs from both primary and secondary devices are associated with a single firewall instance.
  • Log collection continues seamlessly during device failover.
  • Reports, alerts, and analytics remain unified without duplicate device entries.
  • Device visibility stays consistent regardless of which firewall is currently active.

This unified monitoring approach helps maintain uninterrupted security visibility while simplifying management of HA firewall deployments.

Frequently Asked Questions

What is the impact on Reports when we configure the HA settings ?

 
After configuring High Availability, the primary device is set to a Managed state while the secondary device becomes Unmanaged. All new syslogs received from both the primary and secondary devices are mapped to the primary device and are reflected in reports generated thereafter. However, the historical data of the secondary device is not merged with the primary device’s data. Reports for previously collected data from the secondary device can still be accessed and viewed separately.

Can HA be modified or removed after configuration?

 
Yes, the High Availability configuration can be modified or removed at any time. When an existing HA mapping is edited, the updated configuration becomes effective once the changes are saved. If the HA configuration is removed, the license status of the secondary device will not automatically revert to its previous state.

Can syslog data from Primary and Secondary devices be merged?

 
Historical syslog data from the secondary device cannot be merged with the primary device. After HA configuration, only the upcoming syslogs received from both the primary and secondary devices are mapped to the primary device for monitoring and reporting purposes, while previously collected data remains unchanged and separate.
A single platter for comprehensive Network Security Device Management
Quick LinksNetwork Bandwidth ReportsNetwork Security & Device MgmtLog ManagementCompliance &amp MSSP Features