You should understand how policies work with gateways in an HA group.
Policy Setting Details
Gateways were not part of an HA group when Policy Rules, Interface Groups, or Approved/Blocked List were configured.
The primary's configuration will be applied to the HA pair. The secondary's old policies will not be used.
Gateways are already part of an HA group prior to setting up Policy Rules, Interface Groups, or Approved/Blocked List.
Policy Rules and Approved/Blocked List are configured for the HA pair, not for the primary or secondary.
If you want to select Interface Groups in policy rules, select only one standalone gateway or one HA pair for that rule.
You can configure Interface Groups for gateways in an HA group.
Configure the Interface Group for the primary gateway and it will be used by the HA pair.
To do this, the primary and secondary must have similar VLAN and VPN configurations.
Keep the following consideration in mind:
If the primary is registered while the secondary is unregistered, and the primary's policy rules use Interface Groups that contain VLANs or VPNs, those primary rules cannot be applied successfully to the secondary.
In this case, configure VLANs and VPNs for the secondary after it is registered, then perform policy deployment.
Policies are deployed to both gateways in an HA group.
Keep the following consideration in mind:
Policy deployment might succeed on one gateway but fail on the other.
You can configure geolocations for policies used by the HA group.
Keep the following consideration in mind:
Certain policy rules with geolocations configured might not work after failover in an HA group. This is because the gateways might have different versions of the location database.
After an HA group is destructed, both the primary and secondary will use the policies configured for the HA group.
Keep the following consideration in mind:
If the policy rule has interface groups configured, it will only be applied to the primary gateway.