
[ScreenOS] How to configure Active/Passive High Availability (NSRP)



Article ID: KB6015 | Last Updated: 14 Sep 2020 | Version: 12.0

Minimum NSRP configuration for a pair of Juniper ScreenOS firewall devices


How do I configure a pair of Juniper ScreenOS firewalls for Active/Passive High Availability (NSRP)?
What are the minimum NSRP commands required?

The basic configuration steps for the following topology are documented in this solution.

Minimum software and hardware requirements for configuring Active/Passive NSRP:
  • Firewalls with identical ScreenOS versions and license keys
  • Firewalls with identical hardware
  • At least one interface on each firewall bound to the HA zone, which will carry the control channel information

For more information on the software and hardware requirements for NSRP, refer to KB11432.


For assistance with configuring a pair of firewalls for NSRP, follow the steps below.  

These instructions were performed on an SSG-500. The same concept applies to the other models that support NSRP; the only difference is the interface notation or the dedicated HA port.

  1. Perform basic configuration on Firewall-A. Bind the interfaces to the desired zones and configure an IP address on each interface.

    set interface ethernet0/3 zone untrust
    set interface ethernet0/1 zone trust
    set interface ethernet0/3 ip
    set interface ethernet0/1 ip

    You may also configure policies, VPNs, etc., and get the firewall working as designed. Then proceed to the next step when you are ready to configure NSRP.

    It is also possible to do only the minimal configuration above and proceed to the next step to configure NSRP. Once the Active/Passive pair is configured for NSRP, subsequent configuration commands (policies, VPNs, etc.) are automatically synced to the other firewall.

  2. Start configuring NSRP by choosing the interface(s) for HA. In our example, it is eth0/4. For more information on assigning the HA ports, refer to KB11296.

    set interface ethernet0/4 zone HA

  3. Configure the NSRP cluster id:

    set nsrp cluster id 1

    Both firewalls in the cluster must have the same Cluster ID number.

    IMPORTANT: Other NSRP firewall pairs on the same segment must have a different set of cluster IDs. Once the cluster ID is set to a value, all the security interfaces will become part of the VSD-group 0, by default.

  4. [Optional]  Configure cluster name for NSRP:

    Each NSRP cluster member can have a different host name. When SNMP or IPSec is configured, a failover of the NSRP device can disrupt SNMP or IPSec communication. Defining a single name for all cluster members allows SNMP communication and digital certificate use to continue without interruption after failover.

    To define a single name for all cluster members, type the following CLI command:

    set nsrp cluster name <name_str>

    Use the cluster name when configuring the SNMP host name for the Juniper firewall device (set snmp name name_str) and when defining the common name in a PKCS10 certificate request file. 

    Note:  Only one digital certificate is required for an NSRP cluster.

  5. [Recommended]  Configure NSRP monitoring to trigger failover if an interface goes down.

    set nsrp monitor interface eth0/1
    set nsrp monitor interface eth0/3

    By adding the monitor commands, the firewall monitors the physical link state of interfaces eth0/1 and eth0/3. If either interface goes down, Firewall-A initiates a failover to Firewall-B, and Firewall-B continues to pass traffic.

    Note: Only specify interfaces that have an active link. Otherwise, the firewall will go to the (I) Inoperable state; for more information, see KB11327.

  6. Configure the NTP command, if applicable. Are your firewalls configured with an NTP (Network Time Protocol) server?

    No   - Continue with Step 7.

    Yes - Enter the command:  set ntp no-ha-sync

    For more information on disabling NTP for HA configurations, see KB7009.  Then continue to Step 7.

  7.  Repeat steps 2 - 6 for Firewall-B.

  8. Synchronize the configurations from the Backup firewall.  On Firewall-B, enter the following CLI command:

    firewall-B(B)-> exec nsrp sync global-config save

    The following will be reported shortly after you enter the above command:

    load peer system config to save
    firewall-B(B)-> Save global configuration successfully.
    firewall-B(B)-> Save local configuration successfully.
    firewall-B(B)-> Done.
    firewall-B(B)-> Please reset your box to let cluster configuration to take effect!

    For more information on synchronizing the configurations, refer to KB6351.

  9. Reset Firewall-B.

    IMPORTANT:  If you are prompted to save the configuration after you enter the reset command, answer n (No).  Then, proceed with the reboot by answering y (Yes).

    firewall-B(B)-> reset
    firewall-B(B)-> Configuration modified.  Save? [y]/n n
    firewall-B(B)-> System reset.  Are you sure? y/[n] y

  10. After the boxes have rebooted, synchronize the RTOs (Run-Time Objects):

    firewall-A(M)-> set nsrp rto-mirror sync

    After you enter the "rto-mirror sync" command, the primary and backup firewalls start to synchronize real-time session information. On the primary device, the console shows the following:

    firewall-A(M)-> Begin to sync all run-time-object to peer ...Done

    On the backup device, the console shows the following:

    firewall-B(B)-> configuration in sync (local checksum 1545829970 == remote checksum 145829970)
    Received all run-time-object from peer.

    Note:  Steps 11 and 12 can be performed before step 7, however, for simplicity, they are performed at this point.

  11. [Recommended]  Configure priority and preempt for selecting which device in the cluster should be the preferred master:

    The firewall with the lowest priority value will be the primary. By default, ScreenOS sets the priority to 100. Modify it with the following command to select the primary device:

    firewall-A(M)-> set nsrp vsd-group id 0 priority 50

    Set the preempt option only on the device with the lowest priority value, that is, the one device that you want to always be master:

    firewall-A(M)-> set nsrp vsd-group id 0 preempt

    In a failover scenario, suppose Firewall-B becomes the primary. If the original primary, Firewall-A (which has the lower priority value and preempt configured), later recovers, Firewall-A takes back the primary role. For more information on the priority and preempt commands, refer to KB11373.

  12. [Recommended]  Configure the NSRP cluster members for management by adding a manage-ip on the VSI interface:

    In an Active/Passive HA setup, there are situations where you need to manage both the primary and backup firewall at the same time. To achieve this, configure a manage-ip on the VSI interface of each firewall; each address must be a unique IP from the same subnet as the VSI interface network.

    firewall-A(M)-> set interface e0/1 manage-ip

    On the backup firewall, you can configure IP

    firewall-B(B)-> set interface e0/1 manage-ip

    For more information on configuring a manage IP, see KB4059.
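As an added example that is not part of this KB, the following Python script checks the `get config` output of both cluster members against the steps above: same cluster ID, an HA-zone interface and monitored interfaces on each member, `set ntp no-ha-sync` wherever an NTP server is set, preempt on exactly one member (the one with the lowest priority value), and a unique manage-ip inside the VSI subnet on each member. The two configurations are constructed samples with made-up addresses; member B is derived from A with its own manage-ip, the default priority and no preempt, and the `set ntp server` line assumes standard ScreenOS syntax.

```python
import ipaddress
import re
# Constructed 'get config' excerpt for a healthy member A (addresses are made up).
FIREWALL_A = """set interface ethernet0/1 zone trust
set interface ethernet0/3 zone untrust
set interface ethernet0/4 zone HA
set interface ethernet0/1 ip 10.1.1.1/24
set interface ethernet0/1 manage-ip 10.1.1.11
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp monitor interface ethernet0/1
set nsrp monitor interface ethernet0/3
set ntp server 10.1.1.254
set ntp no-ha-sync"""
FIREWALL_B = "\n".join(l.replace("10.1.1.11", "10.1.1.12") for l in FIREWALL_A.splitlines()
                       if "vsd-group" not in l)  # B: own manage-ip, default priority, no preempt
def _grab(cfg, pattern):
    """First capture group of a line-anchored regex over the config text, or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None
def nsrp_findings(cfg_a, cfg_b):
    """Return a list of deviations from the Active/Passive NSRP steps; empty means OK."""
    out, members = [], (("A", cfg_a), ("B", cfg_b))
    ids = [_grab(c, r"^set nsrp cluster id (\d+)$") for c in (cfg_a, cfg_b)]
    if None in ids or ids[0] != ids[1]:
        out.append(f"cluster id missing or mismatched: {ids}")
    mips = {}
    for name, cfg in members:
        if not re.search(r"^set interface \S+ zone HA$", cfg, re.M):
            out.append(f"{name}: no interface bound to the HA zone")
        if not re.search(r"^set nsrp monitor interface", cfg, re.M):
            out.append(f"{name}: no monitored interface, a link failure will not fail over")
        if re.search(r"^set ntp server", cfg, re.M) and "set ntp no-ha-sync" not in cfg:
            out.append(f"{name}: NTP server set without 'set ntp no-ha-sync'")
        m = re.search(r"^set interface (\S+) manage-ip (\S+)$", cfg, re.M)
        if m:  # manage-ip must sit inside the subnet of the VSI interface it is bound to
            vsi = _grab(cfg, rf"^set interface {re.escape(m[1])} ip (\S+)$")
            mips[name] = ipaddress.ip_address(m[2])
            if vsi is None or mips[name] not in ipaddress.ip_interface(vsi).network:
                out.append(f"{name}: manage-ip {m[2]} is not in the {m[1]} subnet")
    if len(mips) == 2 and mips["A"] == mips["B"]:
        out.append("both members use the same manage-ip")
    pri = [int(_grab(c, r"^set nsrp vsd-group id 0 priority (\d+)$") or 100) for c in (cfg_a, cfg_b)]
    pre = ["set nsrp vsd-group id 0 preempt" in c for c in (cfg_a, cfg_b)]
    if pre.count(True) != 1:
        out.append(f"preempt should be on exactly one member, found {pre.count(True)}")
    elif pri[pre.index(True)] != min(pri):
        out.append("preempt is on the member with the higher priority value")
    return out
```

Run `nsrp_findings(FIREWALL_A, FIREWALL_B)` against the samples to get an empty list; feed it real `get config` captures (one per member) to list what still differs from the steps above.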

Modification History:

2017-12-07: Added ScreenOS Tag wherever necessary
2020-01-24: Article reviewed for accuracy. No changes made. Article is correct and complete.
2020-09-13: Article reviewed for accuracy. Updated products affected
