Configuring NetScreen Firewalls

Determining When to Failover: The NSRP Ways

Similar to the options provided on the low-end range of NetScreen firewalls, NSRP provides a number of different methods that can be used to determine when a failover should be initiated. While the options in some cases may seem identical to their low-end cousins, do not confuse them; they are distinctly different, albeit subtly so. Also, if you recall from the earlier discussion, the low-end range of NetScreen firewalls provided VPN monitoring as one of the many ways to determine the failover point. This particular feature is not present when using NSRP because it is not considered necessary or appropriate at this level; it is only really useful on the small firewalls.

If you really like that feature, you can achieve almost the same thing using IP tracking towards one or many hosts that are reachable only through the VPN. For cases where there are no known hosts behind the VPN, simply tracking the VPN gateway may be sufficient.

Before going into detail about how to detect the need for a failover, let's look at a list of things that are already reason enough to fail over:

  • Software crashes

  • Hardware or power failure

  • Link failure on monitored interfaces or zones

  • Unavailability of one or more tracked IP addresses

The first two items, software and hardware failure, are detected automatically without any need for explicit configuration. The latter two items are available to provide flexibility in determining whether to fail over or not, and must...
