
Best practice for HA cluster setup

Hi all,

I have a customer who has had an SG330 running for several years now. He also has a 2nd SG330 that was planned to be used as a "cold standby" device. Since that doesn't make any sense, I want to change the setup to an active-standby HA configuration. The cold standby device was reinstalled with the same firmware as the running device.

What is now the best way to set up clustering? Should I import the config backup on the freshly installed device and reinstall the currently running one before I enable clustering, or does it make more sense to add it to the currently running device for some reason? I don't have any practical experience with UTM clustering yet.

The running device has two PPPoE connections. I guess the best way will be to add 2 VLANs on the core switch for that, where both relevant interfaces and the modem's interface will be in? Or is a "dumb" (desktop) switch the better solution? Is there anything to take care of, like PPPoE timeouts or something like that?



  • It's easier than you suspect, Kevin.  All of my clients with an SG 135 or larger are in Hot-Standby with a 2nd, duplicate appliance:

    1. Do a quick, temporary install so that the new device can download Up2Dates if needed.
    2. Apply the desired Up2Dates (if possible, stop at 9.508 today), do a factory reset and shutdown.
    3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
       a. Enable Hot-Standby
       b. Select eth3 as the Sync NIC
       c. Configure it as Node_1
       d. Enter an encryption key (I've never found a need to remember it)
       e. Select 'Enable automatic configuration of new devices'
       f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
    4. Cable eth3 to eth3 on the new device.
    5. Cable all of the other NICs exactly as they are on the original UTM.
    6. Power up the new device and wait for the good news. ;)

    This old diagram also suggests using LAGs and duplicate switches for greater failover protection.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA