CARP allows multiple hosts to share a set of IP addresses. These IP addresses are known as virtual IPs, and they provide a layer of abstraction above the actual hardware. Thus, if the primary firewall goes down, the secondary firewall takes over and the virtual IPs will now refer to the interfaces on the secondary firewall. Computers on either side of the firewall are unaware of what has happened, and operation continues as normal.

Adding the virtual IPs is critical, as it provides a means of interacting with the firewall’s interfaces that will remain constant even in the event of a hardware failure. It is also critically important that we have a means of synchronizing data between the firewalls. The PFSYNC interface provides such a means.