topic Re: Adding a VLAN Interface into firewall cluster in Firewall and Security Management

Adding a VLAN Interface into firewall cluster

SriNarasimha005 — Fri, 16 Oct 2020 17:53:47 GMT

Hi Experts,

We're planning to add a VLAN Interface into the firewall cluster (R77.30) and the Smart console version is R80.30

Have gone through SK57100 which says 'maintenance window' is required and it may cause an outage when fetching the topology.

While the article sk118518 says it can be done without fetching the topology and the plan is:-

To create a VLAN interface on both the firewalls via Gaia portal

Smart console -> Create a new Interface with 'cluster'

Create the interface with VIP address and click on Modify -> Enter the gateway members interface IP addresses of both the firewalls

Enable Anti-Spoofing

Save and install the policy.

With this option, believe anti-spoofing isn't overridden for other interfaces or no topology/routing changes will be made.

Is this correct way to do or can you please suggest the best way to achieve this without any outage or failover.

Thanks,

Re: Adding a VLAN Interface into firewall cluster

Kaspars_Zibarts — Fri, 16 Oct 2020 18:30:07 GMT

What you described should work totally ok. Wether to do manual spoofing or fetch topology automatically is a personal choice. We use automated option and never really had any problems. No interruptions or failovers during configuration. I just find manual prone to errors if you have high number of interfaces and routes.

Re: Adding a VLAN Interface into firewall cluster

SriNarasimha005 — Sat, 17 Oct 2020 14:33:24 GMT

Hi Kaspars,

Thanks for the reply.

Hope by adding this, new interfaces will be reported when the "cphaprob -a if" issued.

Also, can you please suggest what rollback option should be followed to minimize the outage (if something goes wrong)? Just by reverting the installation history or by reverting the snapshot.

Thanks.