topic Re: Clustering question in Firewall and Security Management

Clustering question

the_rock — Wed, 10 Feb 2021 16:46:36 GMT

Hey guys,

I have unique inquiry from the customer, but not sure if this is something that can be done easily or not. Here is the situation...customer has main Internet gw (I believe 6000 model) and we upgraded it from R77.30 to R80.40 and that worked, BUT, what they wanted to do is add another brand new 6000 model into a cluster with current Internet fw, but keep the main fw IP as the clustered IP. We attempted this couple of months back, but ran into huge roadblock, where we had to change default gw, then dns was all messed up, and it turned out to be a nightmare.

TAC tried helping us, but even person on the phone was stuck, so we just decided to abandon the whole idea and revert the changes.

Here is my question, is there a good process or steps on how this should be done? Not sure if anyone attempted to do this before. Say, if you have main Internet fw and main IP is 50.60.70.90 and you want to keep SAME IP as the clustered VIP, is that even doable? I read the R80.40 cluster guide and could not find anything about scenario like this (unless I did not look hard enough : ))

Anyway, if anyone has any ideas, suggestions, would be greatly appreciated!

Andy

Re: Clustering question

Chris_Atkinson — Thu, 11 Feb 2021 00:48:57 GMT

How large is the subnet that the existing VIP resides in and are there spare addresses as that might be a factor in determining your options...

To that end sk32073 describes a similar scenario based on the limited information currently available here.

Re: Clustering question

the_rock — Thu, 11 Feb 2021 01:44:38 GMT

Thanks Chris. Sadly, that sk does not apply to our scenario, as IPs would be from the same subnet.

Andy

Re: Clustering question

Chris_Atkinson — Thu, 11 Feb 2021 02:06:28 GMT

Did you approach it as though this was a hardware change or some other method, why the default route change?

I can imagine some ARP tables might need to be cleared, but otherwise should be entirely achievable.

Re: Clustering question

the_rock — Thu, 11 Feb 2021 02:15:20 GMT

I would have to go through all my notes from that weekend change couple of months back, but I do recall there was some IP conflict we encountered, hence the change. I specifically remember the person we spoke to from TAC kept saying that we did not have to change any routes or anything, but 2 hours later, with his instructions, vpn was not working, Internet was down...it was a hot mess, to put it bluntly. Im just trying to figure out if there is a specific method to doing this correctly...

Re: Clustering question

RS_Daniel — Thu, 11 Feb 2021 02:31:25 GMT

Hi,

Possible but needs a lot of planning according to your enviroment.

1. Create a table defining the ip addresses for cluster and members for every interface
2. Prepare script with routes, interfaces, etc for the new gateway
3. Install the new gateway, configure with previous script
4. Take captures for Network topology, IA configuration, vpn domain, remote access, etc in the old gateway object at smartconsole
5. Reset SIC in old gateway, NOT INITIALIZE
6. Remove the old gateway object from all VPN communities (do not delete the communities)
7. Disable VPN blade in old gateway object, publish
8. Change the name and ipv4 of the old gateway object, publish
9. Enable vpn blade again in old gateway, publish, delete VPN certificate, accept warnings, a new cert will be created. Publish
10. Create cluster object in smartconsole, use the IP address you want to Keep as VIP, go to cluster members and write the hostname of the new gateway, put IP and SIC password
11. In the cluster object Get interfaces without topology, at this moment the cluster has only one member, the new gateway.
12. Copy all the configuration from the captures from step 4 (IA, remote access, IA, etc)
13. Check all the places where old gateway was used and replace with the cluster (rigth click, where used)
14. Add the cluster object to VPN communities
15. Push policy (services outage)
16. Unplug old gateway, plug new gateway
17. Change hostname in old gateway trough CLI, reset SIC
18. Change interfaces IPs in old gateway according to your table in step one
19. Plug cables again to old gateway
20. Put the new SIC password in smartconsole for old gateway
21. Add old gateway to cluster
21. Get interfaces in cluster without topology
22. Push policy
23. Install licences contracts, check services.

Re: Clustering question

the_rock — Thu, 11 Feb 2021 02:37:17 GMT

Thanks a lot for taking time to write all of that up, thats actually helpful. See, when we were on the phone with TAC while doing this, we actually followed most of the steps, BUT, not necessarily exactly the way you wrote them (specially part about SIC and vpn). What makes this very tricky is that current single gateway is their main Internet firewall. I will certainly review all the steps you listed.

Re: Clustering question

Vladimir — Thu, 11 Feb 2021 04:46:30 GMT

FYI, I've run a few times in a situation where upstream service provider's (ISP's) equipment was not refreshing arp after cluster topology changes were made.

If you are doing it by the book and are still running into the problem, ask ISP to clear the arp cache on their side.

Other than that, it is entirely doable. Backups are your friends on both, management and the existing gateway, to assure safe fallback.