topic Re: Change External Interface from 1G to 10G in Firewall and Security Management

Change External Interface from 1G to 10G

Darina2019 — Fri, 31 Dec 2021 06:56:35 GMT

Hello Mates,

I have a challenging question to all of you and hope you can help with advise on the Proper plan.

My case is that, I have three gateways cluster, which I need to change their external interface from one physical interface to another, currently on 1 G, I need to move it to 10G. All the IP addresses on the Interfaces on all three gateways should be the same just I have to move the IPs on another physical interface. The issue is that my Management Server part of the MDS environment is located in another location and the only connectivity to the MDS ( other location) is via VPN from the location which I am making the pre-configuration. As this is external interface ( Public IPs/peer for the that site)once I attempt to shutdown and remove IPs from current external interface this will disconnect all the VPNs as the VIP of that external interface is peer for each VPN tunnel, so I will kick down my connection to the MDS/ CMA ( Management).

So my question is, is there easy way on the Gateway level that I can simply change the IP via command line/ interface file, without the need to " get interfaces with topology" on the Management. If not what is the best plan that you can suggest.

The eventual plan which comes to my mind is:

1. Configure new Interface with the same IPs as other with state down. ( if Gaia allow this as same IPs with same Netmask, will not be allowed to configure as far as I know)

2. Shutdown the old interfaces * this way I will lose the VIP on the external and my VPN connection will be down...

3. Set new Interfaces UP, but without Management Server( CMA/MDS) I will not be possible to point via Smart Console which is the VIP IP ( same OLD IP- re-used) so to push policy and finish the pre-configuration....

This is all that comes to my mind, but looks like I am not on the right way, so I am looking for your kind advise.

Could you please share you suggestion and better approach for that case?

Re: Change External Interface from 1G to 10G

_Val_ — Fri, 31 Dec 2021 08:35:52 GMT

You need out of band access to your MGMT servers to complete the operation. There is no any way around it here.

Re: Change External Interface from 1G to 10G

Bob_Zimmerman — Fri, 31 Dec 2021 09:41:22 GMT

Related to this, you may want to consider changing the external interface to a bond. Even if you don't add more than one interface, bonds abstract your logical interfaces (with the IP addresses) away from the physical hardware underpinning them. They make this kind of move much easier.

Re: Change External Interface from 1G to 10G

K_montalvo — Fri, 31 Dec 2021 15:35:32 GMT

@Bob_Zimmerman Thats a good idea but the thing is hes trying do change from 1G to 10G port and not sure if you can bond those interfaces with different physical duplexing and i assumed on 10G hes going to be using SFP instead of ethernet. So i would go as @_Val_ said confirm and out of band connection in order to work with the MGMT.

Re: Change External Interface from 1G to 10G

the_rock — Fri, 31 Dec 2021 17:04:47 GMT

@_Val_ is absolutely right...I dont see any other way myself either.

Re: Change External Interface from 1G to 10G

Bob_Zimmerman — Fri, 31 Dec 2021 18:09:42 GMT

You can. I've done it before to deal with this exact scenario.

The firewall application cares very deeply about the names of the interfaces you give it. This is why you have to update the topology table when you move an IP from a 1g to a 10g interface. Same thing if you move it from a 1g interface to a bond.

However, once the firewall application knows about, e.g., bond0, it doesn't care which physical interfaces make up bond0, or even how the bond is set up. I recommend using bonds for everything possible for this reason.

Re: Change External Interface from 1G to 10G

the_rock — Fri, 31 Dec 2021 18:17:51 GMT

Hey brother,

@Bob_Zimmerman is correct as well. In some cases, you are right, might not be optimal, but it works for sure. I had done it on Fortinet and CP before and never had an issue. You can mix 1 G and 10 G interfaces in a bond and works real well.

Re: Change External Interface from 1G to 10G

HeikoAnkenbrand — Fri, 31 Dec 2021 19:46:31 GMT

If you have an Open Server, there is an easy way.

Replace the PCI BUS IDs between 10 GBit and 1 GBit interface in the file "/etc/udev/rules.d/00-OS-XX.rules".

For example, if eth0 is a 1G interface and eth3 is a 10G interface, you only need to change the interface PCI bus ID.

After that you just have to reboot the gateway.

If it is an appliance, this hack will not work.