topic Cluster XL - Interface Preference in General Topics

Cluster XL - Interface Preference

Luis_Miguel_Mig — Tue, 05 Mar 2019 11:07:14 GMT

Hi,

could a firewall that is connected to different segments have different monitoring preference per interface?
So for example, if there is a failure in a segment that it is not very important, I would like the cluster to failover if it is necessary.

But if there is a second failure on a segment that it is more important I would like the cluster to failover again it was necessary because that segtment is more important.

monitored interfaces don't suit in this scenario because I need the cluster virtual IP.

$FWDIR/conf/discntd.if could work, so I can exclude the less important segment from monitoring. However, I have read that FWDIR/conf/discntd.if is not relevant in versions above R77.20

Thanks.
Luis

Re: Cluster XL - Interfance preference

Timothy_Hall — Tue, 05 Mar 2019 14:51:29 GMT

All ClusterXL HA interfaces defined as "Cluster" where a Cluster/Virtual IP is being presented have essentially equal priority. The ClusterXL HA cluster member with the most working interfaces will "win" via CCP and go active. You can define an interface as Private and therefore non-monitored, but I don't think there is any way to present a Cluster/Virtual IP on an interface defined that way. You might be able to play some games with proxy ARP on the Private interface though.

Your request can be done with VRRP however using different priority deltas. For a non-critical interface define a low priority delta that upon failure will not degrade the effective priority of the Master below the base priority of the Backup. However if another interface now fails on the Master, that interface's priority delta will be enough to drop the effective priority of the Master below the base priority of the Backup, and a full failover will occur (assuming you have set up monitored circuits correctly).

Generally I try to avoid VRRP in favor of ClusterXL though, with VRRP it is way too easy to cause split-brains and routing back holes if everything is not set up 100% correctly.

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Cluster XL - Interfance preference

Luis_Miguel_Mig — Tue, 05 Mar 2019 15:22:41 GMT

And what about $FWDIR/conf/discntd.if? Does it work in R80.20?
And would it make sense to run a cluster interface (added to $FWDIR/conf/discntd.if) with the purpose of avoiding HA states changes due to changes in that cluster interface? Just wondering if there is any drawback in adding interfaces to $FWDIR/conf/discntd.if that I can't foresee.

Re: Cluster XL - Interfance preference

Timothy_Hall — Wed, 06 Mar 2019 03:06:17 GMT

I don't think discntd.if is supported any more in R77.30 and later, since an interface can just be defined as "Private" in the SmartConsole which is basically the same thing. Also if the interface does not appear in the Cluster topology at all (but is defined in the Gaia OS) ClusterXL will just ignore it in R77.30+. I don't think creating the discntd.if file will have any effect but you are welcome to try.

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Cluster XL - Interfance preference

Luis_Miguel_Mig — Wed, 06 Mar 2019 10:03:36 GMT

I suppose the difference is that discntd.if would allow me to have a non monitored cluster interface vs the private interface that wouldn't allow me to have a virtual IP

Re: Cluster XL - Interfance preference

G_W_Albrecht — Fri, 08 Mar 2019 09:44:08 GMT

In Next Generation Security Gateway Guide R80.20 p.22, the discntd.if file is used to implement Mirror and Decrypt in Gateway mode - so it is still used...

Re: Cluster XL - Interfance preference

Luis_Miguel_Mig — Fri, 08 Mar 2019 10:31:33 GMT

Ok, thanks. It sounds good

Re: Cluster XL - Interfance preference

G_W_Albrecht — Fri, 08 Mar 2019 11:53:36 GMT

Next Generation Security Gateway Guide R80.20 also does explain changing the discntd.if file in VSX environment...