New Features In Firewall Builder 4.0 - Page 3

Want to support HowtoForge? Become a subscriber!
 
Submitted by vkfwb (Contact Author) (Forums) on Mon, 2010-05-10 15:56. ::

Failover and state synchronization groups in a Linux cluster

All failover protocols available on Linux do not create their own interfaces on the firewall machine. This includes heartbeat, vrrp, OpenAIS. To build Linux cluster configuration in Firewall Builder, create cluster interfaces using the same name as corresponding member firewall interfaces as shown in Figure 8. Actual mapping between the cluster interface and corresponding member firewall interfaces is done in the dialog that opens when you double click on the Failover Group object that associated with this cluster interface.

Figure 8. Failover group objects and mapping between cluster and member interfaces

Failover group objects and mapping between cluster and member interfaces

Figure 9. State synchronization group object

State synchronization group object

Detailed overview of the Linux cluster configuration in Firewall Builder is available in the chapter Linux cluster configuration with Firewall Builder” in Firewall Builder 4.0 User's Guide. Examples of cluster configurations built with VRRPD or heartbeat are provided in the chapter Examples of cluster configurations” in Firewall Builder 4.0 User's Guide.

 

Failover and state synchronization groups in an OpenBSD cluster

OpenBSD cluster built with CARP failover protocol and pfsync state synchronization protocol looks little different. CARP uses its own special interface "carp0" as a configuration and management mechanism on OpenBSD. In Firewall Builder, this is reflected in the name of the cluster interface object which becomes "carp0" or "carp1". State synchronization protocol, likewise, uses interface "pfsync0". Activation script created by Firewall Builder for the PF cluster includes commands that set up both carp and pfsync interfaces and assign parameters. Interface mapping between OpenBSD cluster object and corresponding member firewall objects is shown in Figure 10. To configure this mapping, open Failover Group or State Synchronization group object in the editor by double clicking it in the tree.

Figure 10. OpenBSD cluster: failover and state synchronization group objects and mapping between cluster and member interfaces

OpenBSD cluster: failover and state synchronization group objects and mapping between cluster and member interfaces

In this example interface carp0 defines CARP protocol instance running on inetrfaces em0 of two member firewalls and the second instance of CARP protocol (carp1) uses interfaces pcn0.

Detailed overview of the OpenBSD cluster configuration in Firewall Builder is available in the chapter OpenBSD cluster configuration with Firewall Builder” in Firewall Builder 4.0 User's Guide.

 

Failover and state synchronization groups in a PIX cluster

Firewall Builder supports PIX "LAN based" failover configuration. Unlike in Linux or BSD, where each interface of the firewall runs its own instance of failover protocol, PIX runs one instance of failover protocol over dedicated interface. PIX can also run state synchronization protocol over the same or another dedicated interface. These dedicated interfaces should be connected via separate switch and do not see regular traffic. Here is how this is implemented in Firewall Builder.

Like with all other supported firewall platforms, interface objects that belong to a cluster object serve to establish association between actual interfaces of the member firewalls. Cluster interface object should have the same name as corresponding member firewall interfaces. It should have Failover Group child object which should be configured with interfaces of the member firewalls. Here is an example of interface mapping between cluster and member firewalls:

Figure 11. PIX cluster: failover group object and mapping between cluster and member interfaces

PIX cluster: failover group object and mapping between cluster and member interfaces

PIX does not use special shared IP addresses for the cluster, therefore cluster interface objects in Firewall Builder do not have IP addresses. Interface "Ethernet2" in the screenshot above is used for the dedicated failover connection; the object that represents it in each member firewall should be marked as "Dedicated failover interface". This is new attribute of the Interface object added in Firewall Buidler 4.0.

Cluster object should have State Synchronization group child object. In this object you need to configure member interfaces that should be used for state synchronization. You can use separate dedicated interfaces or the same interfaces used for failover. If these are separate, corresponding interface objects of the member firewalls must be marked as "Dedicated Failover".

One of the member firewall interfaces used in the State Synchronization group must be marked as "master". This is where you define which PIX unit is going to be the primary and which is going to be the secondary in the HA pair.

Here is an example of the state synchronization and failover using the same interface Ethernet2:

Figure 12. PIX cluster: state synchronization group object

PIX cluster: state synchronization group object

Detailed overview of the PIX cluster configuration in Firewall Builder is available in the chapter PIX cluster configuration with Firewall Builder” in Firewall Builder 4.0 User's Guide.


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.