High Availability Deployment

Transcription

1 April 18, 2005 Overview Introduction This addendum provides connectivity and configuration task overviews for connecting two M appliances as a high availability (HA) cluster pair. For detailed configuration procedures, refer to the Proventia M Series Appliance User Guide or the Help. Important: YOU MUST INSTALL THE 2.2 FIRMWARE UPDATE TO ENABLE THE HIGH AVAILABILITY FEATURE. IF YOU ARE UPGRADING USING EXISTING APPLIANCES, ALL NETWORK CONFIGURATION SETTINGS, SECURITY GATEWAYS, AND NETWORK ADDRESS TRANSLATIONS MUST BE EDITED PRIOR TO ENABLING HIGH AVAILABILITY. What s new in this update This firmware update version 2.3 includes improvements and bug fixes for the high availability failover protection feature firmware version 2.2 and other items. The model number for your appliance, and the firmware update version that you last installed, appear in the System Status area of the Proventia Manager Home page. Reference: For the most current information about product issues and updates, see the Proventia M Series Appliances Readme on the ISS Download Center at In this document This document contains the following topics: Topic Page Updating the Firmware 2 High Availability Deployment 3 Connecting the Appliances for High Availability 7 Task Overview for High Availability Configuration 8 DOC-ADD-PROVISAM-002-A 2005 Internet Security Systems, Inc. All rights reserved worldwide. 1

2 Updating the Firmware Introduction Before you begin, you must install the 2.2 and 2.3 firmware update packages. Use the following instructions if your appliance does not have access to the Internet. If you do have Internet access, use the instructions found in the Help and the Proventia M Series Appliances User Guide. Note: If you are planning to use existing M appliances for your high availability deployment, you can re-use existing IP addresses, however, they must be re-configured. All network configuration settings, security gateways, and NAT policies must be edited prior to enabling high availability. Updating the firmware To update the appliance firmware without an Internet connection: 1. Use an SCP (session control protocol) client to copy the firmware.pkg file into your / var/spool/updates directory of a Proventia M running firmware Access Proventia Manager, and click. 3. Click the Click here for more information link. The firmware update files appear in the Updates Available to Install list. 4. Click Install Firmware Updates. 5. The appliance installs the firmware update, and then reboots. Important: You can view the status of the installation in the Update History table on the Update Status page. Some firmware updates require that you reboot your appliance. For more information about product issues and updates, see the Proventia M Series Readme on the ISS Download Center at Reference: For more information about firmware update reboot and database update considerations, see The Proventia M Appliances User Guide. After installing the update, the System Status information displays the firmware version. Both appliances MUST be running the same firmware version. 6. Shutdown the appliances and complete the tasks outlined in Connecting the Appliances for High Availability on page 7 and Task Overview for High Availability Configuration on page 8. Note: Refer to High Availability Deployment on page 3 for additional information. Contents of document subject to change.doc-add-provisam-002-a 2

3 High Availability Deployment Introduction This topic describes a typical deployment scenario for using the Proventia M Series appliances in a high availability environment. It includes the following: a logical diagram for a standard HA deployment a physical network diagram for a standard deployment You can manage your HA appliance cluster from Proventia Manager. If you use a SiteProtector console to manage your appliances, you can manage the HA cluster from the SiteProtector Agent Manager. Using existing appliances You can update the firmware and use existing Proventia appliances in an HA cluster. You must assign new unique IP addresses to all static interfaces on both the primary and secondary appliances. Use the existing static IP addresses as the HA virtual IP addresses. Some additional configuration may be required Note: In the case of a 3-port M appliance, you only can keep the internal and external network IP addresses. The former DMZ interface becomes the dedicated HA interface. VPN policy considerations and other restrictions Consider the following before you enable the high availability (HA) feature: If you run the Proventia Setup utility when the HA feature is enabled, do not modify network settings.use Proventia Manager. If you use SiteProtector to manage your appliances and your secondary appliance is already registered with a SiteProtector Agent Manager, you must unregister the secondary appliance from SiteProtector after you enable HA. After you enable HA, you cannot change network settings for either appliance in the cluster. This restriction also applies to HA clusters that you may manage with SiteProtector. If the primary appliance fails, it loses all existing connections. This is known as warm failover. The primary appliance loses FTP, VPN and other TCP persistent connections, and you must reconnect them on the secondary appliance. For HTTP connections, refresh your browser or press F5 to regain the ability to create an Internet connection. When you enable or disable the HA feature, the appliance uses the virtual IP address to route traffic. The virtual IP address replaces the Local ID data (local IP address) for each appliance. When you set up a security gateway with an IP address as the Local ID, you must use the first virtual IP address for the interface as the Local ID value. Do not use any of the following: an alias an IP address using a proxy ARP the second or later virtual IP address If you have created NAT rules, IPSEC policies, security gateways, or other policies that use this Local ID data, then those policies or rules are invalidated. When you enable or disable HA, the appliance generates alerts that describe the invalidated policy. You must edit these policies to include the new IP address Contents of document subject to change. 3

4 information. Use the alerts on the Alert Event Log page to identify the firewall or VPN policies that you must edit after you enable or disable the HA feature. Caution: If you reboot the appliance before you edit these policies, your VPN connections will not function. Prerequisites To use the high availability feature you must do the following: Requirement Acquire Licenses Edit existing policies and configurations Add required access policies and Source NAT Rule Licenses are not synchronized between M appliances. Each appliance must have its own unique license. You must edit existing policies as follows: You must configure all firewall access polices, VPN configurations and external DNS entries to use the virtual IP addresses. If you have created firewall policies or rules that use a static IP address, then you must revise those policies or rules. CAUTION: When you enable or disable the high availability feature, the appliance uses the virtual IP addresses to route traffic. In the case of access policies, IPSEC policies, NAT policies, or proxy redirection rules, change any IP address information that references a static interface address to one of the virtual IP addresses, or disable the policy, as appropriate. You must remove and then re-add conflicting security gateways. If Source or Destination NAT Rules reference a static IP address (physical interface), you must change the IP address for the rule to match the virtual IP address of that interface. The Hide NAT Source Rule is enabled by default. This Many-to- One configuration translates all non-routable IP addresses to the IP address of the eth1 interface. If you use the high availability feature, you must edit the Hide NAT Source Rule. On the Translated Address tab, change the IP address entry to the virtual IP address for the HA cluster. When you set up a security gateway with an IP address as the Local ID, you must use the first virtual IP address for the interface as the Local ID value. Do not use any of the following: - an alias - an IP address using a proxy ARP - the second or later virtual IP address You must add three new firewall access policies and a Source NAT Rule before you begin HA configuration. See High Availability Access and NAT Policies in the Help or Proventia M Series Appliances User Guide. Table 1: HA prerequisites Contents of document subject to change.doc-add-provisam-002-a 4

5 Requirement Select Dedicated HA Interface IMPORTANT: Each appliance must dedicate the same HA interface. Match any of the available interfaces eth2 through eth7; the number of available interfaces varies depending on your appliance model. Do not use INT0 (eth0) or EXT1 (eth1) for your high availability interface. This simplifies use of HA functionality, and provides good throughput when the appliances share state information. Use the same appliance model for both the primary and secondary device. Example M30 to M30 The HA interface must be on a dedicated private network to prevent attacks from entering the network via the HA interfaces. Do not route user network traffic across the dedicated HA interfaces. Table 1: HA prerequisites (Continued) Logical HA deployment diagram The example below shows a logical network diagram of a standard high availability cluster deployment. In this example, there is only one external IP address: The appliances use non-routable IP addresses for their external interface: Figure 1: Logical HA diagram for standard deployment Contents of document subject to change. 5

6 Physical HA deployment network diagram A physical network diagram of a typical HA deployment scenario is shown in Figure 2: Figure 2: HA physical network diagram Item 1 primary external interface 2 secondary external interface 3 primary internal interface 4 secondary internal interface HA LAN high availability interface local area network Table 2: HA physical network diagram legend Contents of document subject to change.doc-add-provisam-002-a 6

7 Connecting the Appliances for High Availability Connecting the Appliances for High Availability Introduction This topic describes how to connect two appliances for a high availability cluster pair. Connecting the cables To connect the appliance cables: Important: Make sure both appliances are turned OFF. Step Action 1 Connect the primary appliance to your internal network hub/switch using the INT0 port interface. 2 Connect the primary appliance to your external network hub/switch using the EXT1 port interface. 3 Cross connect the eth2 interfaces on each M appliance by using a crossover cable, or straight cables in combination with a hub/switch. Note: You must use the same port on both appliances. 4 Connect the secondary appliance to your internal network using the INT0 port interface. 5 Connect the secondary appliance to your external network using the EXT1 port interface. 6 Connect the secondary appliance to the primary appliance using the HA interface port (eth2). 7 Complete the configuration procedures on both appliances as described in Task Overview for High Availability Configuration on page 8. Table 3: Steps for connecting HA appliances Contents of document subject to change. 7

8 Task Overview for High Availability Configuration Introduction This topic offers a general task overview for configuring your Proventia M Integrated Security appliances for high availability. Important: Both appliances MUST be running the same firmware version prior to making any policy changes. Reference: Refer to the Proventia M Quick Start Guide associated with your appliance model for Proventia Setup utility instructions. Caution: When you enable or disable the HA feature, the appliance uses the virtual IP addresses to route traffic. If you have created firewall policies, NAT policies, or rules that use a static IP address, then you must revise those policies or rules. In the case of access policies, IPSEC policies, NAT policies and proxy redirection rules, change any IP address information that references a static interface address to one of the virtual IP addresses, or disable the policy, as appropriate. You must remove and then re-add conflicting Security Gateways. If you reboot the appliance before you edit these policies, your VPN connections will not function. Access policies and network objects Before you enable the high availability feature, you must create three access policies and one source NAT policy to allow the appliances to communicate and receive updates. Before you create the access policies, you must create specific network objects. Note: Refer to the Proventia M Series Appliance User Guide or the Help for a complete list of the network objects and access policies required for high availability. The required policies and objects include: an Address Name network object for the static IP address ranges of all enabled interfaces, including the HA interface an Address Name network object for the static IP address range of the HA interface only. an Address Name network object to allow the secondary node to receive updates a network address translation (NAT) policy to specify the source NAT for the secondary node. The access policies must be applied to both appliances in the HA cluster. You must add the HA access policies before you migrate other policies. Tip: Open two browser windows so that you can easily access both appliances during the initial configuration process. Contents of document subject to change.doc-add-provisam-002-a 8

9 Task Overview for High Availability Configuration Task Overview: Configuring the primary HA appliance To configure the primary appliance, perform the following tasks: Task 1 On the primary appliance, perform initial network connection and use the Proventia Setup Utility to complete configuration steps. IMPORTANT: Configure only your internal (INT0) and external (EXT1) interfaces. When you configure the external interface, use the external virtual IP address of the alternate node in the static IP address Gateway field. 2 Access Proventia Manager. 3 Assign all unique IP addresses to the appliance. Note: ISS recommends that you use the HA interface of the alternate node as the gateway. You can also add and configure any additional external interfaces or internal interfaces, such as a DMZ interface. 4 Create the Address Name network objects, as described in High Availability Access and NAT Policies. 5 Add required HA access polices and NAT policy: Allow policy synchronization over HA network Allow UDP heartbeat on all enabled interfaces Allow updates 6 Add the required Source NAT Rule to provide source NAT address for the secondary appliance. 7 If you have created firewall policies or rules that use a static IP address, then you must revise those policies or rules to use the HA virtual IP addresses. In the case of access policies, IPSEC policies, NAT policies, or proxy redirection rules, change any IP address information that references a static interface address to one of the virtual IP addresses, or disable the policy, as appropriate. You must remove and then re-add conflicting security gateways. Note: If Source or Destination NAT Rules reference a static IP address (physical interface), you must change the IP address for the rule to match the virtual IP address of that interface. Table 4: HA primary appliance configuration tasks Task Overview: Configuring the secondary HA appliance To configure the secondary appliance, perform the following tasks: Task 1 On the secondary appliance, perform initial network connection and use the Proventia Setup Utility to complete configuration steps. IMPORTANT: Configure only your internal (INT0) and external (EXT1) interfaces. 2 Connect network connections for the secondary appliance to your internal and external network interfaces. Connect both appliances using a crossover cable to each HA interface (eth2 or greater). This is your heartbeat communication connection. You must use the same port on the same appliance model. 3 Access the Proventia Manager. Table 5: Tasks for configuring the secondary appliance Contents of document subject to change. 9

10 Task 4 Assign all unique IP addresses to the appliance. You can also add and configure any additional external interfaces or internal interfaces, such as a DMZ interface. 5 Create the Address Name network objects, as described in High Availability Access and NAT Policies topic in the Help or the Proventia M Series Appliances User Guide. 6 Add the first two required HA access policies: Allow policy synchronization over the HA network Allow UDP heartbeat on all enabled interfaces For the secondary appliance, you are not required to add the access policy to allow updates or the Source NAT Rule, because the first two access policies allow HA functionality. The secondary appliance can receive the third access policy to allow updates and the Source NAT Rule from the primary appliance after you enable HA. 7 Add the required Source NAT Rule to provide source NAT address for the secondary appliance. 8 If you have created firewall policies or rules that use a static IP address, then you must revise those policies or rules to use the HA virtual IP addresses. In the case of access policies, IPSEC policies, NAT policies, or proxy redirection rules, change any IP address information that references a static interface address to one of the virtual IP addresses, or disable the policy, as appropriate. You must remove and then re-add conflicting security gateways. If Source or Destination NAT Rules reference a static IP address (physical interface), you must change the IP address for the rule to match the virtual IP address of that interface. The Hide NAT Source Rule is enabled by default. This Many-to-One configuration translates all non-routable IP addresses to the IP address of the eth1 interface. If you use the high availability feature, you must edit the Hide NAT Source Rule. On the Translated Address tab, change the IP address entry to the virtual IP address for the HA cluster. 9 Log out of the secondary appliance. Table 5: Tasks for configuring the secondary appliance (Continued) Task Overview: Enabling HA To enable HA, perform the following tasks: Task 1 Use the primary appliance unique internal IP address to connect to the Proventia Manager interface. Important: Do not use the virtual IP address. Enable and configure HA only on the primary appliance. 2 Expand System node, select High Availability, select the Base Configuration tab, Select the HA Enabled check box. 3 Complete the required settings on the Base Configuration tab, provide the virtual IP address, provide the static IP addresses of the secondary appliance on the Alternate Node Interface tab 4 Configure Monitor IP Addresses, and click Save Changes. Table 6: Enabling HA Contents of document subject to change.doc-add-provisam-002-a 10

11 Task Overview for High Availability Configuration Task 5 Go to the System Status area on the Home Page and make sure that the High Availability Active Status is Running. 6 If your secondary appliance is already registered with SiteProtector Agent Manager, unregister the secondary appliance from the SiteProtector Agent Manager. 7 Configure SiteProtector management (optional). Table 6: Enabling HA Task Overview: Disabling HA To disable HA, complete the following tasks: Task 1 Use the one of the following to connect to the Proventia Manager interface on the primary appliance: the static IP address of the primary appliance the virtual IP address of the cluster 2 Expand System node, select High Availability, select the Base Configuration tab. 3 Clear the HA Enabled check box, and then click Save Changes. 4 Go to the System Status area on the Home Page and make sure that the High Availability Active Status is Stopped. Table 7: Task Overview: Disabling HA When to use virtual IP addresses Perform management tasks on your high availability appliances using the virtual IP addresses only. Use the static interface IPs when you must connect to each appliance individually to install firmware updates, perform a system backup, or restore from a system backup. Copyright , Internet Security Systems, Inc. All rights reserved worldwide. Internet Security Systems, the Internet Security Systems logo, Proventia and SiteProtector are trademarks of Internet Security Systems, Inc. Other marks and trade names mentioned are marks and names of their owners as indicated. All marks are the property of their respective owners and used in an editorial context without intent of infringement. Specifications and content are subject to change without notice. Contents of document subject to change. 11

12 Contents of document subject to change.doc-add-provisam-002-a 12