: Configure Active/Passive HA on AWS Using a Secondary IP
Focus
Focus

Configure Active/Passive HA on AWS Using a Secondary IP

Table of Contents
End-of-Life (EoL)

Configure Active/Passive HA on AWS Using a Secondary IP

Complete the following procedure to deploy new VM-Series firewalls as an HA pair with secondary IP addresses.
All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.
  1. Before you deploy the VM-Series firewalls for you HA pair, ensure the following:
    • Refer to the VPC Planning Worksheet to ensure that your VPC is prepared for the VM-Series firewall.
    • Secondary IP Move HA requires VM-Series plugin 2.0.1 or later.
    • Deploy both HA peers in the same AWS availability zone.
      Starting with VM-Series plugin 2.0.3, you can deploy the HA peers in different availability zones. Although this type of deployment is not recommended, it is supported.
    • Create an IAM role and assign the role to the VM-Series firewalls when you deploy the instances.
    • The active and passive firewalls must have at least four interfaces each—a management interface, an HA2 interface, an untrust interface, and a trust interface. Additionally, the trust and untrust interfaces on the active firewall must assigned a secondary IP address.
      The management interface must be used as the HA1 interface.
    • Verify that the network and security components are defined suitably.
      • Enable communication to the internet. The default VPC includes an internet gateway, and if you install the VM-Series firewall in the default subnet it has access to the internet.
      • Create subnets. Subnets are segments of the IP address range assigned to the VPC in which you can launch the EC2 instances. The VM-Series firewall must belong to the public subnet so that it can be configured to access the internet.
      • Create a data security group that includes the firewall data interfaces. Additionally, configure the security to allow all traffic (0.0.0.0/0), so security is enforced by the firewalls. This is required to maintain existing sessions during failover.
      • Add routes to the route table for a private subnet to ensure that traffic can be routed across subnets and security groups in the VPC, as applicable.
    • If you are bootstrapping the firewall, create the necessary S3 bucket containing the required bootstrap files.
    1. If your VM-Series firewalls do not have the VM-Series plugin 2.0.1 or later installed, upgrade the plugin before continuing.
    2. Configure ethernet 1/1 as the HA2 interface on each HA peer.
      1. Open the Amazon EC2 console.
      2. Select Network Interface and then choose then select your network interface.
      3. Select
        Actions
        Manage IP Addresses.
      4. Leave the field blank to allow AWS to assign an IP address dynamically or enter an IP address within the subnet range for the VM-Series firewall.
      5. Click
        Yes
        and
        Update
        .
      6. Select
        Actions
        Change Source/Dest. Check
        and select
        Disable
        .
      7. Repeat this process on the second (to be passive) HA peer.
    3. Add a secondary IP address to your dataplane interfaces on the first (to be active) HA peer.
      1. Select
        Network Interface
        and then choose then select your network interface.
      2. Select
        Actions
        Manage IP Addresses
        IPv4 Addresses
        Assign new IP
        .
      3. Leave the field blank to allow AWS to assign an IP address dynamically or enter an IP address within the subnet range for the VM-Series firewall.
      4. Click
        Yes
        and
        Update
        .
    4. Associate a secondary Elastic (public) IP address with the untrust interface of the active peer.
      1. Select
        Elastic IPs
        and then choose then select the Elastic IP address to associate.
      2. Select
        Actions
        Associate Elastic IP
        .
      3. Under
        Resource Type
        , select
        Network Interface
        .
      4. Chose the network interface with which to associate the Elastic IP address.
      5. Click
        Associate
        .
    5. For outbound traffic inspection, add an entry to the subnet route table that sets the next hop as the firewall trust interface.
      1. Select
        VPC
        Route Tables
        .
      2. Choose your subnet route table.
      3. Select
        Actions
        Edit routes
        Add route
        .
      4. Enter the
        Destination
        CIDR Block or IP address.
      5. For
        Target
        , enter the network interface of the firewall trust interface.
      6. Click
        Save routes
        .
    6. To use AWS Ingress Routing, create a route table and associate the internet gateway to it. Then add an entry with the next hop set as the active firewall untrust interface.
      1. Select
        Route Tables
        Create route table
        .
      2. (
        Optional
        ) Enter a descriptive
        Name tag
        for your route table.
      3. Click
        Create
        .
      4. Click your route table and select
        Actions
        Edit edge associations
        .
      5. Select
        Internet gateways
        and choose your VPC internet gateway.
      6. Click
        Save
        .
      7. Click your route table and select
        Actions
        Edit routes
        .
      8. For the
        Target
        , select
        Network Interface
        and choose the untrust interface of the active firewall.
      9. Click
        Save routes
        .
  2. Configure the interfaces on the firewall. You must configure the HA2 data link and at least two Layer 3 interfaces for your untrust and trust interfaces. Complete this workflow on the first HA peer and then repeat the steps on the second HA peer.
    1. Log in to the firewall web interface.
    2. Select
      Network
      Interfaces
      Ethernet
      and click on your untrust interface. In this example, the HA2 interface is 1/1, the trust interface is ethernet 1/2, and the untrust interface is ethernet 1/3.
    3. Click the link for
      ethernet 1/1
      and configure as follows:
      • Interface Type
        :
        HA
    4. Click the link for
      ethernet 1/2
      and configure as follows:
      • Interface Type
        :
        Layer3
      • On the
        Config
        tab, assign the interface to the default router.
      • On the
        Config
        tab, expand the
        Security Zone
        drop-down and select
        New Zone
        . Define a new zone, for example trust-zone, and then click
        OK
        .
      • On the
        IPv4
        tab, select
        DHCP Client
        .
      • Check
        Enable
        .
      • On the untrust interface, check
        Automatically create default route pointing to default gateway provided by server
        . This option tells the firewall to create a static route to a default gateway.
      • Repeat these steps for ethernet 1/3.
    5. Repeat the above steps on the passive peer.
  3. Enable HA.
    1. Select
      Device
      High Availability
      General
      .
    2. Edit the Setup settings.
    3. Enter the private IP address of the passive peer in the
      Peer HA1 IP address field
      .
    4. Click
      OK
      .
    5. Edit the
      Election Settings
      to specify a particular firewall to be the active peer. Enter a lower numerical
      Device Priority
      value on the active firewall. If both firewalls have the same Device Priority value, the firewall with the lowest MAC value on the HA1 control becomes the active firewall.
      Enabling preemption is not recommended.
    6. Click
      OK
      .
    7. Commit
      your changes.
    8. Repeat the above steps on the passive peer.
  4. Set up the Control Link (HA1) to use the management port.
    1. Select
      Device
      High Availability
      General
      , and edit the Control Link (HA1) section.
    2. (
      Optional
      ) Select
      Encryption Enabled
      , for secure HA communication between the peers. To enable encryption, you must export the HA key from a device and import it into the peer device.
      1. Select
        Device
        Certificate Management
        Certificates
        .
      2. Select
        Export HA key
        . Save the HA key to a network location that the peer device can access.
      3. On the peer device, navigate to
        Device
        Certificate Management
        Certificates
        , and select
        Import HA key
        to browse to the location that you saved the key and import it in to the peer device.
  5. Set up the Data Link (HA2) to use ethernet1/1.
    1. Select
      Device
      High Availability
      General
      , edit the Data Link (HA2) section.
    2. Select
      Port
      ethernet1/1.
    3. Enter the IP address for ethernet1/1. This IP address must be the same that assigned to the ENI on the EC2 Dashboard.
    4. Enter the
      Netmask
      .
    5. Enter a
      Gateway
      IP address if the HA1 interfaces are on separate subnets.
    6. Select
      IP
      or
      UDP
      for
      Transport
      . Use
      IP
      if you need Layer 3 transport (IP protocol number 99). Use
      UDP
      if you want the firewall to calculate the checksum on the entire packet rather than just the header, as in the IP option (UDP port 29281).
    7. (
      Optional
      ) Modify the
      Threshold
      for
      HA2 Keep-alive
      packets. By default,
      HA2 Keep-alive
      is enabled for monitoring the HA2 data link between the peers. If a failure occurs and this threshold (default is 10000 ms) is exceeded, the defined action will occur. A critical system log message is generated when an HA2 keep-alive failure occurs.
      You can configure the
      HA2 keep-alive
      option on both devices, or just one device in the HA pair. If you enable this option on one device, only that device will send the keep-alive messages.
  6. After your finish configuring HA on both firewalls, verify that the firewalls are paired in active/passive HA.
    1. Access the
      Dashboard
      on both firewalls and view the High Availability widget.
    2. On the active HA peer, click
      Sync to peer
      .
    3. Confirm that the firewalls are paired and synced.
      • On the passive firewall: the state of the local firewall should display
        Passive
        and the
        Running Config
        should show as Synchronized.
      • On the active firewall: the state of the local firewall should display
        Active
        and the
        Running Config
        should show as Synchronized.
    4. From the firewall command line interface, execute the following commands:
      • To verify failover readiness:
        show plugins vm_series aws ha state
      • To show secondary IP mapping:
        show plugins vm_series aws ha ips

Recommended For You