Migrate Active/Passive HA on AWS to Secondary IP Mode

Learn how to migrate the VM-Series firewall HA pair on AWS from interface-move mode to secondary-IP mode.
Complete the following procedure to migrate your existing VM-Series firewall HA pair from interface-move HA to secondary-IP HA.
Secondary IP Move HA requires VM-Series plugin 2.0.1 or later.
  1. Upgrade the VM-Series Plugin on the passive HA peer and then the active peer.
  2. Create a secondary IP address for all data interfaces on the active peer.
    1. Log in to the AWS EC2 console.
    2. Select Network Interface and then select your network interface.
    3. Select Actions > Manage IP Addresses > IPv4 Addresses > Assign new IP.
    4. Leave the field blank to allow AWS to assign an IP address dynamically, or enter an IP address within the subnet range for the VM-Series firewall.
    5. Click Yes and Update.
  3. Associate a secondary Elastic (public) IP address with the untrust interface of the active peer.
    1. Log in to the AWS EC2 console.
    2. Select Elastic IPs and then select the Elastic IP address to associate.
    3. Select Actions > Associate Elastic IP.
    4. Under Resource Type, select Network Interface.
    5. Choose the network interface with which to associate the Elastic IP address.
    6. Click Associate.
  4. Create a route table and associate it with the subnet containing the trust interface.
    1. Select Route Tables > Create route table.
    2. (Optional) Enter a descriptive Name tag for your route table.
    3. Select your VPC.
    4. Click Create.
    5. Select Subnet Associations > Edit subnet associations.
    6. Select the Associate checkbox for the subnet containing the trust interface.
    7. Click Save.
  5. Update the IAM roles with the additional actions, permissions, and resources required to migrate to secondary IP move HA.
    IAM Action, Permission, or Resource: Description
    AssociateAddress: Permission to move public IP addresses associated with the primary IP addresses from the passive to the active interfaces.
    AssignPrivateIpAddresses: Permission to move secondary IP addresses and their associated public IP addresses from the passive to the active interfaces.
    UnassignPrivateIpAddress: Permission to unassign secondary IP addresses and their associated public IP addresses from interfaces on the active peer.
    DescribeRouteTables: Permission to retrieve all route tables associated with the VM-Series firewall instances.
    ReplaceRoute: Permission to update the AWS route table entries.
    GetPolicyVersion: Permission to retrieve AWS policy version information.
    GetPolicy: Permission to retrieve AWS policy information.
    ListAttachedRolePolicies: Permission to retrieve the list of all managed policies attached to a specified IAM role.
    ListRolePolicies: Permission to retrieve a list of the names of inline policies embedded in a specified IAM role.
    GetRolePolicy: Permission to retrieve a specified inline policy embedded in a specified IAM role.
    policy: Permission to access the IAM policy Amazon Resource Name (ARN).
    role: Permission to access the IAM role ARN.
    route-table: Permission to access the route table ARN.
    Wild card (*): In the ARN field, use * as a wild card.
  6. Create new interfaces (ENIs) on the passive firewall in the same subnets as the active firewall data interfaces.
    Do not assign secondary IP addresses to these new interfaces.
    1. Open the Amazon EC2 console.
    2. Select Network Interfaces > Create Network Interfaces.
    3. Enter a descriptive Name for your new interface.
    4. Under Subnet, select the subnet of the untrust interface of the active firewall.
    5. Under Private IP, leave the field blank to allow AWS to assign an IP address dynamically, or enter an IP address within the subnet range for the untrust interface of the active firewall.
    6. Under Security groups, select one or more security groups.
    7. Select Yes and Create.
    8. Select Actions > Change Source/Dest. Check and select Disable.
    9. Repeat these steps for the subnet of the trust interface of the active firewall.
  7. Attach the new ENIs to the passive firewall instance. You must attach these ENIs to the passive firewall in the correct order, because the secondary IP HA method relies on the network interface index assigned by AWS. For example, if eth1/2 on the active firewall is in subnet A and eth1/3 is in subnet B, you must attach the interface in subnet A before the interface in subnet B. In this example, AWS has assigned an index value of 2 to eth1/2 and a value of 3 to eth1/3; this indexing must match on both peers for failover to succeed.
    1. To attach the ENIs created above, select the untrust interface you created and click Attach.
    2. Select the Instance ID of the passive firewall and click Attach.
    3. Repeat these steps for the trust interface.
  8. Log in to the passive firewall and set the interfaces to obtain their IP addresses through DHCP.
    1. Log in to the passive VM-Series firewall web interface.
    2. Select Network > Interfaces.
    3. Click the first data interface.
    4. Select IPv4.
    5. Select DHCP Client.
    6. On the untrust interface only, select Automatically create default route pointing to default gateway provided by server.
    7. Click OK.
    8. Repeat this process for each data interface.
  9. If you have configured any NAT policies on the VM-Series firewall that reference the private IP addresses of the data interfaces, update those policies to reference the newly assigned secondary IP addresses instead.
    1. Access the web interface of the active VM-Series firewall.
    2. Select Policies > NAT.
    3. Click the NAT policy rule to be modified and then Translated Packet.
    4. Under Translated Address, click Add and enter the secondary IP address created in AWS.
    5. Delete the primary IP address.
    6. Click OK.
    7. Repeat these steps as necessary.
    8. Commit your changes.
  10. Enable secondary IP HA failover mode.
    1. Access the VM-Series firewall CLI on the active peer.
    2. Execute the following command:
      request plugins vm_series aws ha failover-mode secondary-ip
    3. Commit your changes.
    4. Confirm your HA mode by executing the following command:
      show plugins vm_series aws ha failover-mode
    5. Repeat these commands on the passive peer.
  11. After you finish configuring HA on both firewalls, verify that the firewalls are paired in active/passive HA.
    1. Access the Dashboard on both firewalls and view the High Availability widget.
    2. On the active HA peer, click Sync to peer.
    3. Confirm that the firewalls are paired and synced.
      • On the passive firewall: the state of the local firewall should display Passive and the Running Config should show as Synchronized.
      • On the active firewall: the state of the local firewall should display Active and the Running Config should show as Synchronized.
    4. From the firewall command line interface, execute the following commands:
      • To verify failover readiness:
        show plugins vm_series aws ha state
      • To show the secondary IP mapping:
        show plugins vm_series aws ha ips
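The permissions listed in step 5, written out as one least-privilege IAM policy document. This is an added example, not a policy published by Palo Alto Networks: the EC2 actions use the wild card resource as step 5 directs, the IAM actions are scoped to the firewall's own role and policy ARNs, ReplaceRoute is scoped to the trust-subnet route table created in step 4, and the unassign permission uses the actual IAM action name, which is the plural ec2:UnassignPrivateIpAddresses. The angle-bracket values (region, account ID, route table ID, role and policy names) are placeholders to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MoveSecondaryAndElasticIPsBetweenPeers",
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateAddress",
        "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignPrivateIpAddresses",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Sid": "UpdateTrustSubnetRouteTableOnly",
      "Effect": "Allow",
      "Action": "ec2:ReplaceRoute",
      "Resource": "arn:aws:ec2:<REGION>:<ACCOUNT_ID>:route-table/<TRUST_ROUTE_TABLE_ID>"
    },
    {
      "Sid": "ReadOwnRoleAndAttachedPolicies",
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::<ACCOUNT_ID>:role/<VM_SERIES_HA_ROLE_NAME>",
        "arn:aws:iam::<ACCOUNT_ID>:policy/<VM_SERIES_HA_POLICY_NAME>"
      ]
    }
  ]
}
```

Attach the policy to the instance role used by both HA peers; if the plugin reports a permission failure after the migration, compare the failing action and resource against these three statements before widening any of them to *.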