Configure Active/Passive HA on OCI

You can configure a pair of VM-Series firewalls on OCI in an active/passive high availability (HA) configuration. To ensure uptime in an HA setup on OCI, you must create a secondary, floating IP address that can quickly move from one peer to the other. When the active firewall goes down, the floating IP address moves from the active to the passive firewall so that the passive firewall can seamlessly secure traffic as soon as it becomes the active peer. In addition to the floating IP address, the HA peers also need HA links, a control link (HA1) and a data link (HA2), to synchronize data and maintain state information.

[Figure: oci-ha-deployment.png]

To allow the firewalls to move the floating IP address upon failover, you must place the firewall instances in a dynamic group on OCI. Dynamic groups allow you to group the firewall instances as principal actors and create policy that allows the instances in the dynamic group to make API calls against OCI services. You will use matching rules to add the HA peer instances to the dynamic group and then create the policy that allows them to move the floating IP from one VNIC to another.
Both VM-Series firewalls in the HA pair must have the same number of network interfaces. Each firewall requires a minimum of four interfaces: management, untrust, trust, and HA. You can configure additional data interfaces as required by your deployment.
  • Management interface: the private and public IP addresses associated with the primary interface. You can use the private IP address on the management interface as the IP address for the HA1 interface between the peers. If you want a dedicated HA interface, you must attach an additional interface to each firewall, for a total of five interfaces each.
  • Untrust and trust interfaces: each of these data interfaces on the active HA peer requires a primary and a secondary IP address. Upon failover, when the passive HA peer transitions to the active state, the secondary private IP address is detached from the previously active peer and attached to the now active HA peer.
  • HA2 interface: this interface has a single private IP address on each HA peer. The HA2 interface is the data link the peers use to synchronize sessions, forwarding tables, IPsec security associations, and ARP tables.
  1. Deploy the VM-Series Firewall From the Oracle Cloud Marketplace and set up the network interfaces for HA.
    1. (Optional) Configure a dedicated HA1 interface on each HA peer.
      1. From the OCI Console, select Compute > Instances and click on the name of your active peer instance.
      2. Select Attached VNICs and click Create VNIC.
      3. Enter a descriptive name for your HA1 interface.
      4. Select the VCN and subnet.
      5. Enter a private IP address.
      6. Click Create VNIC.
      7. Repeat this process on your passive peer instance.
    2. Configure an HA2 interface on each HA peer.
      1. From the OCI Console, select Compute > Instances and click on the name of your active peer instance.
      2. Select Attached VNICs and click Create VNIC.
      3. Enter a descriptive name for your HA2 interface.
      4. Select the VCN and subnet. The HA2 interface should be on a separate subnet from your data interfaces.
      5. Enter a private IP address.
      6. Click Create VNIC.
      7. Repeat this process on your passive peer instance.
    3. Add a secondary IP address to your dataplane interfaces on the active peer.
      1. From the OCI Console, select Compute > Instances and click on the name of your active peer instance.
      2. Select Attached VNICs and click on your untrust VNIC.
      3. Select IP Addresses and click Assign Private IP Address.
      4. Enter the IP address and click Assign.
      5. Repeat this procedure for each dataplane interface on your active peer.
  2. Create security rules to allow the HA peers to synchronize data and maintain state information. By default, OCI allows ICMP traffic only. You must open the necessary HA ports.
    1. Open the ports for your HA1 interface.
      1. From the OCI Console, select Networking > Virtual Cloud Networks and select your VCN.
      2. Select Subnets and select the subnet containing your HA1 interface.
      3. Select Security Lists and click the default security list to edit it.
      4. Click Add Ingress Rule.
      5. Enter the Source CIDR that includes the HA peer HA1 port IP address.
      6. Select TCP from the IP Protocol drop-down.
      7. Click +Additional Ingress Rule. You need to create two additional rules for TCP ports 28260 and 28769.
      8. If encryption is enabled on your VM-Series firewall for the HA1 link, create additional rules for ICMP and TCP port 28.
      9. Click Add Ingress Rules.
      [Figure: oci-add-ha-ingress-rule.png]
    2. Open the ports for your HA2 interface.
      1. From the OCI Console, select Networking > Virtual Cloud Networks and select your VCN.
      2. Select Subnets and select the subnet containing your HA2 interface.
      3. Select Security Lists and click the default security list to edit it.
      4. Click Add Ingress Rule.
      5. Enter the Source CIDR that includes the HA peer HA2 port IP address.
      6. Select UDP or IP from the IP Protocol drop-down.
      7. If the transport mode is UDP, enter 29281 into Source Port Name. If the transport mode is IP, enter 99 into Source Port Name.
      8. Click Add Ingress Rules.
      [Figure: oci-add-ha-ingress-rule-udp.png]
  3. Add both HA peers to a dynamic group and create policy that allows the HA peers to move the floating IP address. You must have the OCID of each HA peer instance to build the dynamic group matching rules, so have those on hand to paste into the rule builder.
    1. Create the dynamic group.
      1. From the OCI Console, select Identity > Dynamic Groups > Create Dynamic Group.
      2. Enter a descriptive Name for your dynamic group.
      3. Click Rule Builder.
      4. Select Any of the following rules from the first drop-down.
      5. Select Match instances with ID: from the Attributes drop-down and paste one of the peer OCIDs into the Value field.
      6. Click +Additional Line.
      7. Select Match instances with ID: from the Attributes drop-down and paste the other peer OCID into the Value field.
      8. Click Add Rule.
        [Figure: oci-create-matching-rule.png]
      9. Click Create Dynamic Group.
    2. Create the policy rule.
      1. From the OCI Console, select Identity > Policies > Create Policy.
      2. Enter a descriptive Name for your policy.
      3. Enter the first policy statement.
        Allow dynamic-group <dynamic_group_name> to use virtual-network-family in compartment <compartment_name>
      4. Click +Another Statement.
      5. Enter the second policy statement.
        Allow dynamic-group <dynamic_group_name> to use instance-family in compartment <compartment_name>
      6. Click Create.
        [Figure: oci-create-ha-policy.png]
  4. Configure the interfaces on the firewall. You must configure the HA2 data link and at least two Layer 3 interfaces for your untrust and trust interfaces. Complete this workflow on the first HA peer and then repeat the steps on the second HA peer.
    1. Log in to the firewall web interface.
    2. (Optional) If you are using the management interface as HA1, you must set the interface IP Type to static and configure a DNS server.
      1. Select Device > Setup > Interfaces > Management.
      2. Set the IP Type to Static.
      3. Enter the private IP address of the primary VNIC of your VM-Series firewall instance.
      4. Click OK.
      5. Select Device > Setup > Services.
      6. Click Edit.
      7. Enter the IP address of the Primary DNS Server.
      8. Click OK.
      9. Commit your changes.
    3. Select Network > Interfaces > Ethernet and click on your untrust interface. In this example, the HA2 interface is ethernet 1/1, the trust interface is ethernet 1/2, and the untrust interface is ethernet 1/3.
    4. Click the link for ethernet 1/1 and configure as follows:
      • Interface Type: HA
    5. Click the link for ethernet 1/2 and configure as follows:
      • Interface Type: Layer3
      • On the Config tab, assign the interface to the default router.
      • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example trust-zone, and then click OK.
      • On the IPv4 tab, select Static.
      • Click Add in the IP section and enter the primary IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in the VCN. For example, if you add this interface to your trust zone, make sure you assign the trust VNIC IP address configured in your VCN.
      • Click Add in the IP section and enter the secondary, floating IP address and network mask.
    6. Click the link for ethernet 1/3 and configure as follows:
      • Interface Type: Layer3
      • On the Config tab, assign the interface to the default router.
      • On the Config tab, expand the Security Zone drop-down and select New Zone. Define a new zone, for example untrust-zone, and then click OK.
      • On the IPv4 tab, select Static.
      • Click Add in the IP section and enter the primary IP address and network mask for the interface. Make sure that the IP address matches the IP address that you assigned to the corresponding subnet in the VCN. For example, if you add this interface to your untrust zone, make sure you assign the untrust VNIC IP address configured in your VCN.
      • Click Add in the IP section and enter the secondary, floating IP address and network mask.
  5. Enable HA.
    1. Select Device > High Availability > General.
    2. Edit the Setup settings.
    3. Enter the private IP address of the passive peer in the Peer HA1 IP address field.
    4. Click OK.
      [Figure: oci-ha-setup.png]
    5. (Optional) Edit the Control Link (HA1). If you do not plan to use the management interface for the control link and have added an additional interface (for example ethernet 1/4), edit this section to select the interface to use for HA1 communication.
    6. Edit the Data Link (HA2) to use Port ethernet 1/1 and add the IP address of the active peer and the Gateway IP address for the subnet.
    7. Select IP or UDP from the Transport drop-down. Ethernet is not supported.
      [Figure: oci-config-ha2.png]
    8. Click OK.
  6. Commit your changes.
  7. Repeat step 4 and step 5 on the passive HA peer.
  8. After you finish configuring HA on both firewalls, verify that the firewalls are paired in active/passive HA.
    1. Access the Dashboard on both firewalls and view the High Availability widget.
    2. On the active HA peer, click Sync to peer.
    3. Confirm that the firewalls are paired and synced.
      • On the passive firewall, the state of the local firewall should display Passive and the Running Config should show as Synchronized.
      • On the active firewall, the state of the local firewall should display Active and the Running Config should show as Synchronized.
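As an added check before you enable HA (example code written for this page, not from the page itself or from Palo Alto Networks), the following Python evaluates security-list ingress rules in the shape OCI's API returns them against the HA1 and HA2 port requirements from step 2, so a missing or mis-scoped rule is caught before the peers fail to pair. The sample rules and CIDRs are constructed, and ports are matched against each rule's destinationPortRange, which is an assumption about how the rules were entered.

```python
import ipaddress

# HA ports from the procedure above: HA1 control link = TCP 28260 and 28769
# (plus ICMP and TCP 28 when HA1 encryption is on); HA2 data link = UDP 29281
# or IP protocol 99. Rule dicts follow the shape of OCI security-list ingress
# rules: "protocol" is an IANA number string ("6" TCP, "17" UDP, "1" ICMP,
# "99") or "all", and TCP/UDP ports live in tcpOptions/udpOptions.
HA1_TCP_PORTS = (28260, 28769)
HA1_ENCRYPTED_TCP_PORT = 28
HA2_UDP_PORT = 29281
HA2_IP_PROTOCOL = "99"

def _allows(rule, peer_ip, proto, port=None):
    """True if the ingress rule admits proto (and port, for TCP/UDP) from peer_ip.
    Ports are checked against destinationPortRange; no range means all ports."""
    try:
        net = ipaddress.ip_network(rule["source"], strict=False)
    except ValueError:  # a service label or malformed CIDR never matches a peer IP
        return False
    if ipaddress.ip_address(peer_ip) not in net or rule.get("protocol") not in (proto, "all"):
        return False
    if port is None or rule["protocol"] == "all":
        return True
    rng = (rule.get("tcpOptions" if proto == "6" else "udpOptions") or {}).get("destinationPortRange")
    return rng is None or rng["min"] <= port <= rng["max"]

def missing_ha1(rules, peer_ip, encrypted=False):
    """Return the (protocol, port) pairs the HA1 subnet still lacks for peer_ip."""
    needed = [("6", p) for p in HA1_TCP_PORTS]
    if encrypted:
        needed += [("6", HA1_ENCRYPTED_TCP_PORT), ("1", None)]
    return [n for n in needed if not any(_allows(r, peer_ip, *n) for r in rules)]

def ha2_ok(rules, peer_ip, transport):
    """True if the HA2 subnet admits the chosen transport ("udp" or "ip") from peer_ip."""
    if transport == "udp":
        return any(_allows(r, peer_ip, "17", HA2_UDP_PORT) for r in rules)
    return any(_allows(r, peer_ip, HA2_IP_PROTOCOL) for r in rules)

# Constructed sample rules, as the lists look after step 2 without encrypted HA1.
SAMPLE_HA1_RULES = [
    {"source": "10.0.0.0/24", "protocol": "6",
     "tcpOptions": {"destinationPortRange": {"min": 28260, "max": 28260}}},
    {"source": "10.0.0.0/24", "protocol": "6",
     "tcpOptions": {"destinationPortRange": {"min": 28769, "max": 28769}}},
]
SAMPLE_HA2_RULES = [
    {"source": "10.0.3.0/24", "protocol": "17",
     "udpOptions": {"destinationPortRange": {"min": 29281, "max": 29281}}},
]
```

With the sample lists, `missing_ha1(SAMPLE_HA1_RULES, "10.0.0.12", encrypted=True)` reports the ICMP and TCP 28 rules that step 2.1.8 requires once HA1 encryption is turned on, and `ha2_ok(SAMPLE_HA2_RULES, "10.0.3.7", "ip")` is false because only the UDP transport was opened.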
