When configuring VRF for two CC-managed firewalls, the box-level configuration for both firewalls must be identical, except for the Network, Box Properties, and Licensing pages. Furthermore, the names of all virtual router instances and the VR Instance IDs must match on both firewalls.
Before You Begin
Verify that two firewalls are configured to be controlled by the Control Center for operating in high availability mode. For more information, see How to Configure a High Availability Cluster for Managed CloudGen Firewalls.
Verify that your primary firewall is configured for running at least one virtual router instance. For more information, see How to Configure and Activate a Virtual Router Instance with Hardware, Virtual, VLAN, or Bundled Interfaces.
The following example assumes that there is already one virtual router instance configured on the primary firewall that serves as the basis for managing the VRF configuration for both HA partners using a repository entry. The name of the VR instance is VR01 and its ID is 1. If multiple virtual router instances are configured, you must execute the following steps for each additional virtual router instance. In this setup, the firewall service will be transparent to the additional virtual router instance only if authenticated users are not defined. All other services are not available to the additional virtual router. For more information on which services are available for additional virtual instances, see Virtual Routing and Forwarding (VRF).
Step 1. Create a Cluster Repository
- Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster.
- From the list, select Create Repository.
- Click + to expand the Cluster Repository node.
- Click + to expand the Box node.
- Click Activate.
- The Activate Changes window is displayed.
- Click Activate.
Step 2. Create a Network Node in the Repository
Because there is already a VR instance running on the primary firewall, the configuration will serve as a template to create a repository node.
- Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your primary HA box > Network.
- From the list, select Lock.
- Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your primary HA box > Network.
- From the list, select Copy to Cluster Repository....
- The Select Object window is displayed.
- Enter a name for the new repository object, e.g., NetworkHA.
- Click OK.
- Click Activate.
- The Activate Changes window is displayed.
- Click Activate.
Step 3. Create a Virtual Router Instance Node in the Repository
A clean VR instance template is required for configuring the VR instance that will feed both HA partners with network configuration information.
- Right-click Cluster Repository > Network.
- From the list, select Lock.
- Right-click Cluster Repository > Network.
- In the list, select Create VR Instance.
- The Create a new VR Instance window is displayed.
- Enter the same name for the new repository entry as for your VR instance on your primary box, e.g., VR01.
- Click OK.
- Click Activate.
- The Activate Changes window is displayed.
- Click Activate.
Step 4. Copy VR Instance Data from the Primary Box to the VR Instance Cluster Node
The configuration of the VR instance on the primary firewall is the basis for the repository entry that must be identical for both HA partners. The interface and routing configuration must be transferred to the VR instance node in the repository.
- Go to CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your primary HA box > Network > VR Instance [ your virtual router instance ].
- The VR Instance configuration of the primary box is displayed.
- Click Lock.
- Go to CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Cluster Repository > Box > Network > VR Instance [ your virtual router instance ].
- The recently created VR Instance entry is displayed.
- Click Lock.
- In the ribbon bar, click VR Instance [ your virtual router instance ].
- In the left menu, click IP Configuration.
- The Configure IP Addresses window is displayed.
- Click the clipboard icon, and then click Copy to Clipboard.
- In the ribbon bar, click VR Instance [ your virtual router instance ] - your cluster.
- In the left menu, select IP Configuration.
- The Configure IP Addresses window is displayed.
- Click the clipboard icon, and then click Replace With Clipboard.
- In the ribbon bar, click VR Instance [ your virtual router instance ].
- In the left menu, click Routing.
- The Configure IP Addresses window is displayed.
- Click the clipboard icon, and then click Copy to Clipboard.
- In the ribbon bar, click VR Instance [ your virtual router instance ] - your cluster.
- In the left menu, select Routing.
- The Configure IP Addresses window is displayed.
- Click the clipboard icon, and then click Replace With Clipboard.
- Click Send Changes.
- Click Activate.
Step 5. Create a VR Instance Node for the Secondary Box
- Go to CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your secondary HA box.
- Right-click Network.
- From the list, select Create VR Instance.
- The Create a new VR Instance window is displayed.
- Enter the same name for the virtual instance as already configured for your primary box, e.g., VR01.
- Click OK.
- Click Activate.
- The Activate Changes window is displayed.
- Click Activate.
Step 6. Link the Common Network Repository Nodes to Both HA Partners
- Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your primary HA box > Network.
- From the list, select Lock.
- Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your primary HA box > Network.
- From the list, select Link Override from Cluster Repository.
- The Select Object window is displayed.
- In the tree inside of the window, select the network node that you created in your repository before, e.g., NetworkHA.
- Click OK.
- Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your secondary HA box > Network.
- Click Lock.
- Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your secondary HA box > Network.
- From the list, select Link Override from Cluster Repository.
- The Select Object window is displayed.
- In the tree inside of the window, select the network node that you created in your repository before, e.g., NetworkHA.
- Double-click the link to the repository you just created.
- For the Management IP (MIP), click the clipboard icon to the right of the edit field and select Override Entry.
- Enter the original Management IP (MIP) of the secondary box into the edit field.
- Click Send Changes.
- Click Activate.
- The Activate Changes window is displayed.
- Click Activate.
Step 7. Re-activate the New Network Configuration on Your Secondary HA Firewall
- Log in to your secondary HA firewall.
- Go to CONTROL > Box.
- In the left menu bar, expand Network.
- Click Activate new network configuration.
- The Network Activation window is displayed.
- Click Failsafe.
Step 8. Link the VR Instance Node from the Repository to the Corresponding Nodes for Both Firewalls
- Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your primary HA box > Network > VR Instance [ your virtual router instance ].
- Select Lock.
- Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your primary HA box > Network > VR Instance [ your virtual router instance ].
- In the list, click Link From Cluster Repository.
- The Select Object window is displayed.
- In the tree inside of the window, select the VR Instance [ your virtual instance ] that you created in your repository before.
- Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your secondary HA box > Network > VR Instance [ your virtual router instance ].
- Select Lock.
- Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your secondary HA box > Network > VR Instance [ your virtual router instance ].
- In the list, click Link From Cluster Repository.
- The Select Object window is displayed.
- In the tree inside of the window, select the VR Instance [ your virtual instance ] that you created in your repository before.
- Click Activate.
- The Activate Changes window is displayed.
- Click Activate.