Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to set Control Centers into a Master-to-Slave Relation

Synchronizing a master CC with one or more slave CCs requires exchanging public keys between the slave and the master, and copying the node information from the node property window on the slave CC to the master CC. In the following example, all required slave CCs are first configured on the master. After this, the node information is copied from a slave to the master.

If multiple administrators manage the master and slave CCs independently, it is recommended that they agree on a common synchronization plan before setting up synchronization between their respective Control Centers, to avoid unexpected damage to their CC configurations.

Before You Begin

All Control Centers must be running firmware 7.2.2 or higher.

Configure Identity Information between the Slave CCs and the Master CC

Perform the following steps for all slave CCs that you want to import on your master CC.

Step 1. Get the Private Key Information from the Slave CC
  1. Log into your Control Center that will serve as a slave CC.
  2. Go to CONFIGURATION > Configuration Tree > Multi Range > Global Settings > CC Identity.
  3. In the left menu, click Trust Chain.
  4. In the Trust Chain Configuration section, click Ex/Import for CC Private Key.
  5. From the list, click Export Public to Clipboard:
    export_cc_public_key_on_slave_cc.png
Step 2. Configure the Identity of the Slave CC on the Master CC
  1. Log into your Control Center that will serve as your master CC.
  2. Go to CONFIGURATION > Configuration Tree > CC Parameters.
  3. In the left menu, click Switch to Advanced view.
  4. In the left menu, click Split Control Center.
  5. Configure the CC to work as a master:
    1. Node Type – Select Master.
    2. Slave Control Centers – Click + to configure a new slave CC with its synchronization nodes.
    3. The Slave Control Centers window displays.
    4. Enter a name for the Control Center.
    5. Click OK.
    6. Enter the IP address for Slave Control Center IP.
    7. Click Ex/Import for Slave Public Key.
    8. From the list, select Import from Clipboard:
      import_public_key_on_master.png
    9. Click OK.
    10. Click Send Changes.
    11. Click Activate.
Step 3. Get the Private Key Information from the Master CC
  1. Go to CONFIGURATION > Configuration Tree > Multi Range > Global Settings > CC Identity.
  2. In the left menu, click Trust Chain.
  3. In the Trust Chain Configuration section, click Ex/Import for CC Private Key.
  4. From the list, click Export Public to Clipboard:
    export_cc_public_key_on_master_cc.png
Step 4. Configure the Identity of the Master CC on the Slave CC
  1. Log back into your Control Center that will serve as your slave CC.
  2. Go to CONFIGURATION > Configuration Tree > CC Parameters.
  3. For Node Type, select Slave.
  4. In the left menu, click Switch to Advanced view.
  5. In the left menu, click Split Control Center.
  6. For Master CC Public Key, click Ex/Import.
  7. Click Import from Clipboard:
    import_public_key_on_slave.png
  8. Click Send Changes.
  9. Click Activate.
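
The trust relation above rests on key text carried through the clipboard, so it is worth confirming that the key imported on one CC is byte-for-byte the key exported on the other. The following is an added example, not part of the Barracuda documentation or product; it assumes the exported public key is PEM-armoured text, and the sample key is constructed.

```python
import base64
import binascii
import hashlib
import re

# Assumption: the key text on the clipboard is PEM-armoured (BEGIN/END lines
# around a base64 body). The page does not state the export format.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)


def key_fingerprint(clipboard_text):
    """SHA-256 fingerprint of the key bytes inside a pasted PEM block."""
    match = PEM_RE.search(clipboard_text)
    if match is None:
        raise ValueError("no complete PEM block (truncated or partial paste?)")
    if "PRIVATE" in match.group(1):
        raise ValueError("private key material; only the public key is exchanged")
    # Drop line breaks and spaces so CRLF/LF clipboard differences do not matter.
    body = "".join(match.group(2).split())
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"corrupt base64 body: {exc}") from exc
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def constructed_pem(label="PUBLIC KEY", newline="\n"):
    """Build a constructed sample block (not a real key) for the demo."""
    body = base64.encodebytes(bytes(range(160))).decode().split()
    lines = [f"-----BEGIN {label}-----", *body, f"-----END {label}-----"]
    return newline.join(lines) + newline


if __name__ == "__main__":
    exported_on_slave = constructed_pem(newline="\n")
    pasted_on_master = constructed_pem(newline="\r\n")  # same key, other line endings
    print("slave :", key_fingerprint(exported_on_slave))
    print("master:", key_fingerprint(pasted_on_master))
    print("match :", key_fingerprint(exported_on_slave) == key_fingerprint(pasted_on_master))
```

Compare the two fingerprints over a channel other than the one used to transfer the key text.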

Allow Traffic from the Master CC to the related Slave CC

For proper communication between the Master and Slave CC, a firewall rule must be created on the Slave CC. This firewall rule must allow traffic from the Master CC to the Slave CC with the following options:

  • Go to CONFIGURATION > Configuration Tree > Virtual Servers > your virtual server > Assigned Services > NGFW (Firewall) > Forwarding Rules.
  • Click Lock.
  • Click + to add an access rule.
  • For the access rule type, select Pass.
  • Enter a name for the access rule.
  • Source – IP address of the Master CC
  • Services
    • NGF-MGMT-STATUS: service port UDP 801
    • NGF-MGMT-CONF: service port TCP 809
  • Destination – IP address of the local Slave CC
  • Connection Method – Dynamic NAT

Configure the Synchronization Nodes

The following example assumes that a user wants to synchronize the Administrative Roles node.

Repeat the following steps for all paths of each slave CC that you want to synchronize with the master CC.

Step 1. Get the Node Information from the Slave CC
  1. Log into your slave CC.
  2. Go to CONFIGURATION > Configuration Tree > Multi Range > Global Settings.
  3. Right-click Administrative Roles in the Control Center configuration tree.
  4. From the list, select the Properties node.
  5. The Node Properties window opens.
  6. Locate the line that holds Configuration Node Path.
  7. Using your cursor, highlight the string in the Configuration Node Path field:
    copy_node_from_porperties.png
  8. Right-click the marked string.
  9. A small menu displays.
  10. From the list, select Copy:
    copy_node_info.png
Step 2. Configure the Node Information of the Slave CC on the Master CC
  1. Log into your Control Center that will serve as your master CC.
  2. Go to CONFIGURATION > Configuration Tree > CC Parameters.
  3. In the left menu, click Switch to Advanced view.
  4. In the left menu, click Split Control Center.
  5. From the list of Slave Control Centers, double-click the slave CC you want to configure the synchronization node for.
  6. For Synced Configuration Nodes, click + to add a new configuration node.
  7. The Synced Configuration Nodes window displays.
  8. Right-click into the edit field for Source Node Path.
  9. From the list, select Paste.
  10. In the edit field for Source Node Path, delete everything beginning with the last '/' to the end of the string, for example, '/roles'. The edit-field now displays the string '0settings'.
  11. Right-click into the edit field for Source Node Name.
  12. From the list, select Paste.
  13. From the string in the edit field (for example, '0settings/roles'), delete everything from the beginning up to the last '/', for example, '0settings/'. The edit-field now displays the string 'roles':
    slave_sync_node_added.png
  14. Click OK.
  15. Click Send Changes.
  16. Click Activate.

Your master CC is now configured to synchronize the node 'Administrative Roles' with the slave CC of your choice. If you make any changes on the master CC to one of the configured synchronization paths, this path is automatically pushed to the slave CC if it is reachable and if the sync node is not locked on the slave CC.

Create an Access Rule on Both Control Centers

So that the master and slave CC can communicate with each other, you must create an access rule on the host firewall for port 810 UDP. Perform the following steps on both the master and slave CC.

  1. Log into your CC on box level.
  2. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Service > Host Firewall.
  3. At the top of the list, ensure that Inbound is selected.
  4. Click + to add a new access rule.
  5. The Edit Rule window opens.
  6. For the action type, select Pass.
  7. For the name of the access rule, enter MGMT-ACCESS-SLAVE-CC.
  8. For Source, enter the address of the network in which the other Control Center is located.
  9. For Service, select <explicit> from the list.
  10. Double-click the first line in the service list.
  11. The Edit/Create Service Object window opens.
  12. Click on New Object... .
  13. The Service Entry Parameters window opens.
  14. For IP Protocol, select 017 UDP.
  15. For Port Range, enter 810.
  16. Click OK.
  17. For Destination, enter the box level IP address of your current Control Center.
  18. For Connection Method, select <explicit-conn> and Original Source IP.
  19. Click OK.
  20. Click Send Changes.
  21. Click Activate.
    master_cc_to_slave_cc_access_rule.png
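
A least-privilege check for the Pass rules described in this section and in "Allow Traffic from the Master CC to the related Slave CC", as an added example that is not Barracuda code. The rule dictionaries are a hypothetical representation constructed for illustration (not a Barracuda export format), and the addresses are documentation ranges.

```python
import ipaddress

# Services each rule should allow, taken from the steps on this page.
EXPECTED = {
    "forwarding": {("udp", 801), ("tcp", 809)},  # NGF-MGMT-STATUS, NGF-MGMT-CONF
    "host": {("udp", 810)},                      # host firewall rule on both CCs
}


def audit_rule(rule, kind, peer_net, local_ip):
    """Return findings for one rule; an empty list means it matches the page.

    rule     -- dict with 'action', 'source', 'destination', 'services'
                (hypothetical format for this example)
    peer_net -- address or network of the other Control Center
    local_ip -- address of the Control Center the rule is installed on
    """
    findings = []
    peer = ipaddress.ip_network(peer_net, strict=False)
    src = ipaddress.ip_network(rule["source"], strict=False)
    dst = ipaddress.ip_network(rule["destination"], strict=False)
    if rule["action"].lower() != "pass":
        findings.append("action is not Pass")
    if src.version != peer.version or not src.subnet_of(peer):
        findings.append(f"source {src} is not contained in peer CC network {peer}")
    if dst.num_addresses != 1 or dst.network_address != ipaddress.ip_address(local_ip):
        findings.append(f"destination {dst} is not the single local address {local_ip}")
    services = {(proto.lower(), int(port)) for proto, port in rule["services"]}
    for proto, port in sorted(EXPECTED[kind] - services):
        findings.append(f"missing {proto.upper()} {port}")
    for proto, port in sorted(services - EXPECTED[kind]):
        findings.append(f"unexpected {proto.upper()} {port} also allowed")
    return findings


# Constructed sample rules: master CC 192.0.2.10, slave CC 198.51.100.10.
GOOD_FORWARDING = {"action": "Pass", "source": "192.0.2.10",
                   "destination": "198.51.100.10",
                   "services": [("UDP", 801), ("TCP", 809)]}
BROAD_HOST = {"action": "Pass", "source": "0.0.0.0/0",
              "destination": "198.51.100.10",
              "services": [("UDP", 810), ("TCP", 22)]}

if __name__ == "__main__":
    print(audit_rule(GOOD_FORWARDING, "forwarding", "192.0.2.10/32", "198.51.100.10"))
    for finding in audit_rule(BROAD_HOST, "host", "192.0.2.0/24", "198.51.100.10"):
        print("finding:", finding)
```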

Status Map on Master CC and Slave CC

On a master CC, the status map shows information about the configured slave CCs. The Slave CC column lists all slave CCs synced from the master CC. In the horizontal line, the status map displays the name of the slave Control Center:

status_map_master_CC.png

Because a slave CC only listens passively for sync commands sent by its master CC, no information is available in the status map:

status_map_slave_CC.png