Barracuda CloudGen Firewall

Attention

Barracuda CloudGen Firewall version 8.0 is a cloud-only version. It is currently not available for on-premises deployments and can only be deployed in Microsoft Azure, Amazon Web Services, or Google Cloud Platform public clouds.

How to Configure High Availability CC-Managed CloudGen Firewalls for Virtual Routing Using a Repository Entry

When configuring VRF for two CC-managed firewalls, the box-level configuration for both firewalls must be identical, except for the NetworkBox Properties, and Licensing pages. Furthermore, the names of all virtual router instances and the VR Instance IDs must match on both firewalls.

If the names of all virtual router instances and the VR Instance IDs do not match on both HA boxes, a failover to the secondary firewall will not work!

Before You Begin

Verify that two firewalls are configured to be controlled by the Control Center for operating in high availability mode. For more information, see How to Configure a High Availability Cluster for Managed CloudGen Firewalls.

Verify that your primary firewall is configured for running at least one virtual router instance. For more information, see How to Configure and Activate a Virtual Router Instance with Hardware, Virtual, VLAN, or Bundled Interfaces.

The following example assumes that one virtual router instance is already configured on the primary firewall. This instance serves as the basis for managing the VRF configuration for both HA partners using a repository entry. The name of the VR Instance is VR01, and its ID is 1. If multiple virtual router instances are configured, you must execute the following steps for each additional virtual router instance. In this setup, the firewall service will be transparent to the additional virtual router instance only if authenticated users are not defined. All other services are not available to the additional virtual router. For more information on which services are available for additional virtual instances, see Virtual Routing and Forwarding (VRF).

vrf_base_for_HA_via_repo.png

Step 1. Create a Cluster Repository

Execute this step only if a cluster repository is missing!
  1. Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster.
  2. From the list, select Create Repository.
  3. Click + to expand the Cluster Repository node.
  4. Click + to expand the Box node.
  5. Click Activate.
  6. The Activate Changes window is displayed.
  7. Click Activate.

Step 2. Create a Network Node in the Repository

Execute this step only if a network node has not been added yet according to this description!

Because there is already a VR instance running on the primary firewall, the configuration will serve as a template to create a repository node.

  1. Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your primary HA box > Network.
  2. From the list, select Lock.
  3. Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your primary HA box > Network.
  4. From the list, select Copy to Cluster Repository....
    vrf_repo_create_network_node.png
  5. The Select Object window is displayed.
  6. Enter a name for the new repository object, e.g., NetworkHA.
  7. Click OK.
  8. Click Activate.
  9. The Activate Changes window is displayed.
  10. Click Activate.
    vrf_repo_network_node_created.png

Step 3. Create a Virtual Router Instance Node in the Repository

A clean VR instance template is required for configuring the VR instance that will feed both HA partners with network configuration information.

  1. Right-click Cluster Repository > Network.
  2. From the list, select Lock.
  3. Right-click Cluster Repository > Network.
  4. In the list, select Create VR Instance.
  5. The Create a new VR Instance window is displayed.
  6. Enter the same name for the new repository entry as for your VR instance on your primary box, e.g., VR01.
  7. Click OK.
  8. Click Activate.
  9. The Activate Changes window is displayed.
  10. Click Activate.
    vrf_repo_vr_instance_node_created_in_repo.png

Step 4. Copy VR Instance Data from the Primary Box to the VR Instance Cluster Node

The configuration of the VR instance on the primary firewall is the basis for the repository entry that must be identical for both HA partners. The interface and routing configuration must be transferred to the VR instance node in the repository.

  1. Go to CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your primary HA box > Network > VR Instance [ your virtual router instance ].
  2. The VR Instance configuration of the primary box is displayed.
  3. Click Lock.
  4. Go to CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Cluster Repository > Box > Network > VR Instance [ your virtual router instance ].
  5. The recently created VR Instance entry is displayed.
  6. Click Lock.
    vrf_vr_instance_ready_to_be_copied.png
  7. In the ribbon bar, click VR Instance [ your virtual router instance ].
  8. In the left menu, click IP Configuration.
  9. The Configure IP Addresses window is displayed.
  10. Click the clipboard icon followed by a click on Copy to Clipboard.
    vrf_copy_instance_data_to_clipboard.png
  11. In the ribbon bar, click VR Instance [ your virtual router instance ] - your cluster.
  12. In the left menu, select IP Configuration.
  13. The Configure IP Addresses window is displayed.
  14. Click the clipboard icon followed by a click on Replace With Clipboard.
    vrf_paste_instance_data_from_clipboard.png
  15. In the ribbon bar, click VR Instance [ your virtual router instance ].
  16. In the left menu, click Routing.
  17. The Configure IP Addresses window is displayed.
  18. Click the clipboard icon followed by a click on Copy to Clipboard.
  19. In the ribbon bar, click VR Instance [ your virtual router instance ] - your cluster.
  20. In the left menu, select Routing.
  21. The Configure IP Addresses window is displayed.
  22. Click the clipboard icon followed by a click on Replace With Clipboard.
  23. Click Send Changes.
  24. Click Activate.

Step 5. Create a VR Instance Node for the Secondary Box

  1. Go to CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your secondary HA box.
  2. Right-click Network.
  3. From the list, select Create VR Instance.
  4. The Create a new VR Instance window is displayed.
  5. Enter the same name for the virtual instance as already configured for your primary box, e.g., VR01.
  6. Click OK.
  7. Click Activate.
  8. The Activate Changes window is displayed.
  9. Click Activate.
    vrf_vr_instance_created_on_secondary_box.png

Step 6. Link the Common Network Repository Nodes to Both HA Partners

Execute this step only if the repository network node has not been linked yet according to this description!
  1. Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your primary HA box > Network.
  2. From the list, select Lock.
  3. Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your primary HA box > Network.
  4. From the list, select Link Override from Cluster Repository.
  5. The Select Object window is displayed.
  6. In the tree inside of the window, select the network node that you created in your repository before, e.g., NetworkHA.
  7. Click OK.
    vrf_link_override_for_primary.png
  8. Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your secondary HA box > Network.
  9. Click Lock.
  10. Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your secondary HA box > Network.
  11. From the list, select Link Override from Cluster Repository.
  12. The Select Object window is displayed.
  13. In the tree inside of the window, select the network node that you created in your repository before, e.g., NetworkHA.
  14. Double-click the link to the repository you just created.
  15. For the Management IP (MIP), click the clipboard icon to the right of the edit field and select Override Entry.
    vrf_override_repo_entry.png
  16. Enter the original Management IP (MIP) of the secondary box into the edit field.
  17. Click Send Changes.
  18. Click Activate.
  19. The Activate Changes window is displayed.
  20. Click Activate.

Step 7. Re-activate the New Network Configuration on Your Secondary HA Firewall

  1. Log into your secondary HA firewall.
  2. Go to CONTROL > Box.
  3. In the left menu bar, expand Network.
  4. Click Activate new network configuration.
  5. The Network Activation window is displayed.
  6. Click Failsafe.

Step 8. Link the VR Instance Node from the Repository to the Corresponding Nodes for Both Firewalls

  1. Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your primary HA box > Network > VR Instance [ your virtual router instance ].
  2. Select Lock.
  3. Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your primary HA box > Network > VR Instance [ your virtual router instance ].
  4. In the list, click Link From Cluster Repository.
  5. The Select Object window is displayed.
  6. In the tree inside of the window, select the VR Instance [ your virtual instance ] that you created in your repository before.
  7. Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your secondary HA box > Network > VR Instance [ your virtual router instance ].
  8. Select Lock.
  9. Right-click CONFIGURATION > Configuration Tree > Multi Range > your range > your cluster > Boxes > your secondary HA box > Network > VR Instance [ your virtual router instance ].
  10. In the list, click Link From Cluster Repository.
  11. The Select Object window is displayed.
  12. In the tree inside of the window, select the VR Instance [ your virtual instance ] that you created in your repository before.
  13. Click Activate.
  14. The Activate Changes window is displayed.
  15. Click Activate.
    vrf_repo_setup_complete.png