Netscreen - NSRP
Firewalls - Netscreen
Friday, 04 September 2009 00:00
There are 3 main types of HA setup: the untrust failover feature of the SOHO models (such as the NS-5GT), NSRP Lite, and full NSRP. Each is described below.
HA Feature Sets
Failover
Failover lets you configure a secondary untrust interface. If the primary untrust link fails, the secondary link becomes active to restore connectivity. Either the serial port or an Ethernet port can be used for the secondary link, so an ADSL modem or a router can be attached to it.
The failover commands are below. To force a failover manually:
ns5gt-> exec failover force
To allow the link to stabilise there is a default hold-down timer of 30 seconds. If required you can change it with the command,
ns5gt-> set failover hold-down [number of seconds]
Note that this failover only monitors the link between the Netscreen and the modem or router. If the ISP service fails but that link stays up, the Netscreen will not fail over.
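The sequence below is an added example of how the failover feature is enabled, tested and reverted; it is not from the original post. The commands are those of the ScreenOS CLI as I recall them (set failover enable/auto, exec failover force/revert, get failover), so verify them against the CLI reference for your release before relying on them.

```screenos
# 1. Enable dual-untrust failover and let the device fail over, and fall back,
#    on its own rather than only on "exec failover force"
ns5gt-> set failover enable
ns5gt-> set failover auto

# 2. Test it before you need it: force the secondary link active,
#    confirm the state, then return to the primary link
ns5gt-> exec failover force
ns5gt-> get failover
ns5gt-> exec failover revert
ns5gt-> get failover

# 3. Persist the configuration
ns5gt-> save
```

Because only the link to the modem or router is monitored, a test that confirms the secondary link carries traffic end to end (for example a ping to an Internet address while forced over) is worth more than the state shown by get failover alone.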
NSRP Lite
NSRP Lite allows an Active/Passive setup with configuration synchronisation, but does not provide Run-Time Object (RTO) synchronisation (discussed later) or an Active/Active setup.
NSRP
NSRP is the protocol that lets clustered Netscreens communicate with each other and exchange state information, which in turn lets them decide how to keep passing traffic when one member fails.
When NSRP is enabled a VSD (Virtual Security Device) is created and the configuration of the physical interfaces is applied to VSIs (Virtual Security Interfaces). Each VSD belongs to a VSD group, and within each group one VSD is elected master. Every firewall in the cluster holds an instance of the VSD, but only the master VSD (the active firewall) passes traffic. The IP addresses assigned to a VSI follow the master VSD, so they move with it on failover, whereas the management IPs stay fixed to each physical firewall.
At any one time each VSD is in one of 6 states.
Initial - The state a VSD enters when it is first created, after a reboot or a configuration change. In this state the VSD discovers the other devices in the VSD group, synchronises state with the other VSDs, and takes part in the election of the master VSD.
The Master VSD is determined,
A failover can be caused by any of the following,
Two types of packets are exchanged over the HA links: control messages (heartbeats and configuration/RTO synchronisation) and data packets (traffic forwarded between the cluster members).
To check that the configuration on both devices is in sync, compare the configuration checksums with the command,
ns5gt-> exec nsrp sync global-config check-sum
NSRP Track IP
Interface track-IP and VPN monitoring are separate features and are not part of NSRP. NSRP track-IP lets the cluster fail over when an IP address that the master should be able to reach, such as the next-hop router, becomes unreachable. This catches failures that a heartbeat alone does not, such as a failed Netscreen interface or a failed switch port.
Without it, a device whose interface or upstream switch port has failed would stay master, and the VSD would not move to the other device.
Run-Time Object (RTO) mirroring allows dynamic information, such as sessions, DHCP leases and VPN sessions, to be synchronised between the cluster nodes.
NSRP is enabled by placing the device in a cluster:
ns5gt-> set nsrp cluster id 1
For some protocols, and when dealing with DoS attacks, you may wish to stop the sessions created by a particular policy from being mirrored, so that a flood of short-lived sessions does not also flood the HA link. This is set per policy.
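The following is an added worked configuration, not from the original post, that brings together the NSRP, track-IP and RTO sections above into an Active/Passive pair: cluster membership, RTO mirroring, VSI addresses that follow the master, per-device manage-ips, interface and next-hop monitoring, a policy excluded from session mirroring, and the sync and verification commands. The prompt, interface names, addresses, policy id and priority values are assumptions for illustration; the commands are the ScreenOS CLI as I recall it for a model with full NSRP (the NS-5GT only has NSRP Lite), so check them against the CLI reference for your release.

```screenos
# ---- On both devices: identical configuration ----
# Cluster and VSD group 0. In VSD group 0 the VSIs keep the physical
# interface names, so "set interface ethernet1 ip" configures the VSI.
ns-> set nsrp cluster id 1
ns-> set nsrp cluster name cluster1
# Mirror RTOs (sessions, SAs, ...) so an existing flow survives failover
ns-> set nsrp rto-mirror sync

# VSI addresses: these move with the master VSD (example addresses)
ns-> set interface ethernet1 ip 10.1.1.1/24
ns-> set interface ethernet3 ip 192.0.2.2/24

# Fail over when a physical interface goes down ...
ns-> set nsrp monitor interface ethernet1
ns-> set nsrp monitor interface ethernet3
# ... or when the next-hop router stops answering on the untrust side
ns-> set nsrp track-ip
ns-> set nsrp track-ip ip 192.0.2.1
ns-> set nsrp track-ip ip 192.0.2.1 interface ethernet3

# Do not mirror sessions for a policy that carries flood-prone traffic
# (policy id 10 is an example; the keyword is as I recall it)
ns-> set policy id 10 no-session-backup

# ---- Per device: settings that must differ ----
# Device A: lower priority value wins the election; preempt lets it
# take master back once it recovers
ns-> set interface ethernet1 manage-ip 10.1.1.11
ns-> set nsrp vsd-group id 0 priority 50
ns-> set nsrp vsd-group id 0 preempt
# Device B
ns-> set interface ethernet1 manage-ip 10.1.1.12
ns-> set nsrp vsd-group id 0 priority 100

# ---- Sync and verify ----
# On the device that should receive its peer's configuration
ns-> exec nsrp sync global-config save
# On either device: confirm both configurations match
ns-> exec nsrp sync global-config check-sum
# On the backup: pull the current RTOs from the master
ns-> exec nsrp sync rto all from peer
# Confirm cluster membership, VSD state and tracked-IP status
ns-> get nsrp
ns-> get nsrp vsd id 0
ns-> get nsrp track-ip
```

The important check is the check-sum: a cluster whose configurations differ will fail over to a device enforcing a different policy set, which is a silent security regression rather than an outage.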
Split brain is the situation where the HA link fails, so each device believes the other has failed and promotes itself to master, leaving two masters answering for the same VSI addresses.
There are 3 methods by which you can prevent this situation from arising,
One of them is adding a secondary path, so that heartbeats can still reach the peer over another interface when the HA link itself is down.
"No Brain" Situation
In this situation both switches or switch ports fail. The firewalls may be plugged into the same switch or into different switches, which may fail because of a power failure or similar. Both firewalls then place themselves in the inoperable state and drop to backup, so the cluster has two backups and no master.
To ensure that one device is always master you can use the command,
ns5gt-> set nsrp vsd-group master-always-exists
The main issue with this setting occurs when both switches/switch ports fail for one network (e.g. trust) and a switch/switch port then also fails on the active node. In this case the cluster does not fail over to the secondary node even though it is the better candidate for master.
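As an added example for the split-brain and no-brain sections, and not part of the original post, the fragment below shows the bare cluster setting that leaves the pair open to split brain next to the corrected form that adds a secondary heartbeat path, tunes the heartbeat detection, and sets master-always-exists for the no-brain case. The prompt, the interface used for the secondary path and the heartbeat values are assumptions; the commands are the ScreenOS CLI as I recall it, so verify them on your release.

```screenos
# Weak: a single HA link and no secondary path. If that link fails, each
# device stops seeing the other's heartbeats, both elect themselves master,
# and both answer for the same VSI addresses (split brain).
ns-> set nsrp cluster id 1

# Corrected: carry heartbeats over a second interface as well, so losing
# the HA link alone is not mistaken for losing the peer
# (ethernet2 is an example interface)
ns-> set nsrp secondary-path ethernet2
# Only declare the peer dead after several missed heartbeats
# (hb-interval is in milliseconds; values are examples)
ns-> set nsrp vsd-group hb-interval 1000
ns-> set nsrp vsd-group hb-threshold 3

# No brain: when monitored interfaces fail on both members, both drop to
# backup. Keep one member master so traffic is still passed.
ns-> set nsrp vsd-group master-always-exists

# Verify: the peer must be visible and exactly one VSD in the master state
ns-> get nsrp
ns-> get nsrp vsd id 0
```

Test the corrected configuration by pulling the HA cable with the secondary path in place: get nsrp on both members should still show the peer and a single master. If both report master, the secondary path is not carrying heartbeats and split brain remains possible.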