CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1  2008-05-10
Testing-123 (Member, joined 2007-07-27, 74 posts)

Single module to cluster

Hello All,

I'm upgrading from a single firewall solution to a cluster due to resiliency requirements. I'm comfortable with creating a cluster in FW-1 and enabling cpha on the primary firewall, but I was looking at ways in which I could minimise downtime.

Anyone have any advice from previous experience?

The firewalls will be running NGX R60 as a VRRP cluster (active-passive). I would ideally like to use the physical IP addresses assigned to the existing firewall as VIP addresses and introduce a secondary, so that routing tables on devices connecting through the firewall do not have to be changed.

Regards
Testing-123
#2  2008-05-10
cciesec2006 (Senior Member, joined 2006-09-26, 612 posts)

Re: Single module to cluster

In the lab:

1- build the secondary firewall with VRRP and use the physical IP address
of the primary firewall as the VRRP address, but remove this firewall from the network
so that you do not have an IP conflict,

2- install the latest HFA on the secondary firewall. Make sure you have
the IP address in place,

3- perform fw unloadlocal,

4- perform SIC with the secondary from the SmartCenter, create gateway
cluster and so forth,

5- push policy to the firewall cluster from the SmartCenter,

6- bring everything down,

7- bring the SmartCenter and the secondary Nokia into your
production network, but have the switchports shut down for these
devices,

8- shut down the primary firewall,

9- enable the switchports for the secondary Nokia and the SmartCenter.
Clear the CAM table on the layer-2 switch and clear ARP on the
upstream router,

10- At this point, traffic should flow normally,

11- rebuild the primary Nokia and put it into the cluster,

12- push policy to the cluster again,

13- if everything goes as planned, you should be down no more
than 30 seconds, depending on how fast you are with step 8 and step 9.

I used to do this all the time when I worked as an engineer for an MSSP;
we managed nothing but Nokia devices with Provider-1.


Enjoy!!!!!
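The procedure above hinges on two things worth checking with something other than eyeballs: the VIPs must equal the old firewall's physical addresses (so nothing behind or in front of the firewall needs a route change) while no cluster member's own address may be the VIP or sit outside the VIP's subnet (the IP conflict step 1 warns about), and after step 9 the upstream router must resolve each VIP to the VRRP virtual MAC rather than keep the old box's physical MAC, which is why the CAM table and ARP cache are cleared. The following is an added example, not code from the thread or from Check Point or Nokia: a small Python script that checks a cutover plan against the old firewall's addressing and then audits the router's ARP table after the switch. It assumes VRRPv2 virtual MACs of the form 00:00:5e:00:01:<VRID> as defined in RFC 3768 and BSD-style `arp -an` output on the upstream router; all addresses, VRIDs and ARP lines are constructed sample data.

```python
"""Sanity checks for moving a single firewall's physical IPs onto VRRP VIPs.

Added example, not from the thread. Assumes VRRPv2 (RFC 3768) virtual MACs,
00:00:5e:00:01:<VRID>; all addresses, VRIDs and ARP lines are constructed.
"""
import ipaddress
import re

VRRP_MAC_PREFIX = "00:00:5e:00:01:"


def vrrp_virtual_mac(vrid: int) -> str:
    """RFC 3768 virtual MAC that the VRRP master answers ARP with for its VIPs."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"{VRRP_MAC_PREFIX}{vrid:02x}"


def check_vrrp_plan(old_ifaces, plan):
    """Compare the old firewall's addressing with the planned cluster.

    old_ifaces: {iface: "ip/prefix"} on the single firewall being replaced.
    plan: {iface: {"vip": "ip", "vrid": n, "members": ["ip/prefix", ...]}}
    Returns a list of problem strings; an empty list means the plan keeps
    the old addresses as VIPs and no member address can conflict with them.
    """
    problems = []
    for iface, old_cidr in old_ifaces.items():
        old = ipaddress.ip_interface(old_cidr)
        entry = plan.get(iface)
        if entry is None:
            problems.append(f"{iface}: no VRRP entry planned")
            continue
        vip = ipaddress.ip_address(entry["vip"])
        # Neighbours keep their routes only if the VIP is the old physical IP.
        if vip != old.ip:
            problems.append(f"{iface}: VIP {vip} != old address {old.ip}")
        seen = set()
        for cidr in entry["members"]:
            member = ipaddress.ip_interface(cidr)
            if member.network != old.network:
                problems.append(f"{iface}: member {member} not in {old.network}")
            # A member whose own address is the VIP conflicts with the old
            # firewall the moment both are cabled into the same VLAN.
            if member.ip == vip:
                problems.append(f"{iface}: member {member.ip} collides with VIP")
            if member.ip in seen:
                problems.append(f"{iface}: duplicate member address {member.ip}")
            seen.add(member.ip)
    return problems


# BSD-style `arp -an` line, e.g. "? (203.0.113.1) at 00:a0:8e:12:34:56 on fxp0"
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def stale_arp_entries(arp_output: str, plan):
    """After cutover, find VIPs the upstream router still maps to a non-VRRP MAC.

    Returns (vip, mac) pairs; a non-empty list means the router's ARP cache
    (or the switch CAM table in front of it) still points at the old box.
    """
    expected = {e["vip"]: vrrp_virtual_mac(e["vrid"]) for e in plan.values()}
    stale = []
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        ip, mac = m.group("ip"), m.group("mac").lower()
        if ip in expected and mac != expected[ip]:
            stale.append((ip, mac))
    return stale


# Constructed sample data (documentation address ranges, not real networks).
OLD_FW = {"eth0": "203.0.113.1/24", "eth1": "192.0.2.1/24"}
PLAN = {
    "eth0": {"vip": "203.0.113.1", "vrid": 10,
             "members": ["203.0.113.2/24", "203.0.113.3/24"]},
    "eth1": {"vip": "192.0.2.1", "vrid": 11,
             "members": ["192.0.2.2/24", "192.0.2.3/24"]},
}
# Same plan with two mistakes: a new VIP on eth0, and a member reusing the VIP on eth1.
BAD_PLAN = {
    "eth0": {"vip": "203.0.113.254", "vrid": 10,
             "members": ["203.0.113.2/24", "203.0.113.3/24"]},
    "eth1": {"vip": "192.0.2.1", "vrid": 11,
             "members": ["192.0.2.1/24", "192.0.2.3/24"]},
}
# Constructed router ARP output: eth0's VIP still carries the old firewall's MAC.
ROUTER_ARP_BEFORE_CLEAR = (
    "? (203.0.113.1) at 00:a0:8e:12:34:56 on fxp0 [ethernet]\n"
    "? (203.0.113.2) at 00:a0:8e:aa:bb:cc on fxp0 [ethernet]\n"
)
ROUTER_ARP_AFTER_CLEAR = "? (203.0.113.1) at 00:00:5e:00:01:0a on fxp0 [ethernet]\n"

if __name__ == "__main__":
    print("plan problems:", check_vrrp_plan(OLD_FW, PLAN))
    print("bad plan problems:", check_vrrp_plan(OLD_FW, BAD_PLAN))
    print("stale before clear:", stale_arp_entries(ROUTER_ARP_BEFORE_CLEAR, PLAN))
    print("stale after clear:", stale_arp_entries(ROUTER_ARP_AFTER_CLEAR, PLAN))
```

Run `check_vrrp_plan` against the real interface list before step 7, since that is the last moment a conflicting member address can be fixed without an outage; after step 9, paste the upstream router's `arp -an` into `stale_arp_entries` and treat any returned pair as "clear ARP again and re-check", because until the router holds the virtual MAC the VIP is reachable only by luck. The same MAC check applies to any host or router adjacent to the inside interfaces, not just the upstream one.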