This chapter provides step-by-step instructions for setting up SunScreen with High Availability (HA). You can configure SunScreen HA in either Stealth mode or Routing mode with the same level of redundancy. The steps to configure a Screen are nearly identical in either mode. For more details on using the GUI to configure HA, see the SunScreen 3.2 Administration Guide. For background technical information about HA, see the SunScreen 3.2 Administrators Overview.
When configuring HA in routing mode, the machine designated as the secondary Screen should have its screening interfaces physically disconnected from the network until after you configure HA on the primary Screen and activate its policy.
Figure 6-1 shows the Boston segment of the network. In this diagram, two stealth-mode Screens, bos-screen1 and bos-screen2, use HA. Figure 6-2 shows a network with two routing-mode Screens in an HA cluster.
This section explains how you prepare either stealth-mode or routing-mode Screens to run HA.
The Screens in an HA cluster must have identical network interfaces. All Screens in the HA cluster must be of the same type, either stealth or routing.
The first step when defining an HA cluster is to properly configure the necessary network interfaces and install the SunScreen software.
Configure the interfaces on the Primary machine.
If it does not already exist, configure the administration interface.
For bos-screen1 in this example, use the following command:
# echo "192.168.1.3" > /etc/hostname.le0
If it does not already exist, configure the HA heartbeat interface.
For bos-screen1 in this example, use the following command:
# echo "10.0.4.1" > /etc/hostname.le0
Reboot the Primary machine.
Install the SunScreen software on the Primary machine and verify that it functions properly.
Follow the instructions for the stealth mode example described in Chapter 4, Configuring a Stealth Mode Screen.
Prepare a Secondary machine to mirror the configuration of the Primary Screen.
This machine will be used as the secondary HA Screen. In this example, the second machine is named bos-screen2. The second machine (HA secondary) must be identical to the first machine (HA primary) in the following ways:
Solaris configuration
hardware (ideally)
Interface types
The only configuration differences between the first and second machines are:
/etc/nodename
IP address of the administrative interface
IP address of the HA interface
Configure the interfaces on the Secondary machine.
If it does not already exist, configure the administration interface.
For bos-screen2 in this example, use the following command:
# echo "192.168.1.4" > /etc/hostname.le0
If it does not already exist, configure the HA heartbeat interface.
For bos-screen2 in this example, use the following command:
# echo "10.0.4.2" > /etc/hostname.le0
Reboot the Secondary machine.
Your systems are now prepared to run HA in stealth mode. Continue with the configuration by going to "Configuring the HA Cluster".
The first step when defining an HA cluster is to properly configure the necessary network interfaces and install the SunScreen software.
Configure the interfaces on the Primary machine.
If it does not already exist, configure the HA heartbeat interface.
For sf-screen1 in this example, use the following command:
# echo "10.0.5.1" > /etc/hostname.qe2
If they do not already exist, configure the filtering interfaces.
For sf-screen1 in this example, you would use the following commands to configure the two screening interfaces:
# echo "10.0.1.100" > /etc/hostname.qe0
# echo "192.168.2.2" > /etc/hostname.qe1
Reboot the Primary machine.
Install the Screen software on the Primary machine and verify that it functions properly.
Prepare a Secondary machine to mirror the configuration of the Primary.
This machine will be used as the secondary HA Screen. In this example, the second machine is named sf-screen2. The second machine (HA secondary) must be identical to the first machine (HA primary) in the following ways:
Solaris configuration
hardware (ideally)
Interface types
The only configuration differences between the first and second machines are:
/etc/nodename
IP address of the administrative interface (if a separate one exists)
IP address of the HA interface
Configure the interfaces on the Secondary machine.
If it does not already exist, configure the HA heartbeat interface.
For sf-screen2 in this example, use the following command:
# echo "10.0.5.2" > /etc/hostname.qe2
If they do not already exist, configure the filtering interfaces.
For sf-screen2 in this example, you would use the following commands to configure the two filtering interfaces:
# echo "10.0.1.100" > /etc/hostname.qe0
# echo "192.168.2.2" > /etc/hostname.qe1
Reboot the Secondary machine.
Be sure to physically disconnect the screening interfaces before you reboot the system. These interfaces should not be reconnected until after the HA configuration is complete, and the policy has been activated on the Primary Screen.
Your systems are now prepared to run HA in Routing mode. Continue with the configuration by following the instructions in the "Configuring the HA Cluster" section that follows.
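The stealth-mode and routing-mode preparation steps above both impose the same rule: the secondary must mirror the primary, and only the administrative and HA heartbeat addresses may differ. The following script is an added example (not part of the SunScreen 3.2 guide) that applies that rule to two directories holding copies of each Screen's /etc/hostname.* files; it assumes the routing-mode sf-screen1/sf-screen2 layout from this chapter (qe2 heartbeat, qe0/qe1 filtering) as a constructed sample written under a temporary directory.

```shell
#!/bin/sh
# Added example, not from the SunScreen 3.2 guide. Compares the hostname.*
# files of an HA primary and secondary: the HA heartbeat interface (and the
# administrative interface, if one exists) must carry a different address on
# each Screen; every other addressed interface must match the primary exactly.
# Usage: ha_mirror_check PRIMARY_ETC SECONDARY_ETC HA_IF [ADMIN_IF]
ha_mirror_check() {
    p_etc=$1 s_etc=$2 ha_if=$3 admin_if=${4:-}
    rc=0
    for f in "$p_etc"/hostname.*; do
        [ -f "$f" ] || continue
        ifn=${f##*/hostname.}
        if [ ! -f "$s_etc/hostname.$ifn" ]; then
            echo "MISSING  $ifn: secondary has no hostname.$ifn"; rc=1; continue
        fi
        p_ip=$(cat "$f"); s_ip=$(cat "$s_etc/hostname.$ifn")
        if [ "$ifn" = "$ha_if" ] || [ "$ifn" = "$admin_if" ]; then
            # Heartbeat/admin addresses must be unique per Screen.
            if [ "$p_ip" = "$s_ip" ]; then
                echo "CONFLICT $ifn: both Screens would use $p_ip"; rc=1
            else
                echo "OK       $ifn: $p_ip (primary) / $s_ip (secondary)"
            fi
        elif [ "$p_ip" != "$s_ip" ]; then
            # Filtering interfaces in routing mode mirror the primary.
            echo "MISMATCH $ifn: primary $p_ip, secondary $s_ip"; rc=1
        else
            echo "OK       $ifn: $p_ip mirrored"
        fi
    done
    for f in "$s_etc"/hostname.*; do
        [ -f "$f" ] || continue
        ifn=${f##*/hostname.}
        [ -f "$p_etc/hostname.$ifn" ] || { echo "EXTRA    $ifn: only on secondary"; rc=1; }
    done
    return $rc
}

# Constructed sample: the chapter's routing-mode sf-screen1/sf-screen2 layout.
make_sample_etc() {   # $1 = directory standing in for /etc, $2 = heartbeat address
    mkdir -p "$1"
    echo "10.0.1.100" > "$1/hostname.qe0"
    echo "192.168.2.2" > "$1/hostname.qe1"
    echo "$2" > "$1/hostname.qe2"
}

SAMPLE=$(mktemp -d)
make_sample_etc "$SAMPLE/sf-screen1" 10.0.5.1
make_sample_etc "$SAMPLE/sf-screen2" 10.0.5.2
ha_mirror_check "$SAMPLE/sf-screen1" "$SAMPLE/sf-screen2" qe2
```

On a stealth-mode pair the filtering interfaces have no hostname.* files, so only the administrative and heartbeat entries are compared; pass the administrative interface name as the fourth argument there.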
In this example, the primary Screen is named bos-screen1.
Create an empty Address Group object for use in defining the HA heartbeat interface.
In this example, the Address Group would be called ha_grp.
Define an Interface object of type HA using the interface group created in the previous step.
Enter the name of the interface you want as the HA heartbeat interface. Select HA as the Type and ha_grp in the Valid Address field.
Make sure that the Spoof Protection field specifies INCOMPLETE.
Save, but do not activate, the policy.
If you activate now, an error message appears regarding an HA interface being defined but HA not being activated.
In the administration GUI, under the Policies section, click the Initialize HA button.
Select the interface name you specified in the previous step and click OK.
Save and activate the policy.
In this example, the secondary Screen is named bos-screen2.
Install the Screen software on the secondary machine and specify that it is a Secondary HA system.
When prompted, enter the interface name of the HA heartbeat interface, and specify the IP Address of the HA heartbeat interface of the Primary HA system. The installation program will then perform the necessary steps for the SunScreen HA configuration.
Using the Administration GUI, connect to the HA primary Screen's administrative interface.
This can be done either locally on the Primary machine, or remotely from an administration station.
Define a Screen object for the HA secondary Screen.
See Figure 6-3.
Enter the name of the Secondary Screen in the name field.
Select the Miscellaneous tab. Make sure that the information specified on this tab is identical to that of the Primary machine's Screen object.
Select the Primary/Secondary tab. Specify the High Availability status (Secondary) and the HA Primary Screen. Finally, enter the High Availability IP Address (that of the Secondary's heartbeat interface).
See Figure 6-4 for an example.
Save and activate the policy.
If the policy was activated successfully, and the Screens were configured in routing mode, the screening interfaces should be reconnected to the network at this point.
When administering an HA cluster, you usually contact only the primary Screen because it stores all the configuration information. If you need to administer the secondary Screen remotely, you must first have that Screen set up with an Administrative Interface (required in stealth mode). Then you need to add an access control list (ACL) entry on the Administration Station for the IP address of the secondary Screen's administrative interface, using the same certificate names as those used by the primary Screen. The secondary and primary Screens have the same keys, which are copied across the HA interface during activation.