SunScreen 3.2 Configuration Examples

Configuring the HA Cluster

Modify the Primary Screen to Run in HA Mode

In this example, the primary Screen is named bos-screen1.

  1. Create an empty Address Group object for use in defining the HA heartbeat interface.

    In this example, the Address Group would be called ha_grp.

  2. Define an Interface object of type HA using the Address Group created in the previous step.

    Enter the name of the interface you want as the HA heartbeat interface. Select HA as the Type and ha_grp in the Valid Address field.


    Note -

    Make sure that the Spoof Protection field specifies INCOMPLETE.


  3. Save, but do not activate, the policy.

    If you activate now, an error message appears regarding an HA interface being defined but HA not being activated.

  4. In the administration GUI, under the Policies section, click the Initialize HA button.

    Select the interface name you specified in the previous step and click OK.

  5. Save and activate the policy.

Install the HA secondary Screen

In this example, the secondary Screen is named bos-screen2.

  1. Install the Screen software on the secondary machine and specify that it is a Secondary HA system.

    When prompted, enter the interface name of the HA heartbeat interface, and specify the IP Address of the HA heartbeat interface of the Primary HA system. The installation program will then perform the necessary steps for the SunScreen HA configuration.

Define the HA cluster

  1. Using the Administration GUI, connect to the HA primary Screen's administrative interface.

    This can be done either locally on the Primary machine, or remotely from an administration station.

  2. Define a Screen object for the HA secondary Screen.

    See Figure 6-3.

    Figure 6-3 Screen Object Definition for HA Secondary Screen

    1. Enter the name of the Secondary Screen in the name field.

    2. Select the Miscellaneous tab. Make sure that the information specified on this tab is identical to that of the Primary machine's Screen object.

    3. Select the Primary/Secondary tab. Specify the High Availability status (Secondary) and the HA Primary Screen. Finally, enter the High Availability IP Address (that of the Secondary's heartbeat interface).

      See Figure 6-4 for an example.

      Figure 6-4 Secondary Screen Name and HA IP Address

  3. Save and activate the policy.


    Note -

    If the policy was activated successfully, and the Screens were configured in routing mode, the screening interfaces should be reconnected to the network at this point.