
Zone-Based Policy Firewall High Availability

Today I’m going to show how to implement high availability for ZBPF. Below you can see the scenario I’m working on:

zbpf-ha-2.jpg

As you can see, I have two routers (R1 and R2) which currently operate separately. From R4 we can reach R5 via both R1 and R2:
 
R4#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      4.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        4.4.4.0/24 is directly connected, FastEthernet0/0
L        4.4.4.4/32 is directly connected, FastEthernet0/0
R     5.0.0.0/8 [120/1] via 4.4.4.2, 00:00:25, FastEthernet0/0
                [120/1] via 4.4.4.1, 00:00:10, FastEthernet0/0
R4#

I have already implemented a basic ZBPF configuration:
 
zone security OUTSIDE
zone security INSIDE
!
zone-pair security OUT->IN source OUTSIDE destination INSIDE
 service-policy type inspect TCP-PM
!
zone-pair security IN->OUT source INSIDE destination OUTSIDE
 service-policy type inspect TCP-PM
!
!
interface FastEthernet0/0
 zone-member security OUTSIDE
!
interface FastEthernet0/1
 zone-member security INSIDE
!

and inspection of TCP sessions:
 
class-map type inspect match-all TCP-CM
 match protocol tcp
!
policy-map type inspect TCP-PM
 class type inspect TCP-CM
  inspect
 class class-default
  drop log
!

Let’s test it before I move on:

R4 starts a telnet session towards R5:
 
R4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open


User Access Verification

Password:
R5>

and on R1 I see this session:

R1#sh policy-map type inspect zone-pair sessions

policy exists on zp OUT->IN
  Zone-pair: OUT->IN

  Service-policy inspect : TCP-PM

    Class-map: TCP-CM (match-all)
      Match: protocol tcp

   Inspect

      Number of Established Sessions = 1
      Established Sessions
        Session 69131440 (4.4.4.4:25950)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_ESTAB
          Created 00:00:37, Last heard 00:00:35
          Bytes sent (initiator:responder) [31:71]


    Class-map: class-default (match-any)
      Match: any
      Drop
        68 packets, 1984 bytes

policy exists on zp IN->OUT
  Zone-pair: IN->OUT

  Service-policy inspect : TCP-PM

    Class-map: TCP-CM (match-all)
      Match: protocol tcp

   Inspect

    Class-map: class-default (match-any)
      Match: any
      Drop
        0 packets, 0 bytes
R1#

Now it’s time to add the redundancy feature:
 
!
parameter-map type inspect global
 redundancy
 log dropped-packets enable
!
redundancy
 application redundancy
  group 1
   name RG1
   preempt
   priority 200              <----- on r1 leave the default value 100
   control GigabitEthernet0/0.10 protocol 1
   data GigabitEthernet0/0.10
! 

Now I add the outside interface to the redundancy group with a virtual IP:
 
interface GigabitEthernet0/0
 redundancy rii 1 decrement 50
 redundancy group 1 

I also need an additional interface for the control and data traffic between the peers:
 
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0

Once I configure the gig0/0.10 interfaces on both routers I can see how the HA status is negotiated:
 
R1#sh redundancy application group 1
Group ID:1
Group Name:RG1

Administrative State: No Shutdown
Aggregate operational state : Up
My Role: ACTIVE
Peer Role: UNKNOWN
Peer Presence: Yes
Peer Comm: No
Peer Progression Started: No

RF Domain: btob-one
         RF state: ACTIVE
         Peer RF state: DISABLED

R1#



*Jan 10 02:20:01.551: %RG_VP-6-BULK_SYNC_DONE: RG group 1 BULK SYNC to standby complete.
*Jan 10 02:20:01.555: %RG_VP-6-STANDBY_READY: RG group 1 Standby router is in SSO state



R1#sh redundancy application group 1
Group ID:1
Group Name:RG1

Administrative State: No Shutdown
Aggregate operational state : Up
My Role: ACTIVE
Peer Role: STANDBY
Peer Presence: Yes
Peer Comm: Yes
Peer Progression Started: Yes

RF Domain: btob-one
         RF state: ACTIVE
         Peer RF state: STANDBY HOT

R1#


R2#
*Jan 10 01:50:18.363: %RG_PROTOCOL-5-ROLECHANGE: RG id 1 role change from Active to Init
R2#
*Jan 10 01:50:28.363: %RG_PROTOCOL-5-ROLECHANGE: RG id 1 role change from Init to Standby
R2#
R2#sh redundancy application group 1
Group ID:1
Group Name:RG1

Administrative State: No Shutdown
Aggregate operational state : Up
My Role: STANDBY
Peer Role: ACTIVE
Peer Presence: Yes
Peer Comm: Yes
Peer Progression Started: Yes

RF Domain: btob-one
         RF state: STANDBY HOT
         Peer RF state: ACTIVE

R2#

And the last one: the inside interface, also with a virtual IP:
 
interface GigabitEthernet0/1
 redundancy rii 2 decrement 50
 redundancy group 1 


Let’s test it once again:
 
r4#telnet 5.5.5.5
Trying 5.5.5.5 ... Open


User Access Verification

Password: 
r5>

On R1 I see:
 
R1#sh policy-map type inspect zone-pair sessions 

policy exists on zp OUT->IN
  Zone-pair: OUT->IN 

  Service-policy inspect : TCP-PM

    Class-map: TCP-CM (match-all)  
      Match: protocol tcp

   Inspect

      Number of Established Sessions = 2
      Established Sessions
        Session 31300C20 (4.4.4.4:27690)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_CLOSEWAIT 
          Created 00:39:21, Last heard 00:29:07
          Bytes sent (initiator:responder) [37:80]
          HA State: ACTIVE, RG ID: 1
        Session 31301320 (4.4.4.4:48870)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_ESTAB 
          Created 00:00:54, Last heard 00:00:50
          Bytes sent (initiator:responder) [45:86]
          HA State: ACTIVE, RG ID: 1


    Class-map: class-default (match-any)  
      Match: any 
      Drop
        2 packets, 16 bytes

and on R2:
 
R2#sh policy-map type inspect zone-pair sessions 

policy exists on zp OUT->IN
  Zone-pair: OUT->IN 

  Service-policy inspect : TCP-PM

    Class-map: TCP-CM (match-all)  
      Match: protocol tcp

   Inspect

      Number of Established Sessions = 2
      Established Sessions
        Session 2CC8B220 (4.4.4.4:27690)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_CLOSEWAIT 
          Created 00:31:38, Last heard never
          Bytes sent (initiator:responder) [0:0]
          HA State: STANDBY, RG ID: 1
        Session 2CC8B920 (4.4.4.4:48870)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_ESTAB 
          Created 00:01:54, Last heard never
          Bytes sent (initiator:responder) [0:0]
          HA State: STANDBY, RG ID: 1


    Class-map: class-default (match-any)  
      Match: any 
      Drop
        3 packets, 24 bytes

As you can see above, next to each session entry the HA state is shown: ‘ACTIVE’ or ‘STANDBY’. In some cases you may find that the routing protocol prefers the path via the standby box. You can set the redundancy priority to make sure which of your routers is the preferred one.
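A quick way to verify that the standby really mirrors the active session table is to parse the "sh policy-map type inspect zone-pair sessions" output from both routers and compare them. The following is an added example (not part of the original post): the sample outputs are constructed from the listings above, with the second session deliberately left out of the R2 sample so the check has something to report.

```python
import re

# Constructed sample output, modelled on the "sh policy-map type inspect
# zone-pair sessions" listings above; R2 deliberately lacks the second session.
R1_OUTPUT = """\
        Session 31300C20 (4.4.4.4:27690)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_CLOSEWAIT
          HA State: ACTIVE, RG ID: 1
        Session 31301320 (4.4.4.4:48870)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_ESTAB
          HA State: ACTIVE, RG ID: 1
"""
R2_OUTPUT = """\
        Session 2CC8B220 (4.4.4.4:27690)=>(5.5.5.5:23) tcp SIS_OPEN/TCP_CLOSEWAIT
          HA State: STANDBY, RG ID: 1
"""

# Session handles (31300C20, ...) differ per box, so the key is the 5-tuple-ish
# (src, dst, proto) instead; the HA line that follows is attached to it.
SESSION_RE = re.compile(r"Session\s+\w+\s+\((?P<src>[\d.]+:\d+)\)=>"
                        r"\((?P<dst>[\d.]+:\d+)\)\s+(?P<proto>\w+)\s+(?P<state>\S+)")
HA_RE = re.compile(r"HA State:\s+(?P<ha>\w+),\s+RG ID:\s+(?P<rg>\d+)")

def parse_sessions(output):
    """Map (src, dst, proto) -> {"state", "ha", "rg"} from show output."""
    sessions, current = {}, None
    for line in output.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = (m["src"], m["dst"], m["proto"])
            sessions[current] = {"state": m["state"], "ha": None, "rg": None}
            continue
        m = HA_RE.search(line)
        if m and current:
            sessions[current].update(ha=m["ha"], rg=int(m["rg"]))
    return sessions

def check_sync(active_out, standby_out, rg_id=1):
    """Return findings where the standby does not mirror the active table."""
    active, standby = parse_sessions(active_out), parse_sessions(standby_out)
    findings = []
    for key, info in active.items():
        if info["ha"] != "ACTIVE" or info["rg"] != rg_id:
            findings.append(f"{key}: not ACTIVE in RG {rg_id} on the active unit")
        peer = standby.get(key)
        if peer is None:
            findings.append(f"{key}: missing on standby, would be lost on failover")
        elif peer["ha"] != "STANDBY":
            findings.append(f"{key}: standby copy has HA state {peer['ha']}")
    for key in standby.keys() - active.keys():
        findings.append(f"{key}: stale session present only on standby")
    return findings
```

Byte counters are not compared on purpose: as the R2 output above shows, the standby copy reports [0:0] and "Last heard never" even for a correctly synced session.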
