Migration between different versions (Method 1)

This section describes the procedure for migrating the firewall in use (redundant configuration) to the new firewall version (redundant configuration).
*The new firewall version does not take over the IP address used by the old version; it uses a different IP address after the migration.
NTT Communications has checked operations for the following combinations of versions.

Old version    New version
-----------    -----------
3.5R6S3        5.2R4
4.2R1S1        5.2R4

System configuration subject to migration in this guide

The migration method for the firewall (Brocade 5600 vRouter) is described for the system configuration below.

Prerequisites

  • Version upgrade is not possible, as described in the Service Descriptions.

  • For migration with VRRP from the old to the new version, VRRP must be stopped on the old FW and VRRP settings must be added on the new FW, because VRRP operation differs between the versions.

  • The customer is expected to check the functions with the new version beforehand.

  • The customer is expected to perform firewall operation checks, including whether communications of the customer's system are affected by migration from the old to the new version. In particular, when 5.2R4 is chosen as the new version and the global-state-policy option (which enables stateful packet filtering for the entire firewall) has been used, be sure to check its operation beforehand, because its operational specifications have changed. For the changes, see ‘Brocade Technical Bulletin(Version5.2R4) <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/guide.html>’_ or ‘Operation-confirmed setting examples (Setting for making the packet filtering function in stateful manner) <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/fwfunction/packetfiltering/statefulfw.html>’_.

  • Operations for this procedure have been checked with the following settings in place.


Settings of old FW1
#if_firewall settings
set interfaces dataplane dp0s4 firewall in 'IN_Internet'
set interfaces dataplane dp0s4 firewall out 'ACCEPT'
set interfaces dataplane dp0s5 firewall in 'IN_LAN'
set interfaces dataplane dp0s5 firewall out 'ACCEPT'

#VRRP settings
set interfaces dataplane dp0s4 vrrp vrrp-group 11 advertise-interval '20'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 priority '200'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 'rfc-compatibility'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 sync-group 'SG1'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 virtual-address '192.168.1.10'

set interfaces dataplane dp0s5 vrrp vrrp-group 12 advertise-interval '20'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 priority '200'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 'rfc-compatibility'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 sync-group 'SG1'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 virtual-address '192.168.2.10'

#nat settings
set service nat destination rule 10 destination address '1.X.X.1'
set service nat destination rule 10 inbound-interface 'dp0s4'
set service nat destination rule 10 translation address '192.168.2.100'
set service nat source rule 10 outbound-interface 'dp0s4'
set service nat source rule 10 source address '192.168.0.0/16'
set service nat source rule 10 translation address 'masquerade'

#firewall settings
set security firewall global-state-policy 'icmp'
set security firewall global-state-policy 'tcp'
set security firewall global-state-policy 'udp'
set security firewall name IN_Internet default-action 'drop'
set security firewall name IN_Internet 'default-log'
set security firewall name IN_Internet rule 10 action 'accept'
set security firewall name IN_Internet rule 10 source address 192.168.1.12
set security firewall name IN_Internet rule 11 action 'accept'
set security firewall name IN_Internet rule 11 destination address '1.X.X.1'
set security firewall name IN_Internet rule 11 destination port '80'
set security firewall name IN_Internet rule 11 protocol 'tcp'
set security firewall name IN_LAN default-action 'drop'
set security firewall name IN_LAN 'default-log'
set security firewall name IN_LAN rule 10 action 'accept'
set security firewall name IN_LAN rule 10 source address 192.168.2.12
set security firewall name IN_LAN rule 11 action 'accept'
set security firewall name IN_LAN rule 11 source port '80'
set security firewall name IN_LAN rule 11 protocol 'tcp'
set security firewall name ACCEPT default-action 'accept'
set security firewall name ACCEPT rule 10 action 'accept'
set security firewall name ACCEPT rule 10 state 'enable'
set security firewall session-log icmp new    #Revision required: from ver4.2 onward, an option name is mandatory after the protocol name
set security firewall session-log tcp syn-sent    #Revision required: from ver4.2 onward, an option name is mandatory after the protocol name
set security firewall session-log udp new    #Revision required: from ver4.2 onward, an option name is mandatory after the protocol name

#system settings
set system host-name 'FW1'
set system time-zone 'Asia/Tokyo'
set system login user user-admin authentication plaintext-password xxx
set system login user user-read authentication plaintext-password xxx

Note

If you use a firewall of version 4.2R1S1 or later, an option name (new, syn-sent, etc.) must additionally be set after the protocol name (icmp, tcp, udp, etc.) when configuring session-log.

Settings of old FW2
#if_firewall settings
set interfaces dataplane dp0s4 firewall in 'IN_Internet'
set interfaces dataplane dp0s4 firewall out 'ACCEPT'
set interfaces dataplane dp0s5 firewall in 'IN_LAN'
set interfaces dataplane dp0s5 firewall out 'ACCEPT'

#VRRP settings
set interfaces dataplane dp0s4 vrrp vrrp-group 11 advertise-interval '20'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 priority '100'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 'rfc-compatibility'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 sync-group 'SG1'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 virtual-address '192.168.1.10'

set interfaces dataplane dp0s5 vrrp vrrp-group 12 advertise-interval '20'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 priority '100'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 'rfc-compatibility'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 sync-group 'SG1'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 virtual-address '192.168.2.10'

#nat settings
set service nat destination rule 10 destination address '1.X.X.1'
set service nat destination rule 10 inbound-interface 'dp0s4'
set service nat destination rule 10 translation address '192.168.2.100'
set service nat source rule 10 outbound-interface 'dp0s4'
set service nat source rule 10 source address '192.168.0.0/16'
set service nat source rule 10 translation address 'masquerade'

#firewall settings
set security firewall global-state-policy 'icmp'
set security firewall global-state-policy 'tcp'
set security firewall global-state-policy 'udp'
set security firewall name IN_Internet default-action 'drop'
set security firewall name IN_Internet 'default-log'
set security firewall name IN_Internet rule 10 action 'accept'
set security firewall name IN_Internet rule 10 source address 192.168.1.11
set security firewall name IN_Internet rule 11 action 'accept'
set security firewall name IN_Internet rule 11 destination address '1.X.X.1'
set security firewall name IN_Internet rule 11 destination port '80'
set security firewall name IN_Internet rule 11 protocol 'tcp'
set security firewall name IN_LAN default-action 'drop'
set security firewall name IN_LAN 'default-log'
set security firewall name IN_LAN rule 10 action 'accept'
set security firewall name IN_LAN rule 10 source address 192.168.2.11
set security firewall name IN_LAN rule 11 action 'accept'
set security firewall name IN_LAN rule 11 source port '80'
set security firewall name IN_LAN rule 11 protocol 'tcp'
set security firewall name ACCEPT default-action 'accept'
set security firewall name ACCEPT rule 10 action 'accept'
set security firewall name ACCEPT rule 10 state 'enable'
set security firewall session-log icmp new    #Revision required: from ver4.2 onward, an option name is mandatory after the protocol name
set security firewall session-log tcp syn-sent    #Revision required: from ver4.2 onward, an option name is mandatory after the protocol name
set security firewall session-log udp new    #Revision required: from ver4.2 onward, an option name is mandatory after the protocol name

#system settings
set system host-name 'FW2'
set system time-zone 'Asia/Tokyo'
set system login user user-admin authentication plaintext-password xxx
set system login user user-read authentication plaintext-password xxx

Note

If you use a firewall of version 4.2R1S1 or later, an option name (new, syn-sent, etc.) must additionally be set after the protocol name (icmp, tcp, udp, etc.) when configuring session-log.


Conceptual outline of migration work

The conceptual outline of firewall (Brocade 5600 vRouter) migration work is presented below.

1. Running VRRP on logical networks 1 and 2 is a prerequisite.

2. Create a firewall instance of the new version and connect it to the logical network in the same way as the old firewall. At the same time, register the VRRP communication settings for the corresponding interface through the ECL2.0 Customer Portal.

3. Apply the same settings to the new firewall version as on the old firewall version. (This does not apply to the VRRP settings.)

4. Disable and stop VRRP on the old firewall.
*VRRP needs to be disabled (not deleted), to ease switchback.

5. Apply the prepared configuration for switching to the new firewall, and start VRRP. Check that switching completes properly.

Note

Communication is interrupted from work step 5-1-4. Then, 60 seconds (advertise-interval × 3) after the VRRP settings are applied on new FW1 in work step 5-1-5, new FW1 becomes the master and communication recovers.

For Brocade 5600 vRouter, sessions are not retained during migration. Therefore, depending on the application, reconnection is required.



6-1 After checking that communications through the new firewall have been stabilized, delete the old firewall.

6-2 If communications through the new firewall fail and cannot be recovered from failure, perform switching back.


Work procedure

1 Pre-check

  • 1-1.Saving the configuration of old FW1

1-1-1.Log into the firewall (old FW1) by executing the command below.
$ ssh user-admin@192.168.1.11
Welcome to Brocade vRouter
user-admin@192.168.1.11's password:

1-1-2.Check the VRRP status of the firewall (old FW1) by executing the command below.
Check that each configured VRRP group shows the intended state (MASTER/BACKUP).
user-admin@vyatta:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             11     MASTER  yes        no     1d6h2m50s   sg1
dp0s5             12     MASTER  yes        no     1d6h1m50s   sg1

1-1-3. Save the command output to a text file on the work terminal by executing the command below.
(See ‘Configuration management <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/backup.html#id3>’_, and delete unneeded settings beforehand.)
user-admin@vyatta:~$ show configuration commands


  • 1-2. Saving the configuration of old FW2

1-2-1. Log into the firewall (old FW2) by executing the command below.
$ ssh user-admin@192.168.1.12
Welcome to Brocade vRouter
user-admin@192.168.1.12's password:

1-2-2. Check the VRRP status of the firewall (old FW2) by executing the command below.
Check that each configured VRRP group shows the intended state (MASTER/BACKUP).
user-admin@vyatta:~$ show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             11     BACKUP  yes        no     1d6h1m2s   sg1
dp0s5             12     BACKUP  yes        no     1d6h1m3s   sg1

1-2-3. Save the command output to a text file on the work terminal by executing the command below.
(See ‘Configuration management <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/backup.html#id3>’_, and delete unneeded settings beforehand.)
user-admin@vyatta:~$ show configuration commands


2.Creating a New FW

  • 2-1.Creating new FW1

2-1-1.Create firewall (new FW1) through ECL2.0 Customer Portal.
(See ‘Firewall instance application method <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/instance/create.html>’_, and create firewall.)

Note

For creation of the firewall (new FW1), select “zone1-groupa” for “Zone/group”.

2-1-2. Connect the logical network to the created firewall (new FW1) through ECL2.0 Customer Portal.
(See ‘Connecting the logical network <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/instance/setting.html>’_, and connect the interface.)

Note

Repeat this procedure for every interface to be connected to the logical network. Set an interface IP address different from that of the old FW. For the VRRP virtual IP address, set the same address as on the old FW.

2-1-3. Register the VRRP communication settings onto the interface of the firewall (new FW1) through ECL2.0 Customer Portal.
(See ‘VRRP communication setting registration <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/instance/vrrp.html>’_, and register the VRRP communication settings.)

2-1-4. Register the default gateway of the firewall (new FW1) through ECL2.0 Customer Portal.
(See ‘Firewall instance operation method <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/instance/operations.html>’_, and set the default gateway.)

Note

If no default gateway needs to be set, skip this step.

  • 2-2. Creating new FW2

2-2-1. Create firewall (new FW2) through ECL2.0 Customer Portal.
(See ‘Firewall instance application method <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/instance/create.html>’_, and create firewall.)

Note

For creation of the firewall (new FW2), select “zone1-groupb” for “Zone/group”.

2-2-2. Connect the logical network to the created firewall (new FW2) through ECL2.0 Customer Portal.
(See ‘Connecting the logical network <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/instance/setting.html>’_, and connect the interface.)

Note

Repeat this procedure for every interface to be connected to the logical network. Set an interface IP address different from that of the old FW. For the VRRP virtual IP address, set the same address as on the old FW.

2-2-3. Register the VRRP communication settings onto the interface of the firewall (new FW2) through ECL2.0 Customer Portal.
(See ‘VRRP communication setting registration <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/instance/vrrp.html>’_, and register the VRRP communication settings.)

2-2-4. Register the default gateway of the firewall (new FW2) through ECL2.0 Customer Portal.
(See ‘Firewall instance operation method <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/instance/operations.html>’_, and set the default gateway.)

Note

If no default gateway needs to be set, skip this step.

3.Setting onto the New FW

  • 3-1.Restoring the configuration onto new FW1 beforehand

3-1-1.Log into the firewall (new FW1) by executing the command below.
$ ssh user-admin@192.168.1.13
Welcome to Brocade vRouter
user-admin@192.168.1.13's password:

3-1-2. Execute the command below to enter configuration mode. After the prompt changes to #, paste the to-be-set configuration created from the old FW1 backup into the console.
(Check that the configuration file to be pasted does not include settings for VRRP.)
user-admin@vyatta:~$ configure
[edit]
user-admin@vyatta#

Note

When 5.2R4 is used as the new FW version and the global-state-policy option (which enables stateful packet filtering for the entire firewall) has been used on old FW1, paste the properly revised configuration into the console as the to-be-set configuration, because its operational specifications have changed.
For the changes, see ‘Brocade Technical Bulletin(Version5.2R4) <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/guide.html>’_ or ‘Operation-confirmed setting examples (Setting for making the packet filtering function in stateful manner) <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/fwfunction/packetfiltering/statefulfw.html>’_.

3-1-3. Check the differences from the set configuration by executing the command below.
user-admin@vyatta# compare

Note

If many settings are involved, compare the output of show configuration commands with the configuration to be set, using a tool such as diff.

3-1-4. Execute the command below to apply the settings and save the configuration of the firewall.
user-admin@vyatta# commit;save
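As an added example (not part of this guide or of Brocade's tooling), the following Python helper prepares the old FW's show configuration commands output for the paste in step 3-1-2 and performs the diff check of step 3-1-3: it drops the VRRP lines, flags session-log lines that lack the option name required from 4.2R1S1 onward, flags global-state-policy lines for revision when the new version is 5.2R4, and reports which intended lines are absent from the running configuration. The sample dump and the function names are constructed for this example; the global-state-policy rewrite itself is left to the bulletin linked above.

```python
"""Prepare an old-FW 'show configuration commands' dump for restoration onto a
new firewall (step 3-1-2) and diff it against the running configuration
(step 3-1-3).

Added example; not part of this guide or of the vendor's tooling. Rules applied:
  * VRRP lines are never restored in step 3 (they are added in step 5).
  * From 4.2R1S1 onward a session-log line needs an option name after the
    protocol name, so bare lines are flagged for manual revision.
  * When the new version is 5.2R4, global-state-policy lines are flagged for
    revision per the linked bulletin (the rewrite itself is not automated here).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample dump (values taken from the settings shown in this guide).
# The session-log tcp line is written without an option name, as an older dump
# would show it.
OLD_FW1_DUMP = """\
set interfaces dataplane dp0s4 firewall in 'IN_Internet'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 priority '200'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 virtual-address '192.168.1.10'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 sync-group 'SG1'
set security firewall global-state-policy 'tcp'
set security firewall name IN_Internet default-action 'drop'
set security firewall session-log tcp
set security firewall session-log udp new    #inline annotation, as in the guide
set system host-name 'FW1'
"""

VRRP_RE = re.compile(r"^set interfaces \S+ \S+ vrrp\b")
SESSION_LOG_RE = re.compile(r"^set security firewall session-log (\S+)(?:\s+(\S+))?$")
GLOBAL_STATE_RE = re.compile(r"^set security firewall global-state-policy\b")


def _clean(raw: str) -> str:
    """Strip surrounding whitespace and a trailing '  # ...' annotation."""
    return re.sub(r"\s+#.*$", "", raw).strip()


def prepare_restore_config(dump: str, new_version: str) -> Tuple[List[str], List[str]]:
    """Return (lines safe to paste in step 3-1-2, findings needing manual action)."""
    keep: List[str] = []
    findings: List[str] = []
    for raw in dump.splitlines():
        line = _clean(raw)
        if not line or line.startswith("#"):
            continue
        if VRRP_RE.match(line):
            continue  # VRRP is added in step 5 from the switching configuration
        m = SESSION_LOG_RE.match(line)
        if m and m.group(2) is None:
            # Not pasted: the operator must add the option name (e.g. new, syn-sent).
            findings.append(f"session-log '{m.group(1)}' lacks the option name "
                            f"required on 4.2R1S1 and later: {line}")
            continue
        if new_version == "5.2R4" and GLOBAL_STATE_RE.match(line):
            # Kept, but the stateful behaviour changed in 5.2R4; revise per the bulletin.
            findings.append(f"global-state-policy behaviour changed in 5.2R4; "
                            f"revise per the bulletin: {line}")
        keep.append(line)
    return keep, findings


def _norm(line: str) -> str:
    """'show configuration commands' may quote values differently; compare unquoted."""
    return _clean(line).replace("'", "")


def diff_against_running(intended: List[str], running_dump: str) -> Dict[str, List[str]]:
    """Step 3-1-3 check: intended lines absent from the running configuration
    ('missing') and running lines not in the intended set ('unexpected').
    On a freshly created FW, 'unexpected' normally lists the interface
    addresses, default gateway and other settings the portal configured."""
    want = {_norm(l) for l in intended if _norm(l)}
    have = {_norm(l) for l in running_dump.splitlines()
            if _norm(l) and not _norm(l).startswith("#")}
    return {"missing": sorted(want - have), "unexpected": sorted(have - want)}


if __name__ == "__main__":
    lines, issues = prepare_restore_config(OLD_FW1_DUMP, "5.2R4")
    print("--- paste into the configure session ---")
    print("\n".join(lines))
    print("--- revise by hand before pasting ---")
    print("\n".join(issues))
    # Constructed running config of a new FW after portal setup (step 2-1).
    running = "set system host-name 'FW1'\nset interfaces dataplane dp0s4 address '192.168.1.13/24'\n"
    print(diff_against_running(lines, running))
```

Replace OLD_FW1_DUMP with the contents of the text file saved in step 1-1-3; lines reported as findings must be corrected by hand before pasting.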


  • 3-2. Restoring the configuration onto new FW2 beforehand

3-2-1. Log into the firewall (new FW2) by executing the command below.
$ ssh user-admin@192.168.1.14
Welcome to Brocade vRouter
user-admin@192.168.1.14's password:

3-2-2. Execute the command below to enter configuration mode. After the prompt changes to #, paste the to-be-set configuration created from the old FW2 backup into the console.
(Check that the configuration file to be pasted does not include settings for VRRP.)
user-admin@vyatta:~$ configure
[edit]
user-admin@vyatta#

Note

When 5.2R4 is used as the new FW version and the global-state-policy option (which enables stateful packet filtering for the entire firewall) has been used on old FW2, paste the properly revised configuration into the console as the to-be-set configuration, because its operational specifications have changed.
For the changes, see ‘Brocade Technical Bulletin(Version5.2R4) <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/vyatta/guide.html>’_ or ‘Operation-confirmed setting examples (Setting for making the packet filtering function in stateful manner) <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/fwfunction/packetfiltering/statefulfw.html>’_.

3-2-3. Check the differences from the set configuration by executing the command below.
user-admin@vyatta# compare

Note

If many settings are involved, compare the output of show configuration commands with the configuration to be set, using a tool such as diff.

3-2-4. Execute the command below to apply the settings and save the configuration of the firewall (new FW2).
user-admin@vyatta# commit;save


4.Communication Halt of the Old FW

  • 4-1. Disabling the virtual IP of old FW2 (for backup)

4-1-1. Log into the firewall (old FW2) by executing the command below.
$ ssh user-admin@192.168.1.12
Welcome to Brocade vRouter
user-admin@192.168.1.12's password:

4-1-2. Execute the command below to enter configuration mode. After the prompt changes to #, paste the to-be-set configuration VRRP_disable.
(See “To-be-set configuration for old FW2 VRRP_disable”, in “8. To-be-set Configuration Examples” in this guide.)
user-admin@vyatta:~$ configure
[edit]
user-admin@vyatta#

4-1-3. Execute the command below to apply the settings and save the configuration of the firewall (old FW2).
user-admin@vyatta# commit;save


  • 4-2. Disabling the virtual IP of old FW1 (for master)

4-2-1. Log into the firewall (old FW1) by executing the command below.
$ ssh user-admin@192.168.1.11
Welcome to Brocade vRouter
user-admin@192.168.1.11's password:

4-2-2. Execute the command below to enter configuration mode. After the prompt changes to #, paste the to-be-set configuration VRRP_disable.
(See “To-be-set configuration for old FW1 VRRP_disable”, in “8. To-be-set Configuration Examples” in this guide.)
user-admin@vyatta:~$ configure
[edit]
user-admin@vyatta#

Note

To minimize communication interruption, do not commit here. (The commit is executed in step 5-1-4.)

4-2-3. Execute the command below and check that the pasted configuration is shown as the difference.
user-admin@vyatta# compare


5.Communication Start of the New FW

  • 5-1. Setting VRRP of new FW1 (for master)

5-1-1. Log into the firewall (new FW1) by executing the command below.
$ ssh user-admin@192.168.1.13
Welcome to Brocade vRouter
user-admin@192.168.1.13's password:

5-1-2. Execute the command below to enter configuration mode. After the prompt changes to #, paste the to-be-set configuration for VRRP switching.
(See “To-be-set configuration for new FW1 VRRP switching”, in “8. To-be-set Configuration Examples” in this guide.)
user-admin@vyatta:~$ configure
[edit]
user-admin@vyatta#

5-1-3. Execute the command below and check that the pasted configuration is shown as the difference.
user-admin@vyatta# compare

5-1-4. In the configuration session of old FW1 left open in step 4-2-2, execute the command below to apply the settings and save the configuration of the firewall (old FW1).
user-admin@vyatta# commit;save

Note

Communication is interrupted from work step 5-1-4. Then, 60 seconds (advertise-interval × 3) after the VRRP settings are applied on new FW1 in work step 5-1-5, new FW1 becomes the master and communication recovers.

For Brocade 5600 vRouter, sessions are not retained during migration. Therefore, depending on the application, reconnection is required.


5-1-5. Apply the settings of the firewall (new FW1) by executing the command below.
user-admin@vyatta# commit


5-1-6. Check the VRRP status of the firewall (new FW1) by executing the command below.
Check that MASTER is shown for the state.
user-admin@vyatta# run show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             11     MASTER  dp0vrrp1   no     1m23s       sg1
dp0s5             12     MASTER  dp0vrrp2   no     1m23s       sg1


  • 5-2.Check communications.

5-2-1. Check communications which pass through the firewall (Ping, etc.).

Note

If recovery of communications is not made, switching back is to be performed. (For the concrete procedure for switching back, see “7. Switchback Procedure” in this guide.)

  • 5-3. Setting VRRP of new FW2 (for backup)

5-3-1. Log into the firewall (new FW2) by executing the command below.
$ ssh user-admin@192.168.1.14
Welcome to Brocade vRouter
user-admin@192.168.1.14's password:

5-3-2. Execute the command below to enter configuration mode. After the prompt changes to #, paste the to-be-set configuration for VRRP switching.
(See “To-be-set configuration for new FW2 VRRP switching”, in “8. To-be-set Configuration Examples” in this guide.)
user-admin@vyatta:~$ configure
[edit]
user-admin@vyatta#

5-3-3. Apply the settings of the firewall (new FW2) by executing the command below.
user-admin@vyatta# commit

5-3-4. Check the VRRP status of the firewall (new FW2) by executing the command below.
Check that BACKUP is shown for the state.
user-admin@vyatta# run show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             11     BACKUP  dp0vrrp1   no     1m33s       sg1
dp0s5             12     BACKUP  dp0vrrp2   no     1m33s       sg1

  • 5-4. Saving the configuration file of the new FW

5-4-1. Save the configuration of the firewall (new FW1) by executing the command below. (No error should be shown.)
user-admin@vyatta# save

5-4-2. Save the configuration of the firewall (new FW2) by executing the command below. (No error should be shown.)
user-admin@vyatta# save


6.Deletion of the Old FW

*Execute this procedure only after confirming that post-migration communications are stable.

6-1. Select “Network” and then “Firewall” on the ECL2.0 Control Panel to display the firewall list.

6-2. Delete the firewall (old FW1) through ECL2.0 Customer Portal.
(See ‘Firewall instance deletion method <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/instance/delete.html>’_, and delete the firewall.)

Note

Check again that the firewall (old FW1) to be deleted has been properly selected.

6-3. Delete the firewall (old FW2) through ECL2.0 Customer Portal.
(See ‘Firewall instance deletion method <https://ecl.ntt.com/en/documents/tutorials/rsts/Firewall/instance/delete.html>’_, and delete the firewall.)

Note

Perform this work after checking that the old FW1 has been deleted.
Check again that the firewall (old FW2) to be deleted has been properly selected.


7.Switchback Procedure

  • 7-1. Disabling the virtual IP of new FW1 (for master)

7-1-1. Log into the firewall (new FW1) by executing the command below.
$ ssh user-admin@192.168.1.13
Welcome to Brocade vRouter
user-admin@192.168.1.13's password:

7-1-2. Execute the command below to enter configuration mode. After the prompt changes to #, paste the to-be-set configuration for switchback of new FW1.
(See “To-be-set configuration for new FW1 VRRP switchback”, in “8. To-be-set Configuration Examples” in this guide.)
user-admin@vyatta:~$ configure
[edit]
user-admin@vyatta#

7-1-3. Apply the settings of the firewall (new FW1) by executing the command below.
user-admin@vyatta# commit

7-1-4. Check the VRRP status of the firewall (new FW1) by executing the command below.
Check that no VRRP state is shown (the groups are disabled).
user-admin@vyatta# run show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----


  • 7-2. Enabling the virtual IP of old FW1 (for master)

7-2-1. Log into the firewall (old FW1) by executing the command below.
$ ssh user-admin@192.168.1.11
Welcome to Brocade vRouter
user-admin@192.168.1.11's password:

7-2-2. Execute the command below to enter configuration mode. After the prompt changes to #, paste the to-be-set configuration for switchback of old FW1.
(See “Configuration for old FW1 switchback”, in “8. To-be-set Configuration Examples” in this guide.)
user-admin@vyatta:~$ configure
[edit]
user-admin@vyatta#

7-2-3. Apply the settings of the firewall (old FW1) by executing the command below.
user-admin@vyatta# commit

Note

Communications via the virtual IP are recovered.

7-2-4. Check the VRRP status of the firewall (old FW1) by executing the command below.
Check that MASTER is shown for the state.
user-admin@vyatta# run show vrrp
                                 RFC        Addr   Last        Sync
Interface         Group  State   Compliant  Owner  Transition  Group
---------         -----  -----   ---------  -----  ----------  -----
dp0s4             11     MASTER  dp0vrrp1   no     1m10s       sg1
dp0s5             12     MASTER  dp0vrrp2   no     1m10s       sg1

7-2-5. Apply the settings of the firewall (old FW1) by executing the command below.
user-admin@vyatta# commit

7-2-6. Check communications which pass through the firewall. (With ping, no error should be shown and communication should succeed.)


  • 7-3. Saving the configuration file of the firewall

7-3-1. Save the configuration of the firewall (old FW1) by executing the command below. (No error should be shown.)
user-admin@vyatta# save

7-3-2. Save the configuration of the firewall (new FW1) by executing the command below. (No error should be shown.)
user-admin@vyatta# save



8. To-be-set Configuration Examples

Examples of the configurations used in the work above are presented below. Note that the values set here are merely examples used for explanation in this manual. When actually switching, revise them as needed.


1.New FW1 Prior-restoration configuration (Example)
#if_firewall settings
set interfaces dataplane dp0s4 firewall in 'IN_Internet'
set interfaces dataplane dp0s4 firewall out 'ACCEPT'
set interfaces dataplane dp0s5 firewall in 'IN_LAN'
set interfaces dataplane dp0s5 firewall out 'ACCEPT'

#nat settings
set service nat destination rule 10 destination address '1.X.X.1'
set service nat destination rule 10 inbound-interface 'dp0s4'
set service nat destination rule 10 translation address '192.168.2.100'
set service nat source rule 10 outbound-interface 'dp0s4'
set service nat source rule 10 source address '192.168.0.0/16'
set service nat source rule 10 translation address 'masquerade'

#firewall settings
set security firewall global-state-policy 'icmp'
set security firewall global-state-policy 'tcp'
set security firewall global-state-policy 'udp'
set security firewall name IN_Internet default-action 'drop'
set security firewall name IN_Internet 'default-log'
set security firewall name IN_Internet rule 10 action 'accept'
set security firewall name IN_Internet rule 10 source address 192.168.1.12
set security firewall name IN_Internet rule 11 action 'accept'
set security firewall name IN_Internet rule 11 destination address '1.X.X.1'
set security firewall name IN_Internet rule 11 destination port '80'
set security firewall name IN_Internet rule 11 protocol 'tcp'
set security firewall name IN_LAN default-action 'drop'
set security firewall name IN_LAN 'default-log'
set security firewall name IN_LAN rule 10 action 'accept'
set security firewall name IN_LAN rule 10 source address 192.168.2.12
set security firewall name IN_LAN rule 11 action 'accept'
set security firewall name IN_LAN rule 11 source port '80'
set security firewall name IN_LAN rule 11 protocol 'tcp'
set security firewall name ACCEPT default-action 'accept'
set security firewall name ACCEPT rule 10 action 'accept'
set security firewall name ACCEPT rule 10 state 'enable'
set security firewall session-log icmp new    #Revision required: from ver4.2 onward, an option name is mandatory after the protocol name
set security firewall session-log tcp syn-sent    #Revision required: from ver4.2 onward, an option name is mandatory after the protocol name
set security firewall session-log udp new    #Revision required: from ver4.2 onward, an option name is mandatory after the protocol name

#system settings
set system host-name 'FW1'
set system time-zone 'Asia/Tokyo'
set system login user user-admin authentication plaintext-password xxx
set system login user user-read authentication plaintext-password xxx

Note

If you use a firewall of version 4.2R1S1 or later, an option name (new, syn-sent, etc.) must additionally be set after the protocol name (icmp, tcp, udp, etc.) when configuring session-log.


2. Old FW1 To-be-set configuration for VRRP_disable (Example)
set interfaces dataplane dp0s4 vrrp vrrp-group 11 disable
set interfaces dataplane dp0s5 vrrp vrrp-group 12 disable


3. New FW1 To-be-set configuration for VRRP switching (Example)
#VRRP settings
set interfaces dataplane dp0s4 vrrp vrrp-group 11 priority '200'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 'rfc-compatibility'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 sync-group 'sg1'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 virtual-address '192.168.1.10'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 advertise-interval '20'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 preempt 'true'

set interfaces dataplane dp0s5 vrrp vrrp-group 12 priority '200'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 'rfc-compatibility'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 sync-group 'sg1'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 virtual-address '192.168.2.10'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 advertise-interval '20'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 preempt 'true'


4.New FW2 Prior-restoration to-be-set configuration (Example)
#if_firewall settings
set interfaces dataplane dp0s4 firewall in 'IN_Internet'
set interfaces dataplane dp0s4 firewall out 'ACCEPT'
set interfaces dataplane dp0s5 firewall in 'IN_LAN'
set interfaces dataplane dp0s5 firewall out 'ACCEPT'

#nat settings
set service nat destination rule 10 destination address '1.X.X.1'
set service nat destination rule 10 inbound-interface 'dp0s4'
set service nat destination rule 10 translation address '192.168.2.100'
set service nat source rule 10 outbound-interface 'dp0s4'
set service nat source rule 10 source address '192.168.0.0/16'
set service nat source rule 10 translation address 'masquerade'

#firewall settings
set security firewall global-state-policy 'icmp'
set security firewall global-state-policy 'tcp'
set security firewall global-state-policy 'udp'
set security firewall name IN_Internet default-action 'drop'
set security firewall name IN_Internet 'default-log'
set security firewall name IN_Internet rule 10 action 'accept'
set security firewall name IN_Internet rule 10 source address 192.168.1.11
set security firewall name IN_Internet rule 11 action 'accept'
set security firewall name IN_Internet rule 11 destination address '1.X.X.1'
set security firewall name IN_Internet rule 11 destination port '80'
set security firewall name IN_Internet rule 11 protocol 'tcp'
set security firewall name IN_LAN default-action 'drop'
set security firewall name IN_LAN 'default-log'
set security firewall name IN_LAN rule 10 action 'accept'
set security firewall name IN_LAN rule 10 source address 192.168.2.11
set security firewall name IN_LAN rule 11 action 'accept'
set security firewall name IN_LAN rule 11 source port '80'
set security firewall name IN_LAN rule 11 protocol 'tcp'
set security firewall name ACCEPT default-action 'accept'
set security firewall name ACCEPT rule 10 action 'accept'
set security firewall name ACCEPT rule 10 state 'enable'
set security firewall session-log icmp new    #Revision required: from ver4.2 onward, an option name is mandatory after the protocol name
set security firewall session-log tcp syn-sent    #Revision required: from ver4.2 onward, an option name is mandatory after the protocol name
set security firewall session-log udp new    #Revision required: from ver4.2 onward, an option name is mandatory after the protocol name

#system settings
set system host-name 'FW2'
set system time-zone 'Asia/Tokyo'
set system login user user-admin authentication plaintext-password xxx
set system login user user-read authentication plaintext-password xxx

Note

If you use a firewall of version 4.2R1S1 or later, an option name (new, syn-sent, etc.) must additionally be set after the protocol name (icmp, tcp, udp, etc.) when configuring session-log.


5.Old FW2 To-be-set configuration for VRRP_disable (Example)
set interfaces dataplane dp0s4 vrrp vrrp-group 11 disable
set interfaces dataplane dp0s5 vrrp vrrp-group 12 disable


6. New FW2 To-be-set configuration for VRRP switching (Example)
set interfaces dataplane dp0s4 vrrp vrrp-group 11 priority '100'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 'rfc-compatibility'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 sync-group 'sg1'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 virtual-address '192.168.1.10'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 advertise-interval '20'
set interfaces dataplane dp0s4 vrrp vrrp-group 11 preempt 'true'

set interfaces dataplane dp0s5 vrrp vrrp-group 12 priority '100'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 'rfc-compatibility'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 sync-group 'sg1'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 virtual-address '192.168.2.10'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 advertise-interval '20'
set interfaces dataplane dp0s5 vrrp vrrp-group 12 preempt 'true'


7. New FW1 To-be-set configuration for VRRP switchback (Example)
set interfaces dataplane dp0s4 vrrp vrrp-group 11 disable
set interfaces dataplane dp0s5 vrrp vrrp-group 12 disable


8. Old FW1 To-be-set configuration for VRRP switchback (Example)
delete interfaces dataplane dp0s4 vrrp vrrp-group 11 disable
delete interfaces dataplane dp0s5 vrrp vrrp-group 12 disable