Switching between different versions (Pattern 1)

This section describes the procedure for switching an existing firewall (redundant configuration) to a new version of the firewall (redundant configuration). The new version firewalls do not inherit the interface IP addresses used by the old version; different interface IP addresses are assigned, and only the VRRP virtual IP addresses are carried over.
NTT Communications has verified this procedure for the following combinations of versions.

Old version       New version
15.1X49-D105.1    19.2R1.8
19.2R1.8          20.4R2

System configuration to replace in this guide

This section describes how to replace the firewall (vSRX) based on the following system configuration.

image1_1.png

Prerequisites

  • An in-place version upgrade of a firewall instance is not possible, as described in the Service Descriptions; the switch is done by building new instances.

  • The procedure switches from the old FW to the new FW by running VRRP across the old and new versions.

  • The customer is expected to verify the functions of the new version beforehand.

  • Compared with Pattern 2, this procedure shortens the time needed to switch back to the old firewall if a switchback becomes necessary.

  • Before and after switching from the old version to the new version, check the operation of the firewall, including whether the switch affects communication of the customer system.

  • In this document, the Public IP is written as "203.0.113.1".

  • This procedure was verified with the following settings in place.

Settings of old FW1

#vrrp setting
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 virtual-address 10.0.10.100
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 priority 200
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 preempt
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 accept-data
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 virtual-address 192.168.1.100
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 priority 200
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 preempt
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 accept-data

#address-group setting
set security address-book global address SV01 192.168.1.11/32

#nat setting
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1

#firewall setting
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close

#zone setting
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp

#application-set setting
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING

#system setting
set system host-name FW1
set system time-zone Asia/Tokyo

Settings of old FW2

#vrrp setting
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 virtual-address 10.0.10.100
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 priority 100
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 preempt
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 accept-data
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 virtual-address 192.168.1.100
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 priority 100
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 preempt
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 accept-data

#address-group setting
set security address-book global address SV01 192.168.1.11/32

#nat setting
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1

#firewall setting
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close

#zone setting
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp

#application-set setting
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING

#system setting
set system host-name FW2
set system time-zone Asia/Tokyo

Switching image

The overall flow of switching the firewall (vSRX) is illustrated below.

1. It is a prerequisite that VRRP is already running on Logical Network 1 and Logical Network 2, respectively.
image1_1.png
2. Create the new version firewall instances and connect them to the logical networks in the same way as the old version firewall instances.
At the same time, register the VRRP communication settings on the relevant interfaces from the ECL2.0 Customer Portal.
image1_2_3.png
3. Set the management interface on the new version firewall and transfer the configuration file prepared in advance.
image1_2_3.png
4. Apply the same settings to the new version firewall as on the old version.
*Except the VRRP settings
image1_2_3.png
5. Configure VRRP on the new version firewall so that it joins the VRRP groups running on the old version. The new firewalls are given a lower VRRP priority than the old ones, so they join as BACKUP and no switchover happens at this point.
image1_4.png
6. Apply the prepared switching config to the new version of Firewall No.1 (new FW1) and switch the VRRP Master to the new FW1. Confirm that the switchover succeeded.
image1_5.png

Note

As a vSRX specification, a VRRP switchover takes about 4 seconds in addition to 3 × the Advertise Interval (1 second by default), so about 7 seconds (measured with ICMP) is required before traffic switching is complete.

Note

After confirming that communication via the new FW1 is stable, change the VRRP Priority value of the new version of Firewall No.2 (new FW2), and confirm again that communication through the new version firewalls is stable. If communication via the new FW1 stays NG and does not recover, see "9. Failback Procedure" in this guide for the failback procedure.

image1_5_2.png
7. After confirming that communication through the new version firewalls is stable, delete the old version firewalls.
image1_6.png
8. Set the VRRP Priority values of the new version firewalls to the same values as those of the old version firewalls.
9. If communication via the new version firewall stays NG and does not recover, perform failback.
image1_4.png

Work procedure

1. Prior confirmation

1-1. Saving the configuration of the old FW

1-1-1. Execute the following command to log in to the old version firewall (old FW1).

ubuntu@ubuntu:~$ ssh user@10.0.0.101
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

1-1-2. Execute the following command to check the VRRP status of the old FW1. Confirm that the VR state of each group is displayed as master or backup as configured, and that it matches the expected state (old FW1 is master of both groups).

user@FW1> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  15.236 lcl    10.0.10.101
                                                                 vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  1.739  lcl    192.168.1.101
                                                                 vip    192.168.1.100

1-1-3. Save the settings.

(Save the configuration by referring to Saving and restoring the configuration.)

Also, execute the following command and save the output settings in a file.

user@FW1> show configuration | display set | no-more

Note

Edit the saved configuration file to change the host name, interface IP addresses, VRRP settings and so on for your environment. In this procedure, the file was changed as follows (VRRP lines are removed here because VRRP is added separately in step 5).

Also, since the configuration set by the service provider contains values unique to each instance, delete it when saving the file (see `Description of the configuration set by the service provider <https://ecl.ntt.com/documents/tutorials/rsts/vSRX/providerconfiguration/providerconfiguration.html>`_).

set system host-name FW3
set system time-zone Asia/Tokyo
set security address-book global address SV01 192.168.1.11/32
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.111/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.111/24
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING

1-1-4. Execute the following command to log in to the old version firewall (old FW2).

ubuntu@ubuntu:~$ ssh user@10.0.0.102
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

1-1-5. Execute the following command to check the VRRP status of the old FW2. Confirm that the VR state of each group is displayed as master or backup as configured, and that it matches the expected state (old FW2 is backup of both groups, with old FW1 as master).

user@FW2> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  55.187 lcl    10.0.10.102
                                                                 vip    10.0.10.100
                                                                 mas    10.0.10.101
ge-0/0/2.0    up            100   backup   Active      D  44.710 lcl    192.168.1.102
                                                                 vip    192.168.1.100
                                                                 mas    192.168.1.101

1-1-6. Save the settings.

(Save the configuration by referring to Saving and restoring the configuration.)

Also, execute the following command and save the output settings in a file.

user@FW2> show configuration | display set | no-more

Note

Edit the saved configuration file to change the host name, interface IP addresses, VRRP settings and so on for your environment. In this procedure, the file was changed as follows (VRRP lines are removed here because VRRP is added separately in step 5).

Also, since the configuration set by the service provider contains values unique to each instance, delete it when saving the file (see `Description of the configuration set by the service provider <https://ecl.ntt.com/documents/tutorials/rsts/vSRX/providerconfiguration/providerconfiguration.html>`_).

set system host-name FW4
set system time-zone Asia/Tokyo
set security address-book global address SV01 192.168.1.11/32
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.112/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.112/24
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING
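The edits described in 1-1-3 and 1-1-6 (change the host name, replace the interface addresses, drop the VRRP lines, delete the provider-set configuration) are easy to get wrong by hand when the old config is long. The following script, added here as an example and not part of the original page or of the ECL2.0 documentation, derives the new FW's set-file from the old FW's `show configuration | display set` output. The sample input is an abbreviated, constructed copy of the old FW1 listing on this page; the `PROVIDER_PREFIXES` list is a hypothetical placeholder and must be replaced with the prefixes from "Description of the configuration set by the service provider".

```python
import re

# Constructed sample: an abbreviated copy of old FW1's "show configuration | display set"
# output from this page, plus one hypothetical provider-set login line to show it being dropped.
OLD_FW1_SET = """\
set system host-name FW1
set system time-zone Asia/Tokyo
set system login user provider-user class super-user
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 virtual-address 10.0.10.100
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 priority 200
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 preempt
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 accept-data
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 virtual-address 192.168.1.100
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 priority 200
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
"""

# Hypothetical: prefixes of the provider-set configuration to drop. Take the real list from
# "Description of the configuration set by the service provider".
PROVIDER_PREFIXES = ("set system login user provider-user",)

# "set interfaces <if> unit <n> family inet address <a>/<len> vrrp-group ..." -> keep the address part only.
VRRP_RE = re.compile(r"^(set interfaces \S+ unit \d+ family inet address \S+) vrrp-group .*$")


def derive_new_fw_config(old_set_text, hostname, addr_map, provider_prefixes=PROVIDER_PREFIXES):
    """Return the set-lines for a new FW derived from an old FW's display-set output.

    hostname : host-name for the new FW (e.g. FW3)
    addr_map : {old interface address: new interface address}, without prefix length.
               Only "address <old>/<len>" tokens are rewritten, so VIPs, NAT pools and
               address-book entries (which must stay the same) are left untouched.
    VRRP is stripped here because it is added separately in step 5 with its own priority.
    """
    out, seen = [], set()
    for raw in old_set_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(provider_prefixes):
            continue
        if line.startswith("set system host-name "):
            line = f"set system host-name {hostname}"
        m = VRRP_RE.match(line)
        if m:
            line = m.group(1)
        for old, new in addr_map.items():
            line = line.replace(f" address {old}/", f" address {new}/")
        if line not in seen:  # the vrrp-group lines of one interface collapse to one address line
            seen.add(line)
            out.append(line)
    return out


def leftover_old_addresses(lines, addr_map):
    """Old interface addresses still present anywhere in the generated file (should be empty)."""
    return sorted(old for old in addr_map if any(f" {old}/" in line for line in lines))


if __name__ == "__main__":
    addr_map = {"10.0.10.101": "10.0.10.111", "192.168.1.101": "192.168.1.111"}
    new_cfg = derive_new_fw_config(OLD_FW1_SET, "FW3", addr_map)
    print("\n".join(new_cfg))
    print("leftover old addresses:", leftover_old_addresses(new_cfg, addr_map))
```

Write the returned lines to the file that is transferred in step 3 (for example ChangeToDifferentVersion_PTN1_vSRX01.conf), and run the same function with FW4 and the .102 to .112 mapping for the old FW2 backup. The `leftover_old_addresses` check catches the kind of slip shown by a wrong subnet or interface number in a hand-edited file.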

2. Creating a new FW

2-1. Creating new FW1

2-1-1. Create a new FW1 from ECL2.0 Customer Portal.

(Create a firewall by referring to How to apply for a firewall instance.)

Also, set the default gateway if necessary.

(Set the default gateway referring to `Default route setting <https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/network/default_route.html> `_. )

Note

  • The default gateway can be set from the Customer Portal only when the firewall is created.

  • Select the zone and group in which to create the firewall, and record the zone/group you specified.

2-1-2. Connect the logical network to the created new FW1 from ECL2.0 Customer Portal.

(Connect the interface by referring to How to apply from the customer portal.)

Note

Do this for every interface that needs to be connected to a logical network. Set the interface IP address to one that differs from the old version firewall's address, and set the VRRP virtual IP address to the same address as on the old version firewall.

2-1-3. From the ECL2.0 Customer Portal, register the VRRP communication settings on the new FW1 interface.

(See VRRP communication setting registration, and register the VRRP communication settings.)

2-2. Creating new FW2

2-2-1. Create a new FW2 from ECL2.0 Customer Portal.

(See Firewall Instance Application, and create the firewall.)

Note

  • The default gateway can be set from the Customer Portal only when the firewall is created.

  • For the zone/group of the new FW2, select a zone/group different from that of the new FW1, so that the two new firewalls do not share a failure domain.

2-2-2. Connect the logical network to the new FW2 created from the ECL2.0 Customer Portal.

(Connect the interface by referring to How to apply from the customer portal.)

Note

Do this for every interface that needs to be connected to a logical network. Set the interface IP address to one that differs from the old version firewall's address, and set the VRRP virtual IP address to the same address as on the old version firewall.

2-2-3. From the ECL2.0 Customer Portal, register the VRRP communication settings on the new FW2 interface.

(See VRRP communication setting registration, and register the VRRP communication settings.)

3. Save settings and transfer them by SCP

3-1. SCP transfer of the created config of new FW1

3-1-1. Execute the following command to log in to the new FW1.

ubuntu@ubuntu:~$ ssh user@10.0.0.111
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

3-1-2. Execute the following commands to set up the management interface (ge-0/0/0) for the SCP connection. Only ssh and ping are opened on it.

user> configure
Entering configuration mode
[edit]
user# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
user# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
user# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.111/24

3-1-3. Check the differences from the set configuration by executing the command below.

user# show | compare

Note

The SCP destination directory (/var/home/user/) is the one used in our verification. When you carry out this procedure, transfer the configuration file to a location appropriate for your environment.

3-1-4. Execute the following commands to check and commit the configuration.

user# commit check
configuration check succeeds
user# commit
commit complete

3-1-5. Transfer the configuration file for the new FW1 from the SCP source terminal.

[server ~]# scp /home/user/ChangeToDifferentVersion_PTN1_vSRX01.conf user@10.0.0.111:/var/home/user/

Note

In our verification the file was transferred from a Linux terminal. When you carry out this procedure, transfer the configuration file in the way appropriate for your environment.

3-1-6. Execute the following command to check the file obtained in the above procedure.

user> file show ?
Possible completions:
  <filename>           Filename to show
  ChangeToDifferentVersion_PTN1_vSRX01.conf  Size: 2345, Last changed: Feb 14 14:52:11
  encoding             Encode file contents
  rollback-config_20200207  Size: 6963, Last changed: Feb 07 11:15:12

user> file show ChangeToDifferentVersion_PTN1_vSRX01.conf | no-more
set system host-name FW3
set system time-zone Asia/Tokyo
set security address-book global address SV01 192.168.1.11/32
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.111/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.111/24
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING

3-2. SCP transfer of the created config of new FW2

3-2-1. Execute the following command to log in to the new FW2.

ubuntu@ubuntu:~$ ssh user@10.0.0.112
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

3-2-2. Execute the following commands to set up the management interface (ge-0/0/0) for the SCP connection. Only ssh and ping are opened on it.

user> configure
Entering configuration mode
[edit]
user# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
user# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
user# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.112/24

3-2-3. Check the differences from the set configuration by executing the command below.

user# show | compare

Note

The SCP destination directory (/var/home/user/) is the one used in our verification. When you carry out this procedure, transfer the configuration file to a location appropriate for your environment.

3-2-4. Execute the following commands to check and commit the configuration.

user# commit check
configuration check succeeds
user# commit
commit complete

3-2-5. Transfer the configuration file for the new FW2 from the SCP source terminal.

[server ~]# scp /home/user/ChangeToDifferentVersion_PTN1_vSRX02.conf user@10.0.0.112:/var/home/user/

Note

In our verification the file was transferred from a Linux terminal. When you carry out this procedure, transfer the configuration file in the way appropriate for your environment.

3-2-6. Execute the following command and check if the file obtained in the above procedure is saved correctly.

user> file show ?
Possible completions:
  <filename>           Filename to show
  ChangeToDifferentVersion_PTN1_vSRX02.conf  Size: 2345, Last changed: Feb 14 14:52:30
  PTN2_vSRX02-CONFIG.conf  Size: 2549, Last changed: Feb 12 14:15:52
  encoding             Encode file contents
  rollback-config_20200207  Size: 6963, Last changed: Feb 07 11:15:49

user> file show ChangeToDifferentVersion_PTN1_vSRX02.conf | no-more
set system host-name FW4
set system time-zone Asia/Tokyo
set security address-book global address SV01 192.168.1.11/32
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.112/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.112/24
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING

4. Input settings to the new FW (except VRRP)

4-1. Restore the config to the new FW1.

4-1-1. Execute the following command to log in to the new FW1.

ubuntu@ubuntu:~$ ssh user@10.0.0.111
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

4-1-2. Execute the following command to enter configuration mode, and when the prompt changes to #, load the configuration file created from the backup of the old FW1.

(Save/restore the configuration by referring to `Saving and restoring the configuration <https://ecl.ntt.com/documents/tutorials/rsts/vSRX/configuration/saverestore.html>`_.)

Note

Make sure that the contents of the configuration file to be loaded have been modified for the new FW1 (host name, interface addresses, no VRRP lines, no provider-set configuration). For details, see the description in 1-1-3.

user> configure
Entering configuration mode
[edit]
user# load set ChangeToDifferentVersion_PTN1_vSRX01.conf
load complete

4-1-3. Execute the following command and check the difference with the config that was input.

user# show | compare

Note

If the submitted configuration is long, compare the output of show configuration | display set with the submitted file using a tool such as diff, rather than reading the show | compare output by eye.

4-1-4. Execute the following commands to check and commit the configuration.

user# commit check
configuration check succeeds
user# commit
commit complete

4-2. Restore the config to the new FW2.

4-2-1. Execute the following command to log in to the new FW2.

ubuntu@ubuntu:~$ ssh user@10.0.0.112
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

4-2-2. Execute the following command to enter configuration mode, and when the prompt changes to #, load the configuration file created from the backup of the old FW2.

(Save/restore the configuration by referring to `Saving and restoring the configuration <https://ecl.ntt.com/documents/tutorials/rsts/vSRX/configuration/saverestore.html>`_.)

Note

Make sure that the contents of the configuration file to be loaded have been modified for the new FW2 (host name, interface addresses, no VRRP lines, no provider-set configuration). For details, see the description in 1-1-6.

user> configure
Entering configuration mode
[edit]
user# load set ChangeToDifferentVersion_PTN1_vSRX02.conf
load complete

4-2-3. Execute the following command and check the difference with the config that was input.

user# show | compare

Note

If the submitted configuration is long, compare the output of show configuration | display set with the submitted file using a tool such as diff, rather than reading the show | compare output by eye.

4-2-4. Execute the following commands to check and commit the configuration.
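A plain diff of the submitted file against the device's display-set output is noisy, because the device also carries the management-interface lines from step 3 and the provider-set configuration, and line order differs. The following script, added here as an example (not part of the original page or of ECL2.0), does the comparison suggested in 4-1-3 and 4-2-3 as a set comparison: it reports submitted lines that are absent from the running configuration and device lines that are neither submitted nor on an expected-extra list. Both sample texts are constructed from this page's listings, with one submitted line deliberately left out of the device output; the `EXPECTED_EXTRA_PREFIXES` list is an assumption and should be adjusted to the provider configuration document.

```python
# Constructed sample: abbreviated lines from the file loaded in 4-1-2.
SUBMITTED = """\
set system host-name FW3
set system time-zone Asia/Tokyo
set security address-book global address SV01 192.168.1.11/32
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.111/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.111/24
"""

# Constructed sample: "show configuration | display set" on the new FW1 after the commit.
# The management-interface lines from step 3 are present, and the untrust-zone VRRP line
# has deliberately been left out to show how a missing line is reported.
RUNNING = """\
## Last commit: 2020-02-14 15:01:02 JST by user
set system host-name FW3
set system time-zone Asia/Tokyo
set system root-authentication encrypted-password "<hash>"
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.111/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.111/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.111/24
set security address-book global address SV01 192.168.1.11/32
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
"""

# Assumption: device lines that are not in the file but are expected anyway, i.e. the management
# interface set in step 3 and the provider-set configuration (this prefix list is hypothetical).
EXPECTED_EXTRA_PREFIXES = (
    "set interfaces ge-0/0/0 ",
    "set security zones security-zone trust interfaces ge-0/0/0.0 ",
    "set system root-authentication ",
    "set system login ",
)


def set_lines(text):
    """Normalise display-set output to a set of 'set ...' lines (drops '## Last commit' and blanks)."""
    return {line.strip() for line in text.splitlines() if line.strip().startswith("set ")}


def compare_configs(submitted_text, running_text, expected_extra=EXPECTED_EXTRA_PREFIXES):
    """Return (missing, unexpected).

    missing    : submitted lines that are not in the running configuration
    unexpected : running lines that were neither submitted nor covered by expected_extra
    Both lists should be empty before moving on to the VRRP step.
    """
    submitted, running = set_lines(submitted_text), set_lines(running_text)
    missing = sorted(submitted - running)
    unexpected = sorted(l for l in running - submitted if not l.startswith(expected_extra))
    return missing, unexpected


if __name__ == "__main__":
    missing, unexpected = compare_configs(SUBMITTED, RUNNING)
    for line in missing:
        print("MISSING   :", line)
    for line in unexpected:
        print("UNEXPECTED:", line)
    print("OK" if not missing and not unexpected else "NG")
```

In practice, save the device output with `show configuration | display set | no-more` and feed both files to `compare_configs`; a non-empty "unexpected" list after the step is a sign that leftover configuration (for example a pasted VRRP line from an earlier attempt) has crept in.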

user# commit check
configuration check succeeds
user# commit
commit complete

5. Add the VRRP settings to the new FW

5-1. Set VRRP of new FW1.

5-1-1. Execute the following command to log in to the new FW1.

ubuntu@ubuntu:~$ ssh user@10.0.0.111
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

5-1-2. Execute the following command to enter configuration mode, and when the prompt changes to #, paste the VRRP settings. The priority (50) is deliberately lower than the old FW2's (100) and the old FW1's (200), so the new FW1 joins both groups as backup without triggering a switchover.

#VRRP setting
user> configure
Entering configuration mode
[edit]
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.111/24 vrrp-group 10 virtual-address 10.0.10.100
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.111/24 vrrp-group 10 priority 50
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.111/24 vrrp-group 10 preempt
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.111/24 vrrp-group 10 accept-data
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.111/24 vrrp-group 100 virtual-address 192.168.1.100
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.111/24 vrrp-group 100 priority 50
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.111/24 vrrp-group 100 preempt
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.111/24 vrrp-group 100 accept-data

5-1-3. By executing the command below, check that the set configuration is shown as the difference.

user@FW3# show | compare

5-1-4. Execute the following command to reflect the settings and import the new FW1 config.

user@FW3# commit check
configuration check succeeds
user@FW3# commit
commit complete

5-1-5. Execute the following command to check the VRRP status of the firewall (new and old FW1,2).

user@FW3> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  56.722lcl    10.0.10.111
                                                                vip    10.0.10.100
                                                                mas    10.0.10.101
ge-0/0/2.0    up            100   backup   Active      D  48.733lcl    192.168.1.111
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101

5-2. Set VRRP of new FW2.

5-2-1. Execute the following command to log in to the new FW2.

ubuntu@ubuntu:~$ ssh user@10.0.0.112
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

5-2-2. In order to enter the configuration mode, execute the following command and when the prompt changes to #, paste the VRRP setting input configuration.

#VRRP setting
user> configure
Entering configuration mode
[edit]
user@FW4# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.112/24 vrrp-group 10 virtual-address 10.0.10.100
user@FW4# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.112/24 vrrp-group 10 priority 40
user@FW4# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.112/24 vrrp-group 10 preempt
user@FW4# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.112/24 vrrp-group 10 accept-data
user@FW4# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.112/24 vrrp-group 100 virtual-address 192.168.1.100
user@FW4# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.112/24 vrrp-group 100 priority 40
user@FW4# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.112/24 vrrp-group 100 preempt
user@FW4# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.112/24 vrrp-group 100 accept-data

5-2-3. Execute the following command and confirm that the config that has been set and input is displayed as a difference.

user@FW4# show | compare

5-2-4. Execute the following command to reflect the new FW2 settings.

user@FW4# commit check
configuration check succeeds
user@FW4# commit
commit complete

5-2-5. Execute the following command to check the VRRP status of the firewall (new and old FW1,2).

user@FW4> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  58.078lcl    10.0.10.112
                                                                vip    10.0.10.100
                                                                mas    10.0.10.101
ge-0/0/2.0    up            100   backup   Active      D  57.727lcl    192.168.1.112
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101
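The checks in 5-1-5 and 5-2-5 (and the later show vrrp checks in sections 6, 8 and 9) are done by eye on the CLI. Here is an added Python example, written for this page and not part of the guide or of vSRX, that parses the show vrrp output shown above from the jump host and compares it with the state the step expects. The sample output is the 5-1-5 output from this page; the expectation dictionaries are constructed for the example.

```python
"""Parse Junos 'show vrrp' output and compare it with the VRRP state a step expects.

Added example for this page (not the guide's or vSRX's own code). The sample
output is copied from step 5-1-5; the expectation dictionaries are constructed.
"""
import re

# Main row: interface, state, group, VR state, VR mode, timer letter, timer value,
# "lcl" and the local address. In the output captured on this page the timer
# value and "lcl" are run together ("56.722lcl"), so no space is required there.
_ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<state>\S+)\s+(?P<group>\d+)\s+(?P<vr_state>\S+)\s+"
    r"(?P<vr_mode>\S+)\s+(?P<timer>[AD])\s+(?P<timer_val>[\d.]+)\s*lcl\s+(?P<lcl>\S+)\s*$"
)
# Continuation rows: the virtual IP and, on a backup, the current master's address.
_CONT = re.compile(r"^\s+(?P<type>vip|mas)\s+(?P<addr>\S+)\s*$")


def parse_show_vrrp(text):
    """Return {interface: {group, state, vr_state, timer, lcl, vip, mas}}.

    'mas' stays None on a master, because Junos prints no 'mas' row there.
    """
    result = {}
    current = None
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            current = {
                "group": int(m.group("group")),
                "state": m.group("state"),
                "vr_state": m.group("vr_state"),
                "timer": m.group("timer"),
                "lcl": m.group("lcl"),
                "vip": None,
                "mas": None,
            }
            result[m.group("iface")] = current
            continue
        c = _CONT.match(line)
        if c and current is not None:
            current[c.group("type")] = c.group("addr")
    return result


def check_vrrp(parsed, expected):
    """Compare parsed output with expected {iface: {field: value}}.

    Returns a list of human-readable mismatches; an empty list means the
    firewall is in the state the procedure step expects.
    """
    problems = []
    for iface, want in expected.items():
        got = parsed.get(iface)
        if got is None:
            problems.append(f"{iface}: not present in show vrrp output")
            continue
        for field, value in want.items():
            if got.get(field) != value:
                problems.append(f"{iface}: {field} is {got.get(field)!r}, expected {value!r}")
    return problems


# Output of step 5-1-5 on this page (new FW1 after its VRRP settings were committed).
SAMPLE_5_1_5 = """\
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  56.722lcl    10.0.10.111
                                                                vip    10.0.10.100
                                                                mas    10.0.10.101
ge-0/0/2.0    up            100   backup   Active      D  48.733lcl    192.168.1.111
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101
"""

# Constructed expectation for 5-1-5: new FW1 is backup on both groups, old FW1 is master.
EXPECT_AFTER_5_1 = {
    "ge-0/0/1.0": {"group": 10, "vr_state": "backup", "vip": "10.0.10.100", "mas": "10.0.10.101"},
    "ge-0/0/2.0": {"group": 100, "vr_state": "backup", "vip": "192.168.1.100", "mas": "192.168.1.101"},
}

# Constructed expectation for 6-1-5, after the priority is raised to 250: master on both groups.
EXPECT_AFTER_6_1 = {
    "ge-0/0/1.0": {"vr_state": "master", "vip": "10.0.10.100"},
    "ge-0/0/2.0": {"vr_state": "master", "vip": "192.168.1.100"},
}

if __name__ == "__main__":
    parsed = parse_show_vrrp(SAMPLE_5_1_5)
    print(check_vrrp(parsed, EXPECT_AFTER_5_1) or "state matches step 5-1-5")
    print(check_vrrp(parsed, EXPECT_AFTER_6_1))
```

Run it against the text pasted from the CLI (or fetched over SSH); a non-empty list from check_vrrp means the step's expected state has not been reached and the next priority change should wait.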

6. Switching FW

6-1. Change the Priority value of the new FW1.

6-1-1. Execute the following command to log in to the new FW1.

ubuntu@ubuntu:~$ ssh user@10.0.0.111
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

6-1-2. To enter the configuration mode, execute the following command, and when the prompt changes to #, paste the VRRP switch-on configuration.

#VRRP setting
user> configure
Entering configuration mode
[edit]
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.111/24 vrrp-group 10 priority 250
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.111/24 vrrp-group 100 priority 250

6-1-3. Execute the following command and confirm that the configuration you set is shown as the difference.

user@FW3# show | compare

6-1-4. Execute the following command to reflect the settings and import the new FW1 config.

user@FW3# commit check
configuration check succeeds
user@FW3# commit
commit complete

6-1-5. Execute the following command to check the VRRP status of the firewall (new and old FW1,2).

user@FW3> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  12.716lcl    10.0.10.111
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  12.645lcl    192.168.1.111
                                                                vip    192.168.1.100

6-1-6. Please check the communication through the firewall (HTTP communication etc.)

Note

If communication fails (NG) and does not recover, perform a switchback. (For the specific switchback procedure, refer to 9. Switchback procedure in this guide.)

6-2. Change the Priority value of the new FW2.

6-2-1. Execute the following command to log in to the new FW2.

ubuntu@ubuntu:~$ ssh user@10.0.0.112
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

6-2-2. To enter configuration mode, execute the following command, and when the prompt changes to #, paste the VRRP switch-on configuration.

#VRRP setting
user> configure
Entering configuration mode
[edit]
user@FW4# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.112/24 vrrp-group 10 priority 240
user@FW4# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.112/24 vrrp-group 100 priority 240

6-2-3. Execute the following command and check that the configuration you set is shown as the difference.

user@FW4# show | compare

6-2-4. Execute the following command to reflect the settings and import the new FW2 config.

user@FW4# commit check
configuration check succeeds
user@FW4# commit
commit complete

Note

As a vSRX specification, VRRP switching takes about 4 seconds in addition to 3 × the Advertise Interval at the default setting, so about 7 seconds (measured with ICMP communication) are required until traffic switching completes.

6-2-5. Execute the following command to check the VRRP status of the firewall (new FW1,2).

user@FW4> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  44.764lcl    10.0.10.112
                                                                vip    10.0.10.100
                                                                mas    10.0.10.111
ge-0/0/2.0    up            100   backup   Active      D  46.600lcl    192.168.1.112
                                                                vip    192.168.1.100
                                                                mas    192.168.1.111

6-2-6. Please check the communication through the firewall (HTTP communication etc.)

7. Delete old FW

*Perform this procedure only after confirming that communication is stable after the switch.

7-1-1. From ECL2.0 Customer Portal, go to Network → Firewall to display the firewall list.

7-2-1. Delete the old FW1 from the ECL2.0 Customer Portal. (Refer to the procedure for deleting the firewall instance and delete the firewall.)

Note

Please confirm again that the old FW1 to be deleted is correctly selected.

7-3-1. Delete the old FW2 from the ECL2.0 Customer Portal.

(See Firewall Instance Deletion and delete the firewall.)

Note

Perform this work after confirming that the old FW1 has been deleted. Please check again if the old FW2 to be deleted is correctly selected.

Note

This completes the work procedure for normal execution.

Below is a description of the switchback procedure and an example of the input configuration.

8. Change Priority value of new FW

8-1. Change the Priority value of the new FW2 to the same value as the old FW2.

8-1-1. Execute the following command to log in to the new FW2.

ubuntu@ubuntu:~$ ssh user@10.0.0.112
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

8-1-2. To enter the configuration mode, execute the following command and when the prompt changes to #, paste the VRRP priority change configuration.

#VRRP setting
user> configure
Entering configuration mode
[edit]
user@FW4# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.112/24 vrrp-group 10 priority 100
user@FW4# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.112/24 vrrp-group 100 priority 100

8-1-3. Execute the following command and confirm that the configuration you set is shown as the difference.

user@FW4# show | compare

8-1-4. Execute the following command to reflect the setting and import the new FW2 config.

user@FW4# commit check
configuration check succeeds
user@FW4# commit
commit complete

Note

As a vSRX specification, VRRP switching takes about 4 seconds in addition to 3 × the Advertise Interval at the default setting, so about 7 seconds (measured with ICMP communication) are required until traffic switching completes.

8-1-5. Execute the following command to check the VRRP status of the firewall (new FW1,2).

user@FW4> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  44.764lcl    10.0.10.112
                                                                vip    10.0.10.100
                                                                mas    10.0.10.111
ge-0/0/2.0    up            100   backup   Active      D  46.600lcl    192.168.1.112
                                                                vip    192.168.1.100
                                                                mas    192.168.1.111

8-1-6. Please check the communication through the firewall (HTTP communication etc.)

8-2. Change the Priority value of the new FW1 to the same value as the old FW1.

8-2-1. Execute the following command to log in to the new FW1.

ubuntu@ubuntu:~$ ssh user@10.0.0.111
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

8-2-2. In order to enter the configuration mode, execute the following command and when the prompt changes to #, paste the VRRP Priority change input configuration.

#VRRP setting
user> configure
Entering configuration mode
[edit]
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.111/24 vrrp-group 10 priority 200
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.111/24 vrrp-group 100 priority 200

8-2-3. Execute the following command and confirm that the configuration you set is shown as the difference.

user@FW3# show | compare

8-2-4. Execute the following command to reflect the settings and import the new FW1 config.

user@FW3# commit check
configuration check succeeds
user@FW3# commit
commit complete

8-2-5. Execute the following command to check the VRRP status of the firewall (new FW1,2).

user@FW3> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  12.716lcl    10.0.10.111
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  12.645lcl    192.168.1.111
                                                                vip    192.168.1.100

8-2-6. Please check the communication through the firewall (HTTP communication etc.)

9. Switchback procedure

9-1. Set VRRP of new FW1.

9-1-1. Execute the following command to log in to the new FW1.

ubuntu@ubuntu:~$ ssh user@10.0.0.111
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

9-1-2. To enter the configuration mode, execute the following command, and when the prompt changes to #, paste the new FW1 failback configuration.

user> configure
Entering configuration mode
[edit]
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.111/24 vrrp-group 10 priority 50
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.111/24 vrrp-group 100 priority 50

9-1-3. Execute the following command and confirm that the configuration you set is shown as the difference.

user@FW3# show | compare

9-1-4. Execute the following command to reflect the new FW1 settings.

user@FW3# commit check
configuration check succeeds
user@FW3# commit
commit complete

9-1-5. Execute the following command to check the VRRP status of the firewall (new and old FW1,2).

user@FW3> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  56.722lcl    10.0.10.111
                                                                vip    10.0.10.100
                                                                mas    10.0.10.101
ge-0/0/2.0    up            100   backup   Active      D  48.733lcl    192.168.1.111
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101

9-1-6. Check the communication through the firewall. (HTTP communication, etc.)
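The priority plan in sections 5 through 9 works because VRRP always elects the router with the highest priority as master, and every router here has preempt enabled. The following added Python example, which is not part of the guide or of vSRX, models that election over the priority values this page sets on vrrp-group 10 and counts how many times the master changes. The old FW2 priority of 100 is the value step 8-1 copies; the old FW2 address 10.0.10.102 is an assumption. The example also runs the same steps with 6-1 and 6-2 swapped, to show why the guide raises the new FW1 first, and the switchback path of 9-1 after a failed check at 6-1-6.

```python
"""Model of the VRRP master election for the priority plan in this guide.

Added example, not part of the original guide or of vSRX. Election rule used
(RFC 3768 / RFC 5798): the highest priority wins, ties go to the highest primary
address, and a router with preempt disabled does not take over from a running
lower-priority master. All routers in this guide have preempt enabled.
"""
from ipaddress import ip_address


def elect_master(routers, current_master=None):
    """Return the name of the router that is master after the election.

    routers: {name: {"priority": int, "address": str, "preempt": bool}}
    current_master: router that is master before the change, or None.
    """
    best = max(
        routers,
        key=lambda n: (routers[n]["priority"], int(ip_address(routers[n]["address"]))),
    )
    if current_master not in routers or best == current_master:
        return best
    # A higher-priority router takes over only if it is allowed to preempt.
    return best if routers[best]["preempt"] else current_master


# Phase helpers: each returns a function that mutates the router table.
def add_router(name, priority, address):
    def change(routers):
        routers[name] = {"priority": priority, "address": address, "preempt": True}
    return change


def set_priority(name, value):
    def change(routers):
        routers[name]["priority"] = value
    return change


def remove_router(name):
    def change(routers):
        del routers[name]
    return change


def initial_routers():
    """Old FW pair before the procedure. Old FW1 values come from the guide's
    prerequisites; old FW2's priority 100 is the value step 8-1 copies, and its
    address 10.0.10.102 is an assumption."""
    return {
        "oldFW1": {"priority": 200, "address": "10.0.10.101", "preempt": True},
        "oldFW2": {"priority": 100, "address": "10.0.10.102", "preempt": True},
    }


def run_phases(routers, phases):
    """Apply each (label, change) in order; return [(label, master), ...],
    starting with the master before any change."""
    master = elect_master(routers)
    history = [("initial", master)]
    for label, change in phases:
        change(routers)
        master = elect_master(routers, master)
        history.append((label, master))
    return history


def switchovers(history):
    """Number of times the master changed, i.e. traffic switchovers caused."""
    return sum(1 for (_, a), (_, b) in zip(history, history[1:]) if a != b)


# Priority changes on vrrp-group 10 in the order this guide performs them.
GUIDE_PHASES = [
    ("5-1 add new FW1 priority 50", add_router("newFW1", 50, "10.0.10.111")),
    ("5-2 add new FW2 priority 40", add_router("newFW2", 40, "10.0.10.112")),
    ("6-1 new FW1 priority 250", set_priority("newFW1", 250)),
    ("6-2 new FW2 priority 240", set_priority("newFW2", 240)),
    ("7 delete old FW1", remove_router("oldFW1")),
    ("7 delete old FW2", remove_router("oldFW2")),
    ("8-1 new FW2 priority 100", set_priority("newFW2", 100)),
    ("8-2 new FW1 priority 200", set_priority("newFW1", 200)),
]

# The same steps with 6-1 and 6-2 swapped: new FW2 briefly becomes master.
REVERSED_PHASES = GUIDE_PHASES[:2] + [GUIDE_PHASES[3], GUIDE_PHASES[2]] + GUIDE_PHASES[4:]

# Switchback after a failed check at 6-1-6: step 9-1 lowers new FW1 back to 50.
SWITCHBACK_PHASES = GUIDE_PHASES[:3] + [("9-1 new FW1 priority 50", set_priority("newFW1", 50))]


if __name__ == "__main__":
    for name, phases in [("guide", GUIDE_PHASES), ("reversed", REVERSED_PHASES),
                         ("switchback", SWITCHBACK_PHASES)]:
        history = run_phases(initial_routers(), phases)
        print(f"{name}: {switchovers(history)} switchover(s)")
        for label, master in history:
            print(f"  {label:32} master = {master}")
```

In the guide's order the master changes exactly once (at 6-1), the deletions in section 7 and the priority normalisation in section 8 cause no further change, and the 9-1 switchback returns the master to the old FW1. With 6-2 performed before 6-1 the model shows two switchovers, each costing the roughly 7 seconds noted above.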