Switching between different versions (Pattern 2)

This section describes the procedure for switching from the existing firewall pair (redundant configuration) to a new-version firewall pair (redundant configuration). In this switching method, the new-version firewalls take over the IP addresses used by the old-version firewalls and are configured with the same addresses.
Operation has been verified by NTT Communications for the following version combinations.

Old version       New version
15.1X49-D105.1    19.2R1.8
19.2R1.8          20.4R2

System configuration to replace in this guide

This section describes how to replace the firewall (vSRX) based on the following system configuration.

image2_1.png

Prerequisites

  • Version upgrade is not possible, as described in the Service Descriptions.

  • The procedure is to switch from the old FW to the new FW by building VRRP with the old and new versions.

  • Customers should check the functions of the new version in advance.

  • Compared with pattern 1, this switching procedure takes longer to switch back if a switchback is needed.

  • Compared with pattern 1, this switching procedure requires interfaces to be connected and disconnected, so failback takes longer if a failback is needed.

  • Before and after switching from the old version to the new version, check the operation of the firewall, including whether the switch affects communication of the customer system.

  • In this document, the Public IP is described as "203.0.113.1".

  • For this procedure, operation has been verified with the following settings.

Settings of old FW1

#vrrp setting
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 virtual-address 10.0.10.100
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 priority 200
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 preempt
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 accept-data
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 virtual-address 192.168.1.100
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 priority 200
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 preempt
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 accept-data

#address-group setting
set security address-book global address SV01 192.168.1.11/32

#nat setting
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1

#firewall setting
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close

#zone setting
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp

#application-set setting
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING

#system setting
set system host-name FW1
set system time-zone Asia/Tokyo

Settings of old FW2

#vrrp setting
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 virtual-address 10.0.10.100
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 priority 100
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 preempt
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 accept-data
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 virtual-address 192.168.1.100
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 priority 100
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 preempt
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 accept-data


#address-group setting
set security address-book global address SV01 192.168.1.11/32

#nat setting
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1

#firewall setting
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close

#zone setting
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp

#application-set setting
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING

#system setting
set system host-name FW2
set system time-zone Asia/Tokyo

Switching image

The switching flow for the firewall (vSRX) is illustrated below.

1. It is a prerequisite that VRRP has been configured for Logical Network 1 and Logical Network 2 respectively.
image2_1.png
2. Create a new-version firewall instance. At this point, only the management interface is connected to the logical network.
*Interfaces other than the management interface are not connected to the logical network.
image2_2.png
3. Set up the management interface on the new-version firewall and transfer the configuration file prepared in advance.
image2_2.png
4. Disconnect the interface of the old-version firewall (old FW2).
image2_3.png
5. Connect the interface on the new-version firewall (new FW2) and register the VRRP communication settings. Apply the same settings to the new-version firewall as on the old version.
*Except the VRRP settings
image2_4.png
6. Set VRRP on the new-version firewall and join the VRRP group configured on the old version.
image2_4-2.png
7. Apply the switching config prepared in advance to the new FW2 and switch the VRRP master from the old-version firewall (old FW1) to the new FW2. Confirm that the switch succeeds.
image2_5.png

Note

As a vSRX specification, VRRP switchover takes about 4 seconds in addition to 3 times the advertise interval (at the default), so about 7 seconds (measured by ICMP communication) are needed before traffic switching completes. If communication via the new FW2 is NG and does not recover, refer to "13. Failback procedure" in this guide for the failback steps.

8. If there is no problem with communication, disconnect the interface of the old FW1.
image2_5-2.png
9. Connect the interface and register the VRRP communication settings on the new-version firewall (new FW1). Apply the same settings to the new-version firewall as on the old version.
*Except the VRRP settings
image2_6.png
10. Set VRRP on the new-version firewall and join the VRRP group configured on the new FW2.
image2_6-2.png
11. Apply the switching config prepared in advance to the new FW1 and switch the VRRP master from the new FW2 to the new FW1. Confirm that the switch succeeds.
image2_7.png

Note

As a vSRX specification, VRRP switchover takes about 4 seconds in addition to 3 times the advertise interval (at the default), so about 7 seconds (measured by ICMP communication) are needed before traffic switching completes.

12. After confirming that communication via the new FW1 is stable, delete the old-version firewall instances (old FW1 and FW2).
image2_8.png
13. If communication through the new-version firewall remains NG and does not recover, perform failback.
image2_4-2.png

Disconnect the interface of the new FW2.

image2_3.png

Connect the interface on the old FW2, set VRRP on the old-version firewall, and join the VRRP group configured on the old FW1.

image2_2.png

Work procedure

1. Prior confirmation

1-1. Saving the configuration of old FW1

1-1-1. Execute the following command to log in to the old FW1.

ubuntu@ubuntu:~$ ssh user@10.0.0.101
Password:
Last login: Wed Feb 12 15:16:33 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

1-1-2. Execute the following command to check the VRRP status of the old FW1. Confirm that the VRRP state shown for each group is MASTER or BACKUP as expected.

user@FW1> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  8.893 lcl    10.0.10.101
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  10.864lcl    192.168.1.101
                                                                vip    192.168.1.100

1-1-3. Save the settings.

(Save the configuration by referring to Save configuration_restore. )

Also, execute the following command and save the output to a file.

user@FW1> show configuration | display set | no-more

Note

Use the saved configuration file to change the host name, IP address settings, VRRP settings, etc. according to your environment. In this procedure, the following changes have been made.

set system host-name FW3
set system time-zone Asia/Tokyo
set security address-book global address SV01 192.168.1.11/32
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING

1-2. Saving the configuration of old FW2

1-2-1. Execute the following command to log in to the old FW2.

ubuntu@ubuntu:~$ ssh user@10.0.0.102
Password:
Last login: Wed Feb 12 15:17:26 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

1-2-2. Execute the following command to check the VRRP status of the old FW2. Confirm that the VRRP state shown for each group is MASTER or BACKUP as expected.

user@FW2> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  59.186lcl    10.0.10.102
                                                                vip    10.0.10.100
                                                                mas    10.0.10.101
ge-0/0/2.0    up            100   backup   Active      D  60.251lcl    192.168.1.102
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101
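Checking the VRRP state by eye at steps 1-1-2, 1-2-2 and 6-1-5 is error-prone; the following Python script, an added example that is not part of the original guide, parses the Junos `show vrrp` output above and reports every group whose interface state, VR state, virtual address or learned master does not match what the step expects. The sample output is a constructed copy of the old FW2 output from step 1-2-2.

```python
"""Parse Junos 'show vrrp' output and check each VRRP group against the
state it should be in at a given step (master on one unit, backup on the
other). Added example; not part of the original guide."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# First line of a group. The timer and the address type can run together
# in the real output ("D  59.186lcl"), so no space is required between them.
_ROW_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<if_state>\S+)\s+(?P<group>\d+)\s+(?P<vr_state>\S+)"
    r"\s+(?P<vr_mode>\S+)\s+(?P<timer_kind>[AD])\s+(?P<timer>[\d.]+)\s*"
    r"(?P<addr_type>lcl|vip|mas)\s+(?P<addr>\S+)$")
# Continuation lines carry only an address type and an address.
_CONT_RE = re.compile(r"^\s+(?P<addr_type>lcl|vip|mas)\s+(?P<addr>\S+)$")


@dataclass
class VrrpGroup:
    interface: str
    group: int
    if_state: str
    vr_state: str
    addresses: Dict[str, str] = field(default_factory=dict)  # lcl / vip / mas


def parse_show_vrrp(text: str) -> List[VrrpGroup]:
    """Turn the CLI output into one VrrpGroup per interface/group row."""
    groups: List[VrrpGroup] = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            g = VrrpGroup(m["ifname"], int(m["group"]), m["if_state"], m["vr_state"])
            g.addresses[m["addr_type"]] = m["addr"]
            groups.append(g)
            continue
        c = _CONT_RE.match(line)
        if c and groups:
            groups[-1].addresses[c["addr_type"]] = c["addr"]
    return groups


def check_vrrp(text: str, expected_state: Dict[Tuple[str, int], str],
               expected_vip: Dict[int, str]) -> List[str]:
    """Return a list of findings; an empty list means the unit is in the
    expected state. expected_state maps (interface, group) -> 'master' or
    'backup'; expected_vip maps group -> virtual address."""
    found = {(g.interface, g.group): g for g in parse_show_vrrp(text)}
    findings: List[str] = []
    for (ifname, group), want in expected_state.items():
        g = found.get((ifname, group))
        tag = f"{ifname} group {group}"
        if g is None:
            findings.append(f"{tag}: not present in output")
            continue
        if g.if_state != "up":
            findings.append(f"{tag}: interface state {g.if_state}")
        if g.vr_state != want:
            findings.append(f"{tag}: VR state {g.vr_state}, expected {want}")
        vip = expected_vip.get(group)
        if vip is not None and g.addresses.get("vip") != vip:
            findings.append(f"{tag}: vip {g.addresses.get('vip')}, expected {vip}")
        if want == "backup" and "mas" not in g.addresses:
            findings.append(f"{tag}: backup but no master address learned")
    return findings


# Constructed sample: a copy of the old FW2 output from step 1-2-2 of this guide.
OLD_FW2_SHOW_VRRP = """\
user@FW2> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  59.186lcl    10.0.10.102
                                                                vip    10.0.10.100
                                                                mas    10.0.10.101
ge-0/0/2.0    up            100   backup   Active      D  60.251lcl    192.168.1.102
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101
"""

EXPECTED_VIP = {10: "10.0.10.100", 100: "192.168.1.100"}


def check_old_fw2_is_backup() -> List[str]:
    """Expected state at step 1-2-2: old FW2 is backup on both groups."""
    return check_vrrp(OLD_FW2_SHOW_VRRP,
                      {("ge-0/0/1.0", 10): "backup", ("ge-0/0/2.0", 100): "backup"},
                      EXPECTED_VIP)


if __name__ == "__main__":
    print(check_old_fw2_is_backup() or "VRRP state as expected")
```

After step 7 the same check is run with "master" expected on the new FW2 and "backup" on the old FW1, so a failed switchover is caught before the old FW1 interface is disconnected.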

1-2-3. Save the settings.

(Save the configuration by referring to Save configuration_restore. )

Also, execute the following command and save the output to a file.

user@FW2> show configuration | display set | no-more

Note

Use the saved configuration file to change the host name, IP address settings, VRRP settings, etc. according to your environment. In this procedure, the following changes have been made.

Also, because the configuration set by the service provider contains values unique to each instance, delete it when saving (refer to `Description of the configuration set by the service provider <https://ecl.ntt.com/documents/tutorials/rsts/vSRX/providerconfiguration/providerconfiguration.html> `_).

set system host-name FW4
set system time-zone Asia/Tokyo
set security address-book global address SV01 192.168.1.11/32
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING

2. Creating a New FW

2-1. Create new FW1

2-1-1. Create a new FW1 from ECL2.0 Customer Portal.

(Create a firewall by referring to How to apply for a firewall instance. )

Also, set the default gateway if necessary.

(Set the default gateway referring to `Default route setting <https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/network/default_route.html> `_. )

Note

  • The default gateway can be set from the customer portal only when the firewall is created.

  • Select the zone and group for which you want to create a firewall. Also, record the specified zone/group.

2-1-2. From the ECL2.0 Customer Portal, connect the created new FW1 ge-0/0/0.0 and the Logical Network.

(Connect the interface referring to How to apply from the customer portal. )

Note

Connect only the management IF (ge-0/0/0.0 is used here) so that it can be reached in "3. Save settings and transfer SCP" in this guide.

2-2. Creating new FW2

2-2-1. Create a new FW2 from ECL2.0 Customer Portal.

(Create a firewall by referring to Firewall Instance Application. )

Also, set the default gateway if necessary.

(Set the default gateway referring to `Default route setting <https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/network/default_route.html> `_. )

Note

  • The default gateway can be set from the customer portal only when the firewall is created.

  • For the zone/group selected when creating the new FW2, select a zone/group different from that of the new FW1.

2-2-2. From the ECL2.0 Customer Portal, connect the created new FW2 ge-0/0/0.0 and the Logical Network.

(Connect the interface referring to How to apply from the customer portal. )

Note

Connect only the management IF (ge-0/0/0.0 is used here) so that it can be reached in "3. Save settings and transfer SCP" in this guide.

3. Save settings and transfer SCP

3-1. SCP transfer of the created config of new FW1

3-1-1. Connect the console to the new FW1.

Note

In this procedure, 10.0.0.111 is registered as the management address when creating vSRX.

3-1-2. Execute the following command to set the management IF for SCP connection.

user> configure
Entering configuration mode
[edit]
user# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
user# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
user# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.111/24

3-1-3. Execute the following command and confirm that the configuration you entered appears as the difference.

user# show | compare

3-1-4. Execute the following command to reflect the setting.

user# commit check
configuration check succeeds
user# commit
commit complete

3-1-5. Execute the following command on a server adjacent to the vSRX to copy the file to the vSRX with SCP.

[server ~]# scp /home/user/ChangeToDifferentVersion_PTN2_vSRX01.conf user@10.0.0.111:/var/home/user/

Note

At the time of our verification, the file was transferred with SCP from a Linux terminal. When performing this procedure, adjust the transfer of the configuration file, such as the SCP destination directory (/var/home/user/), to the customer's environment.

3-1-6. After connecting to the vSRX again, execute the following command to check the file copied with SCP.

user> file show ?
Possible completions:
  <filename>           Filename to show
  PTN1-loadset_20200207  Size: 4683, Last changed: Feb 07 08:41:42
  ChangeToDifferentVersion_PTN2_vSRX01.conf  Size: 2549, Last changed: Feb 12 05:16:08
  encoding             Encode file contents
  rollback-config_20200207  Size: 6963, Last changed: Feb 07 02:15:12
user> file show       ChangeToDifferentVersion_PTN2_vSRX01.conf
set system host-name FW3
set system time-zone Asia/Tokyo
set security address-book global address SV01 192.168.1.11/32
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING

3-2. SCP transfer of the created config of new FW2

3-2-1. Connect the console to the new FW2.

Note

In this procedure, 10.0.0.112 is registered as the management address when creating vSRX.

3-2-2. Execute the following command to set the management IF for SCP connection.

user> configure
Entering configuration mode
[edit]
user# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
user# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
user# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.112/24

3-2-3. Execute the following command and confirm that the configuration you entered appears as the difference.

user@FW4# show | compare

3-2-4. Execute the following command to reflect the setting.

user# commit check
configuration check succeeds
user# commit
commit complete

3-2-5. Execute the following command on a server adjacent to the vSRX to copy the file to the vSRX with SCP.

[server ~]# scp /home/user/ChangeToDifferentVersion_PTN2_vSRX02.conf user@10.0.0.112:/var/home/user/

Note

At the time of our verification, the file was transferred with SCP from a Linux terminal. When performing this procedure, adjust the transfer of the configuration file, such as the SCP destination directory (/var/home/user/), to the customer's environment.

3-2-6. After connecting to the vSRX again, execute the following command to check the file copied with SCP.

user> file show ?
Possible completions:
 <filename>           Filename to show
 ChangeToDifferentVersion_PTN2_vSRX02.conf  Size: 2549, Last changed: Feb 12 05:15:52
 encoding             Encode file contents
 rollback-config_20200207  Size: 6963, Last changed: Feb 07 02:15:49
user> file show     ChangeToDifferentVersion_PTN2_vSRX02.conf
set system host-name FW4
set system time-zone Asia/Tokyo
set security address-book global address SV01 192.168.1.11/32
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING

4. Disconnect the interface of the old FW2

Note

After the work, the redundant configuration of the firewall is released and the firewall operates in the single configuration.

4-1. Disconnect the old FW2 from the logical network.

4-1-1. From the ECL2.0 Customer Portal, cancel the communication settings for VRRP using the interface of the old FW2.

(Please cancel the registration of VRRP communication setting referring to `Register the communication settings for VRRP <https://ecl.ntt.com/documents/tutorials/rsts/Firewall/instance/vrrp.html> `_. )

4-1-2. Disconnect the old FW2 from the logical network from the ECL2.0 Customer Portal.

(Please disconnect the interface referring to `How to apply from the customer portal <https://ecl.ntt.com/documents/tutorials/rsts/Firewall/instance/> `_. )

5. Connection of new FW2 and setting input

5-1. Connect the new FW.

5-1-1. Connect the Logical Network to the created new FW2 from ECL2.0 Customer Portal.

(Connect the interface referring to How to apply from the customer portal. )

Note

Perform this for every interface that needs to be connected to the logical network. Also, set the interface IP addresses to the same addresses as on the old FW, and set the VRRP virtual IP address to the same IP address as on the old FW.

5-1-2. From the ECL2.0 Customer Portal, register the communication settings for VRRP on the relevant interfaces of the new FW2.

(See VRRP communication setting registration , and register the VRRP communication settings.)

5-2. Input the settings to the new FW.

5-2-1. Execute the following command to log in to the new FW2.

ubuntu@ubuntu:~$ ssh user@10.0.0.112
Password:
Last login: Wed Feb 12 07:43:43 2020 from 10.0.0.254
--- JUNOS 19.2R1.8 Kernel 64-bit  JNPR-11.0-20190517.f0321c3_buil

5-2-2. Execute the following command to enter configuration mode, and when the prompt changes to #, load the loading config created from the backup of the old FW2.

(Save/restore the configuration referring to `Saving and restoring the configuration <https://ecl.ntt.com/documents/tutorials/rsts/vSRX/configuration/saverestore.html>`_. )

Note

Please confirm that the contents of the configuration to be input have been modified for the new FW2.

user> configure
Entering configuration mode
[edit]
user# load set ChangeToDifferentVersion_PTN2_vSRX02.conf
load complete
[edit]

5-2-3. Execute the following command and check the difference with the config that was set.

user# show | compare

Note

If the loaded configuration is large, compare the output of show configuration | display set with the submitted configuration using a tool such as diff.
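The following Python script is an added example (not part of the original guide) that covers both the preparation of the loading config described in the notes to 1-1-3 and 1-2-3 and the diff check just described: it derives the new unit's `set` statements from the old unit's `display set` output (host name renamed, `vrrp-group` statements collapsed to the bare interface address), and compares two `set` listings regardless of order. The `set snmp community PROVIDER-PLACEHOLDER` line and the `drop_prefixes` value are constructed placeholders for the provider-set statements, which differ per environment.

```python
"""Derive the loading config for a new-version vSRX from an old unit's
'show configuration | display set' output, and compare two set listings so
the result of 'load set' can be reviewed before commit.
Added example; not part of the original guide."""
import re
from typing import Iterable, List, Set, Tuple

# A VRRP statement hanging off an interface address, e.g.
#   set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 priority 100
# group(1) is the bare address statement that the new unit keeps.
_VRRP_RE = re.compile(
    r"^(set interfaces \S+ unit \d+ family inet address \S+) vrrp-group \d+ .+$")
_HOSTNAME_RE = re.compile(r"^set system host-name \S+$")


def _statements(lines: Iterable[str]) -> List[str]:
    """Strip whitespace and drop blank lines and '#' comment lines."""
    out: List[str] = []
    for raw in lines:
        line = raw.strip()
        if line and not line.startswith("#"):
            out.append(line)
    return out


def prepare_new_fw_config(old_set_lines: Iterable[str], new_hostname: str,
                          drop_prefixes: Iterable[str] = ()) -> List[str]:
    """Return the 'set' statements for the new unit, in the old order.

    - the host-name statement is rewritten to new_hostname
    - every vrrp-group statement collapses to its bare address statement
      (VRRP is configured later, after the interfaces are connected)
    - statements starting with one of drop_prefixes are removed; pass the
      prefixes of the provider-set statements that are unique per instance
    """
    out: List[str] = []
    seen: Set[str] = set()
    drop = tuple(drop_prefixes)
    for line in _statements(old_set_lines):
        if line.startswith(drop):
            continue
        if _HOSTNAME_RE.match(line):
            line = f"set system host-name {new_hostname}"
        m = _VRRP_RE.match(line)
        if m:
            line = m.group(1)
        if line not in seen:          # collapsing VRRP lines creates duplicates
            seen.add(line)
            out.append(line)
    return out


def diff_set_configs(expected: Iterable[str],
                     actual: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Order-insensitive comparison of two 'display set' listings.
    Returns (missing, unexpected): statements expected but absent from
    'actual', and statements in 'actual' that were not expected."""
    exp, act = set(_statements(expected)), set(_statements(actual))
    return sorted(exp - act), sorted(act - exp)


# Constructed sample: a trimmed copy of the old FW2 'display set' output, plus
# one placeholder SNMP line standing in for the provider-set statements.
OLD_FW2_DISPLAY_SET = """\
set system host-name FW2
set system time-zone Asia/Tokyo
set snmp community PROVIDER-PLACEHOLDER authorization read-only
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 virtual-address 10.0.10.100
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 priority 100
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 preempt
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 accept-data
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 virtual-address 192.168.1.100
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 priority 100
set security address-book global address SV01 192.168.1.11/32
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
"""


def build_fw4_config() -> List[str]:
    """The loading config for the new FW2 (host-name FW4) from the sample."""
    return prepare_new_fw_config(OLD_FW2_DISPLAY_SET.splitlines(), "FW4",
                                 drop_prefixes=("set snmp ",))


if __name__ == "__main__":
    for stmt in build_fw4_config():
        print(stmt)
```

After `load set` and `commit`, feeding the prepared file and the new unit's own `show configuration | display set` output to `diff_set_configs` gives the two lists to review at this step.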

5-2-4. Execute the following command to reflect the settings and import the new FW2 config.

user# commit check
configuration check succeeds
user# commit
commit complete

6. Adding VRRP settings to the new FW

6-1. Set VRRP of new FW2.

6-1-1. Execute the following command to log in to the new FW2.

ubuntu@ubuntu:~$ ssh user@10.0.0.112
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

6-1-2. To enter the configuration mode, execute the following command, and when the prompt changes to #, paste the VRRP setting input configuration.

#VRRP setting
user@FW4> configure
Entering configuration mode
[edit]
user@FW4# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 virtual-address 10.0.10.100
user@FW4# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 priority 100
user@FW4# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 preempt
user@FW4# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 accept-data
user@FW4# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 virtual-address 192.168.1.100
user@FW4# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 priority 100
user@FW4# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 preempt
user@FW4# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 accept-data

6-1-3. Execute the following command and confirm that the configuration you entered is displayed as the difference.

user@FW4# show | compare

6-1-4. Execute the following command to reflect the new FW2 settings.

user@FW4# commit check
configuration check succeeds
user@FW4# commit
commit complete

6-1-5. Execute the following command to check the VRRP status of the firewall (old FW1, new FW2).

user@FW1> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  2.621 lcl    10.0.10.101
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  14.442lcl    192.168.1.101
                                                                vip    192.168.1.100

user@FW4> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  55.385lcl    10.0.10.102
                                                                vip    10.0.10.100
                                                                mas    10.0.10.101
ge-0/0/2.0    up            100   backup   Active      D  48.355lcl    192.168.1.102
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101

7. Switching FW

7-1. Change the Priority of the old FW1.

7-1-1. Execute the following command to log in to the old FW1.

ubuntu@ubuntu:~$ ssh user@10.0.0.101
Password:
Last login: Wed Feb 12 16:59:20 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

7-1-2. Execute the following command to check the VRRP status of the firewall (old FW1, new FW2).

user@FW1> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  16.776lcl    10.0.10.101
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  8.133 lcl    192.168.1.101
                                                                vip    192.168.1.100

7-1-3. To enter configuration mode, execute the following command, and when the prompt changes to #, paste the VRRP switching configuration.

#VRRP setting
user@FW1> configure
Entering configuration mode
[edit]
user@FW1# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 priority 50
user@FW1# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 priority 50

7-1-4. Execute the following command and confirm that the configuration you entered is displayed as the difference.

user@FW1# show | compare

7-1-5. Execute the following command to reflect the setting and import the old FW1 config.

user@FW1# commit check
configuration check succeeds
user@FW1# commit
commit complete

Note

By vSRX specification, VRRP switching takes about 4 seconds in addition to the default Advertise Interval x 3, so about 7 seconds (as measured by ICMP communication) are required before traffic switching completes.

7-1-6. Execute the following command to check the VRRP status of the firewall (old FW1, new FW2).

user@FW1> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  47.035lcl    10.0.10.101
                                                                vip    10.0.10.100
                                                                mas    10.0.10.102
ge-0/0/2.0    up            100   backup   Active      D  46.588lcl    192.168.1.101
                                                                vip    192.168.1.100
                                                                mas    192.168.1.102

user@FW4> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  3.097 lcl    10.0.10.102
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  0.262 lcl    192.168.1.102
                                                                vip    192.168.1.100
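
As an added check that is not part of the original guide, the following Python parses the `show vrrp` listings from steps 6-1-5 and 7-1-6 and verifies that the two firewalls agree on the virtual address, that exactly one of them is master per group, and that the backup reports the master's local address; the sample listings are constructed from the values shown in this guide.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample listings, modelled on the `show vrrp` output in this guide
# (old FW1 as backup and new FW2 as master after step 7-1-6).
FW1_AFTER_SWITCH = """\
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  47.035lcl    10.0.10.101
                                                                vip    10.0.10.100
                                                                mas    10.0.10.102
ge-0/0/2.0    up            100   backup   Active      D  46.588lcl    192.168.1.101
                                                                vip    192.168.1.100
                                                                mas    192.168.1.102
"""
FW4_AFTER_SWITCH = """\
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  3.097 lcl    10.0.10.102
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  0.262 lcl    192.168.1.102
                                                                vip    192.168.1.100
"""

# First line of a group: the timer value may run into the "lcl" column (e.g. "47.035lcl").
ROW_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<state>\S+)\s+(?P<group>\d+)\s+(?P<vr_state>\S+)\s+"
    r"(?P<vr_mode>\S+)\s+(?P<timer>[AD])\s+(?P<secs>\d+\.\d+)\s*(?P<type>lcl|vip|mas)\s+(?P<addr>\S+)$"
)
# Continuation lines carry only the address type and the address.
CONT_RE = re.compile(r"^\s+(?P<type>lcl|vip|mas)\s+(?P<addr>\S+)$")


@dataclass
class VrrpGroup:
    ifname: str
    group: int
    vr_state: str
    lcl: str = ""           # local address of this firewall
    vip: str = ""           # virtual address of the group
    mas: Optional[str] = None  # master's address as seen by a backup


def parse_show_vrrp(text: str) -> Dict[Tuple[str, int], VrrpGroup]:
    """Parse Junos `show vrrp` output into {(interface, group): VrrpGroup}."""
    groups: Dict[Tuple[str, int], VrrpGroup] = {}
    current: Optional[VrrpGroup] = None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            current = VrrpGroup(m["ifname"], int(m["group"]), m["vr_state"])
            setattr(current, m["type"], m["addr"])
            groups[(current.ifname, current.group)] = current
            continue
        m = CONT_RE.match(line)
        if m and current is not None:
            setattr(current, m["type"], m["addr"])
    return groups


def check_pair(master_text: str, backup_text: str) -> List[str]:
    """Return a list of problems for the pair; an empty list means the roles match."""
    m, b = parse_show_vrrp(master_text), parse_show_vrrp(backup_text)
    problems: List[str] = []
    if set(m) != set(b):
        problems.append(f"group sets differ: {sorted(m)} vs {sorted(b)}")
    for key in sorted(set(m) & set(b)):
        gm, gb = m[key], b[key]
        if gm.vip != gb.vip:
            problems.append(f"{key}: VIP mismatch {gm.vip} vs {gb.vip}")
        if gm.vr_state == "master" and gb.vr_state == "master":
            problems.append(f"{key}: both firewalls are master (advertisements not seen)")
        elif gm.vr_state != "master" or gb.vr_state != "backup":
            problems.append(f"{key}: roles are {gm.vr_state}/{gb.vr_state}, expected master/backup")
        elif gb.mas != gm.lcl:
            problems.append(f"{key}: backup sees master {gb.mas}, expected {gm.lcl}")
    return problems
```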

7-1-7. Please check the communication through the firewall (HTTP communication etc.)

Note

If communication remains NG and does not recover, perform a switchback. (For the specific procedure, see 13. Switchback procedure in this guide.)

8. Disconnection of old FW1

Note

After the work, the redundant configuration of the firewall is released and the firewall operates in the single configuration.

8-1. Disconnect the connection with the old FW1 Logical Network.

8-1-1. From the ECL2.0 Customer Portal, disconnect the logical network from the created old FW1.

(Please disconnect the interface referring to `How to apply from the customer portal <https://ecl.ntt.com/documents/tutorials/rsts/Firewall/instance/>`_.)

8-1-2. From the ECL2.0 Customer Portal, cancel the VRRP communication settings for the new FW1 interface.

(Please cancel the registration of the VRRP communication setting referring to `Register the communication settings for VRRP <https://ecl.ntt.com/documents/tutorials/rsts/Firewall/instance/vrrp.html>`_.)

9. Connection of new FW1 and setting input

9-1. Connect the new FW.

9-1-1. From the ECL2.0 Customer Portal, connect the logical network to the created new FW1.

(Connect the interface referring to How to apply from the customer portal.)

Note

Repeat this for every interface that needs to be connected to the logical network. Also, set the interface IP address to the same address used on the old FW, and set the VRRP virtual IP address to the same address used on the old FW.

9-1-2. From the ECL2.0 Customer Portal, register the VRRP communication settings on the relevant interface of the new FW1.

(See VRRP communication setting registration, and register the VRRP communication settings.)

9-2. Input settings to new FW.

9-2-1. Execute the following command to log in to the new FW1.

ubuntu@ubuntu:~$ ssh user@10.0.0.111
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

9-2-2. Execute the following command to enter configuration mode, and when the prompt changes to #, load the configuration created from the backup of the old FW1.

(Save/restore the configuration referring to `Saving and restoring the configuration <https://ecl.ntt.com/documents/tutorials/rsts/vSRX/configuration/saverestore.html>`_.)

Note

Please confirm that the contents of the configuration to be input have been modified for the new FW1.

user> configure
Entering configuration mode
[edit]
user# load set ChangeToDifferentVirsion_PTN2_vSRX01.conf
load complete

9-2-3. Execute the following command and check the difference with the config that was input.

user# show | compare

Note

If many configuration lines were submitted, compare the result of show configuration | display set with the submitted configuration using a tool such as diff.

9-2-4. Execute the following command to reflect the settings and import the firewall config.

user# commit check
configuration check succeeds
user# commit
commit complete

10. New FW VRRP settings added

10-1. Set VRRP of new FW1.

10-1-1. Execute the following command to log in to the new FW1.

ubuntu@ubuntu:~$ ssh user@10.0.0.111
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

10-1-2. To enter the configuration mode, execute the following command, and when the prompt changes to #, paste the VRRP setting input configuration.

#VRRP setting
user@FW3> configure
Entering configuration mode
[edit]
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 virtual-address 10.0.10.100
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 priority 50
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 preempt
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 accept-data
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 virtual-address 192.168.1.100
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 priority 50
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 preempt
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 accept-data

10-1-3. Execute the following command and confirm that the configuration you entered is displayed as the difference.

user@FW3# show | compare

10-1-4. Execute the following command to reflect the settings and import the new FW1 config.

user@FW3# commit check
configuration check succeeds
user@FW3# commit
commit complete

10-1-5. Execute the following command to check the VRRP status of the firewall (new FW1, new FW2).

user@FW3> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  56.216lcl    10.0.10.101
                                                                vip    10.0.10.100
                                                                mas    10.0.10.102
ge-0/0/2.0    up            100   backup   Active      D  57.452lcl    192.168.1.101
                                                                vip    192.168.1.100
                                                                mas    192.168.1.102

user@FW4> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  3.260 lcl    10.0.10.102
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  16.428lcl    192.168.1.102
                                                                vip    192.168.1.100

11. Switching FW

11-1. Change the Priority of new FW1.

11-1-1. Execute the following command to log in to the new FW1.

ubuntu@ubuntu:~$ ssh user@10.0.0.111
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

11-1-2. To enter configuration mode, execute the following command, and when the prompt changes to #, paste the VRRP switching configuration.

#VRRP setting
user@FW3> configure
Entering configuration mode
[edit]
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 priority 200
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 priority 200

11-1-3. Execute the following command and confirm that the configuration you entered is displayed as the difference.

user@FW3# show | compare

11-1-4. Execute the following command to reflect the settings and import the new FW1 config.

user@FW3# commit check
configuration check succeeds
user@FW3# commit
commit complete

11-1-5. Execute the following command to check the VRRP status of the firewall (new FW1, new FW2).

user@FW3> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  4.333 lcl    10.0.10.101
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  0.555 lcl    192.168.1.101
                                                                vip    192.168.1.100

user@FW4> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  56.716lcl    10.0.10.102
                                                                vip    10.0.10.100
                                                                mas    10.0.10.101
ge-0/0/2.0    up            100   backup   Active      D  52.935lcl    192.168.1.102
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101

11-1-6. Please check the communication through the firewall (HTTP communication etc.)

12. Delete old FW

**Perform this procedure after confirming that the communication after switching is stable.**

12-1. From the ECL2.0 Customer Portal, go to Network → Firewall and display the list of firewalls.

12-2. Delete the firewall (formerly FW1) from the ECL2.0 Customer Portal.

(See Firewall Instance Deletion, and delete the firewall.)

Note

Check again whether the firewall (formerly FW1) to be deleted is correctly selected.

12-3. Delete the firewall (formerly FW2) from the ECL2.0 Customer Portal.

(See Firewall Instance Deletion, and delete the firewall.)

Note

Perform this work after confirming that the old FW1 has been deleted. Please check again whether the firewall (old FW2) to be deleted is correctly selected.

Note

This completes the work procedure for normal execution.

Below is a description of the switchback procedure and an example of the input configuration.

13. Switchback procedure

13-1. Change the Priority of the old FW1.

13-1-1. Execute the following command to log in to the old FW1.

ubuntu@ubuntu:~$ ssh user@10.0.0.101
Password:
Last login: Fri Feb  7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC

13-1-2. To enter configuration mode, execute the following command, and when the prompt changes to #, paste the VRRP switchback configuration.

user> configure
Entering configuration mode
[edit]
user@FW1# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 priority 200
user@FW1# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 priority 200

13-1-3. Execute the following command and confirm that the configuration you entered is displayed as the difference.

user@FW1# show | compare

13-1-4. Execute the following command to reflect the setting and import the old FW1 config.

user@FW1# commit check
configuration check succeeds
user@FW1# commit
commit complete

13-1-5. Execute the following command to check the VRRP status of the firewall (old FW1, new FW2).

user@FW1> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  8.893 lcl    10.0.10.101
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  10.864lcl    192.168.1.101
                                                                vip    192.168.1.100

user@FW4> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  56.716lcl    10.0.10.102
                                                                vip    10.0.10.100
                                                                mas    10.0.10.101
ge-0/0/2.0    up            100   backup   Active      D  52.935lcl    192.168.1.102
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101

13-1-6. Please check the communication through the firewall (HTTP communication etc.)

Note

Communication via VRRP is restored.

13-2. Disconnect the interface of new FW2.

Note

After the work, the redundant configuration of the firewall is released and the firewall operates in the single configuration.

13-2-1. Disconnect the new FW2 from the logical network.

13-2-2. From the ECL2.0 Customer Portal, cancel the VRRP communication settings on the new FW2 interface.

(Please cancel the registration of the VRRP communication setting referring to `Register the communication settings for VRRP <https://ecl.ntt.com/documents/tutorials/rsts/Firewall/instance/vrrp.html>`_.)

13-2-3. Disconnect the new FW2 from the Logical Network from the ECL2.0 Customer Portal.

(Please disconnect the interface referring to `How to apply from the customer portal <https://ecl.ntt.com/documents/tutorials/rsts/Firewall/instance/>`_.)

13-3. Connect the old FW2.

13-3-1. Connect the logical network to the old FW2 from the ECL2.0 Customer Portal.

(Connect the interface referring to How to apply from the customer portal.)

Note

Repeat the procedure for all interfaces to be connected with the logical network.

13-3-2. From the ECL2.0 Customer Portal, register the VRRP communication settings on the relevant interface of the old FW2.

(See VRRP communication setting registration, and register the VRRP communication settings.)

13-3-3. Execute the following command to check the VRRP status of the firewall (old FW1, new FW2).

user@FW1> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  8.893 lcl    10.0.10.101
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  10.864lcl    192.168.1.101
                                                                vip    192.168.1.100

user@FW2> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D  59.186lcl    10.0.10.102
                                                                vip    10.0.10.100
                                                                mas    10.0.10.101
ge-0/0/2.0    up            100   backup   Active      D  60.251lcl    192.168.1.102
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101

13-3-4. Please check the communication through the firewall (HTTP communication etc.)