Switching between different versions (Pattern 2)¶
Old version    | New version
---------------|------------
15.1X49-D105.1 | 19.2R1.8
19.2R1.8       | 20.4R2
System configuration to replace in this guide¶
This section describes how to replace the firewall (vSRX) based on the following system configuration.
Prerequisites¶
As described in the Service Descriptions, an in-place version upgrade of vSRX is not possible, so the version is changed by replacing the firewall.
The procedure is to switch from the old FW to the new FW by building VRRP with the old and new versions.
Customers should check the functions of the new version in advance.
Compared with pattern 1, this switching procedure requires connecting and disconnecting interfaces, so if a failback is needed it takes longer.
Before and after switching from the old version to the new version, check the operation of the firewall, including whether the switch affects the communication of the customer system.
In this document, the Public IP is described as "203.0.113.1".
This procedure was verified with the following settings.
Settings of old FW1
#vrrp setting
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 virtual-address 10.0.10.100
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 priority 200
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 preempt
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 accept-data
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 virtual-address 192.168.1.100
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 priority 200
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 preempt
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 accept-data
#address-group setting
set security address-book global address SV01 192.168.1.11/32
#nat setting
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
#firewall setting
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
#zone setting
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
#application-set setting
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING
#system setting
set system host-name FW1
set system time-zone Asia/Tokyo
Settings of old FW2
#vrrp setting
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 virtual-address 10.0.10.100
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 priority 100
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 preempt
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 accept-data
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 virtual-address 192.168.1.100
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 priority 100
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 preempt
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 accept-data
#address-group setting
set security address-book global address SV01 192.168.1.11/32
#nat setting
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
#firewall setting
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
#zone setting
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
#application-set setting
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING
#system setting
set system host-name FW2
set system time-zone Asia/Tokyo
Switching image¶
The flow of switching the firewall (vSRX) is illustrated below.
Note
As a specification of vSRX, VRRP switching requires about 4 seconds in addition to Advertise Interval x 3 (the default), so about 7 seconds (measured by ICMP communication) are needed to complete the traffic switch. If communication via the new FW2 is NG and does not recover, refer to "13. Failback procedure" in this guide for the specific failback procedure.
Disconnect the interface of the old FW2.
Connect the interface of the new FW2, configure VRRP on the new-version firewall, and join the VRRP group already configured on the old FW1.
Work procedure¶
1.Prior confirmation¶
1-1.Saving the configuration of old FW1
1-1-1. Execute the following command to log in to the old FW1.
ubuntu@ubuntu:~$ ssh user@10.0.0.101
Password:
Last login: Wed Feb 12 15:16:33 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC
1-1-2. Execute the following command to check the VRRP status of the old FW1. Confirm that the VR state of each group is master or backup as configured and matches the expected state (here, old FW1 is master for both groups).
user@FW1> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  8.893 lcl    10.0.10.101
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A 10.864 lcl    192.168.1.101
                                                                vip    192.168.1.100
1-1-3. Save the settings.
Execute the following command and save the output to a file; it is the base of the new FW1 configuration.
user@FW1> show configuration | display set | no-more
Note
Use the saved configuration file as the base and change the host name, IP address settings, VRRP settings, etc. according to your environment. In this procedure the following changes were made: the host name becomes FW3 and the VRRP stanzas are removed (only the interface addresses are kept; VRRP is added again in step 10). Also delete the lines set by the service provider, which are unique to each instance (see "Description of the configuration set by the service provider").
set system host-name FW3
set system time-zone Asia/Tokyo
set security address-book global address SV01 192.168.1.11/32
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING
1-2. Saving the configuration of old FW2
1-2-1. Execute the following command to log in to the old FW2.
ubuntu@ubuntu:~$ ssh user@10.0.0.102
Password:
Last login: Wed Feb 12 15:17:26 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC
1-2-2. Execute the following command to check the VRRP status of the old FW2. Confirm that the VR state of each group is master or backup as configured and matches the expected state (here, old FW2 is backup for both groups, with old FW1 as master).
user@FW2> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D 59.186 lcl    10.0.10.102
                                                                vip    10.0.10.100
                                                                mas    10.0.10.101
ge-0/0/2.0    up            100   backup   Active      D 60.251 lcl    192.168.1.102
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101
1-2-3. Save the settings.
Execute the following command and save the output to a file; it is the base of the new FW2 configuration.
user@FW2> show configuration | display set | no-more
Note
Use the saved configuration file as the base and change the host name, IP address settings, VRRP settings, etc. according to your environment. In this procedure the following changes were made: the host name becomes FW4 and the VRRP stanzas are removed (only the interface addresses are kept; VRRP is added again in step 6).
Also, the configuration set by the service provider contains values unique to each instance, so refer to "Description of the configuration set by the service provider" (https://ecl.ntt.com/documents/tutorials/rsts/vSRX/providerconfiguration/providerconfiguration.html) and delete those lines when saving.
set system host-name FW4
set system time-zone Asia/Tokyo
set security address-book global address SV01 192.168.1.11/32
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING
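The transformation described in the two notes above (save the old FW's "display set" output, change the host name, strip the VRRP stanzas while keeping the interface addresses, delete the provider-set lines) can be scripted rather than edited by hand, and the result checked against the new FW after "load set". The following is an added example written for this page, not code from the ECL2.0 guide or from the service provider. It assumes provider-set lines are identified by a prefix list (the real list is in the linked provider-configuration document); the NTP line in the sample is a constructed stand-in for such a line, and the rest of the sample is the old FW1 configuration from this page.

```python
"""Added example: derive the load-set file for a new vSRX from the old FW's
'show configuration | display set' output (steps 1-1-3 / 1-2-3 by hand).
Assumptions: the host name is rewritten, VRRP stanzas are dropped (re-added
in steps 6 / 10) while the interface address is kept, and provider-set lines
are removed by prefix (constructed stand-in, see the guide's provider page)."""
import re

# Constructed sample: the old FW1 configuration from this guide plus one
# NTP line standing in for provider-set, instance-unique configuration.
OLD_FW1_SET = """\
#vrrp setting
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 virtual-address 10.0.10.100
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 priority 200
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 preempt
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 accept-data
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 virtual-address 192.168.1.100
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 priority 200
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 preempt
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 accept-data
set security address-book global address SV01 192.168.1.11/32
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING
set system host-name FW1
set system time-zone Asia/Tokyo
set system ntp server 192.0.2.10
"""

VRRP_STANZA = re.compile(r"\s+vrrp-group\s+\d+\s+.*$")
HOST_NAME = re.compile(r"^set system host-name \S+$")


def build_new_fw_config(old_set_text, new_hostname, drop_prefixes=()):
    """Return the set commands for the new FW, in the old FW's order.

    Order is kept on purpose: Junos evaluates security policies within a
    zone pair in configuration order, so the file must not be sorted."""
    out, seen = [], set()
    for raw in old_set_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # section comments, not config
        if any(line.startswith(p) for p in drop_prefixes):
            continue                      # provider-set, instance-unique lines
        if HOST_NAME.match(line):
            line = f"set system host-name {new_hostname}"
        elif " vrrp-group " in line:
            # keep only the interface address; VRRP is configured again later
            line = VRRP_STANZA.sub("", line)
        if line not in seen:              # 4 vrrp lines collapse to 1 address line
            seen.add(line)
            out.append(line)
    return out


def missing_lines(expected_lines, running_display_set_text):
    """Lines of the load-set file absent from 'show configuration | display set'
    on the new FW: the diff check this guide recommends after 'load set'."""
    running = {l.strip() for l in running_display_set_text.splitlines() if l.strip()}
    return [l for l in expected_lines if l not in running]


if __name__ == "__main__":
    new_cfg = build_new_fw_config(OLD_FW1_SET, "FW3", drop_prefixes=("set system ntp",))
    print("\n".join(new_cfg))   # 31 lines, the content of ChangeToDifferentVersion_PTN2_vSRX01.conf
```

The output is order-preserving, so it can be pasted as-is into the .conf file that step 3 transfers by SCP; after "load set" on the new FW, feed the result of "show configuration | display set" to missing_lines to confirm nothing was rejected.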
2.Creating a New FW¶
2-1. Create new FW1
2-1-1. Create a new FW1 from ECL2.0 Customer Portal.
Also, set the default gateway if necessary.
Note
The default gateway can be set with the customer portal only when Firewall is created.
Select the zone and group for which you want to create a firewall. Also, record the specified zone/group.
2-1-2. From the ECL2.0 Customer Portal, connect the created new FW1 ge-0/0/0.0 and the Logical Network.
Note
In order to connect to the management IF in "3. Save settings and transfer SCP" in this guide, connect only the management IF (here ge-0/0/0.0 is used).
2-2. Creating new FW2
2-2-1. Create a new FW2 from ECL2.0 Customer Portal.
Also, set the default gateway if necessary.
Note
The default gateway can be set with the customer portal only when Firewall is created.
For the zone/group selected when creating the new FW2, select a zone/group different from that of the new FW1.
2-2-2. From the ECL2.0 Customer Portal, connect the created new FW2 ge-0/0/0.0 and the Logical Network.
Note
In order to connect to the management IF in "3. Save settings and transfer SCP" in this guide, connect only the management IF (here ge-0/0/0.0 is used).
3.Save settings and transfer SCP¶
3-1. SCP transfer of the created config of new FW1
3-1-1. Connect the console to the new FW1.
Note
In this procedure, 10.0.0.111 is registered as the management address when creating vSRX.
3-1-2. Execute the following command to set the management IF for SCP connection.
user> configure
Entering configuration mode
[edit]
user# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
user# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
user# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.111/24
3-1-3. Execute the following command and confirm that the configuration you entered appears in the diff.
user# show | compare
3-1-4. Execute the following command to reflect the setting.
user# commit check
configuration check succeeds
user# commit
commit complete
3-1-5. Execute the following command on a host adjacent to the vSRX (here, a Linux terminal) to copy the file to the vSRX with SCP.
[server ~]# scp /home/user/ChangeToDifferentVersion_PTN2_vSRX01.conf user@10.0.0.111:/var/home/user/
Note
In our verification the file was transferred from a Linux terminal. When performing this procedure, adjust the SCP transfer destination directory (/var/home/user/) and the rest of the command to your environment.
3-1-6. Log in to the vSRX again and execute the following command to check the file transferred by SCP.
user> file show ?
Possible completions:
<filename> Filename to show
PTN1-loadset_20200207 Size: 4683, Last changed: Feb 07 08:41:42
ChangeToDifferentVersion_PTN2_vSRX01.conf Size: 2549, Last changed: Feb 12 05:16:08
encoding Encode file contents
rollback-config_20200207 Size: 6963, Last changed: Feb 07 02:15:12
user> file show ChangeToDifferentVersion_PTN2_vSRX01.conf
set system host-name FW3
set system time-zone Asia/Tokyo
set security address-book global address SV01 192.168.1.11/32
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING
3-2. SCP transfer of the created config of new FW2
3-2-1. Connect the console to the new FW2.
Note
In this procedure, 10.0.0.112 is registered as the management address when creating vSRX.
3-2-2. Execute the following command to set the management IF for SCP connection.
user> configure
Entering configuration mode
[edit]
user# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
user# set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
user# set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.112/24
3-2-3. Execute the following command and confirm that the configuration you entered appears in the diff.
user# show | compare
3-2-4. Execute the following command to reflect the setting.
user# commit check
configuration check succeeds
user# commit
commit complete
3-2-5. Execute the following command on a host adjacent to the vSRX (here, a Linux terminal) to copy the file to the vSRX with SCP.
[server ~]# scp /home/user/ChangeToDifferentVersion_PTN2_vSRX02.conf user@10.0.0.112:/var/home/user/
Note
In our verification the file was transferred from a Linux terminal. When performing this procedure, adjust the SCP transfer destination directory (/var/home/user/) and the rest of the command to your environment.
3-2-6. Log in to the vSRX again and execute the following command to check the file transferred by SCP.
user> file show ?
Possible completions:
<filename> Filename to show
ChangeToDifferentVersion_PTN2_vSRX02.conf Size: 2549, Last changed: Feb 12 05:15:52
encoding Encode file contents
rollback-config_20200207 Size: 6963, Last changed: Feb 07 02:15:49
user> file show ChangeToDifferentVersion_PTN2_vSRX02.conf
set system host-name FW4
set system time-zone Asia/Tokyo
set security address-book global address SV01 192.168.1.11/32
set security nat source rule-set RULE from zone trust
set security nat source rule-set RULE to zone untrust
set security nat source rule-set RULE rule 10 match source-address 192.168.0.0/16
set security nat source rule-set RULE rule 10 then source-nat interface
set security nat destination pool POOL1 address 192.168.1.11/32
set security nat destination rule-set RULE from zone untrust
set security nat destination rule-set RULE rule 10 match destination-address 203.0.113.1/32
set security nat destination rule-set RULE rule 10 then destination-nat pool POOL1
set security policies from-zone trust to-zone untrust policy rule_10 match source-address any
set security policies from-zone trust to-zone untrust policy rule_10 match destination-address any
set security policies from-zone trust to-zone untrust policy rule_10 match application HTTP_PING
set security policies from-zone trust to-zone untrust policy rule_10 then permit
set security policies from-zone trust to-zone untrust policy rule_10 then log session-init
set security policies from-zone trust to-zone untrust policy rule_10 then log session-close
set security policies from-zone untrust to-zone trust policy rule_10 match source-address any
set security policies from-zone untrust to-zone trust policy rule_10 match destination-address SV01
set security policies from-zone untrust to-zone trust policy rule_10 match application HTTP_PING
set security policies from-zone untrust to-zone trust policy rule_10 then permit
set security policies from-zone untrust to-zone trust policy rule_10 then log session-init
set security policies from-zone untrust to-zone trust policy rule_10 then log session-close
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols vrrp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24
set applications application HTTP application-protocol http
set applications application PING protocol icmp
set applications application-set HTTP_PING application HTTP
set applications application-set HTTP_PING application PING
4.Disconnect the interface of the old FW2¶
Note
After this step, the firewall redundancy is released and the old FW1 operates alone (single configuration) until the new FW2 joins VRRP in step 6.
4-1. Disconnect the old FW2 from the logical network.
4-1-1. From the ECL2.0 Customer Portal, remove the VRRP communication settings registered on the interfaces of the old FW2.
4-1-2. Disconnect the old FW2 from the logical network from the ECL2.0 Customer Portal.
5.Connection of new FW2 and setting input¶
5-1. Connect the new FW.
5-1-1. Connect the Logical Network to the created new FW2 from ECL2.0 Customer Portal.
Note
Do this for every interface that needs to be connected to a logical network. Set the interface IP addresses to the same addresses the old FW2 used, and use the same virtual IP address for VRRP as the old FW.
5-1-2. From the ECL2.0 Customer Portal, register the communication settings for VRRP on the interface of the new FW2 on the relevant interface.
5-2. Input the settings to the new FW.
5-2-1. Execute the following command to log in to the new FW2.
ubuntu@ubuntu:~$ ssh user@10.0.0.112
Password:
Last login: Wed Feb 12 07:43:43 2020 from 10.0.0.254
--- JUNOS 19.2R1.8 Kernel 64-bit JNPR-11.0-20190517.f0321c3_buil
5-2-2. Execute the following command to enter configuration mode; when the prompt changes to #, load the configuration file created from the backup of the old FW2.
Note
Please confirm that the contents of the configuration to be input have been modified for the new FW2.
user> configure
Entering configuration mode
[edit]
user# load set ChangeToDifferentVersion_PTN2_vSRX02.conf
load complete
[edit]
5-2-3. Execute the following command and check the difference with the config that was set.
user# show | compare
Note
If the loaded configuration is large, compare the output of show configuration | display set with the loaded file using a tool such as diff.
5-2-4. Execute the following command to reflect the settings and import the new FW2 config.
user# commit check
configuration check succeeds
user# commit
commit complete
6.New FW VRRP settings added¶
6-1. Set VRRP of new FW2.
6-1-1. Execute the following command to log in to the new FW2.
ubuntu@ubuntu:~$ ssh user@10.0.0.112
Password:
Last login: Fri Feb 7 16:07:30 2020 from 10.0.0.254
--- JUNOS 19.2R1.8 Kernel 64-bit JNPR-11.0-20190517.f0321c3_buil
6-1-2. To enter the configuration mode, execute the following command, and when the prompt changes to #, paste the VRRP setting input configuration.
#VRRP setting
user@FW4> configure
Entering configuration mode
[edit]
user@FW4# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 virtual-address 10.0.10.100
user@FW4# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 priority 100
user@FW4# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 preempt
user@FW4# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.102/24 vrrp-group 10 accept-data
user@FW4# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 virtual-address 192.168.1.100
user@FW4# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 priority 100
user@FW4# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 preempt
user@FW4# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.102/24 vrrp-group 100 accept-data
6-1-3. Execute the following command and confirm that the VRRP configuration you entered appears in the diff.
user@FW4# show | compare
6-1-4. Execute the following command to reflect the new FW2 settings.
user@FW4# commit check
configuration check succeeds
user@FW4# commit
commit complete
6-1-5. Execute the following command to check the VRRP status of the firewall (old FW1, new FW2).
user@FW1> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  2.621 lcl    10.0.10.101
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A 14.442 lcl    192.168.1.101
                                                                vip    192.168.1.100
user@FW4> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D 55.385 lcl    10.0.10.102
                                                                vip    10.0.10.100
                                                                mas    10.0.10.101
ge-0/0/2.0    up            100   backup   Active      D 48.355 lcl    192.168.1.102
                                                                vip    192.168.1.100
                                                                mas    192.168.1.101
7.Switching FW¶
7-1. Change the Priority of the old FW1.
7-1-1. Execute the following command to log in to the old FW1.
ubuntu@ubuntu:~$ ssh user@10.0.0.101
Password:
Last login: Wed Feb 12 16:59:20 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC
7-1-2. Execute the following command to check the VRRP status of the firewall (old FW1, new FW2).
user@FW1> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A 16.776 lcl    10.0.10.101
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  8.133 lcl    192.168.1.101
                                                                vip    192.168.1.100
7-1-3. Execute the following command to enter configuration mode; when the prompt changes to #, paste the configuration that lowers the VRRP priority of the old FW1 below that of the new FW2 (100) so that the new FW2 takes over as master.
#VRRP setting
user@FW1> configure
Entering configuration mode
[edit]
user@FW1# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 priority 50
user@FW1# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 priority 50
7-1-4. Execute the following command and confirm that the priority change appears in the diff.
user@FW1# show | compare
7-1-5. Execute the following command to commit the setting on the old FW1.
user@FW1# commit check
configuration check succeeds
user@FW1# commit
commit complete
Note
As a specification of vSRX, VRRP switching time requires about 4 seconds in addition to Advertise Interval x 3 times by default, so about 7 seconds (measured by ICMP communication) is required to complete traffic switching.
7-1-6. Execute the following command to check the VRRP status of the firewall (old FW1, new FW2).
user@FW1> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D 47.035 lcl    10.0.10.101
                                                                vip    10.0.10.100
                                                                mas    10.0.10.102
ge-0/0/2.0    up            100   backup   Active      D 46.588 lcl    192.168.1.101
                                                                vip    192.168.1.100
                                                                mas    192.168.1.102
user@FW4> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  3.097 lcl    10.0.10.102
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  0.262 lcl    192.168.1.102
                                                                vip    192.168.1.100
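The "show vrrp" check is repeated at steps 1-1-2, 1-2-2, 6-1-5 and 7-1-6, each time with a different expected role per group, and a wrong reading (for example proceeding to disconnect the old FW1 while it is still master) is the costly mistake in this procedure. The following is an added example written for this page, not code from the ECL2.0 guide or from Juniper: it parses the "show vrrp" text and compares every group against an expectation table. The two sample outputs are the post-switch outputs shown above; the expectation tables are assumptions that encode this guide's addressing.

```python
"""Added example: parse 'show vrrp' output and check each VRRP group is in
the role the procedure expects at this step.  Samples are the guide's
post-switch outputs; EXPECT_* tables are assumptions for this guide's
addresses (VIPs 10.0.10.100 / 192.168.1.100)."""
import re

MAIN_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<state>\S+)\s+(?P<group>\d+)\s+(?P<vr_state>\S+)\s+"
    r"(?P<mode>\S+)\s+(?P<ttype>[AD])\s*(?P<timer>[\d.]+)\s*lcl\s+(?P<lcl>\S+)\s*$")
SUB_LINE = re.compile(r"^\s*(?P<kind>vip|mas)\s+(?P<addr>\S+)\s*$")

# Constructed samples, copied from the guide's step 7-1-6 output.
OLD_FW1_AFTER = """\
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup   Active      D 47.035 lcl    10.0.10.101
                                                                vip    10.0.10.100
                                                                mas    10.0.10.102
ge-0/0/2.0    up            100   backup   Active      D 46.588 lcl    192.168.1.101
                                                                vip    192.168.1.100
                                                                mas    192.168.1.102
"""
NEW_FW2_AFTER = """\
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  3.097 lcl    10.0.10.102
                                                                vip    10.0.10.100
ge-0/0/2.0    up            100   master   Active      A  0.262 lcl    192.168.1.102
                                                                vip    192.168.1.100
"""

# Expected role per (interface, group): (VR state, VIP, master address or None)
EXPECT_OLD_FW1_AFTER = {
    ("ge-0/0/1.0", 10):  ("backup", "10.0.10.100", "10.0.10.102"),
    ("ge-0/0/2.0", 100): ("backup", "192.168.1.100", "192.168.1.102"),
}
EXPECT_NEW_FW2_AFTER = {
    ("ge-0/0/1.0", 10):  ("master", "10.0.10.100", None),
    ("ge-0/0/2.0", 100): ("master", "192.168.1.100", None),
}


def parse_show_vrrp(text):
    """Map (interface, group) -> {state, vr_state, lcl, vip, mas}.

    Tolerates the timer value running into 'lcl' (e.g. '14.442lcl'), which
    happens when the column is wide."""
    groups, current = {}, None
    for line in text.splitlines():
        m = MAIN_LINE.match(line)
        if m:
            current = (m["iface"], int(m["group"]))
            groups[current] = {"state": m["state"], "vr_state": m["vr_state"],
                               "lcl": m["lcl"], "vip": None, "mas": None}
            continue
        s = SUB_LINE.match(line)
        if s and current is not None:     # 'vip' / 'mas' continuation lines
            groups[current][s["kind"]] = s["addr"]
    return groups


def check_vrrp(groups, expected):
    """Return a list of mismatches; an empty list means the state is as expected."""
    problems = []
    for key, (want_state, want_vip, want_mas) in expected.items():
        g = groups.get(key)
        if g is None:
            problems.append(f"{key}: group not present in show vrrp")
            continue
        if g["state"] != "up":
            problems.append(f"{key}: interface state {g['state']}, expected up")
        if g["vr_state"] != want_state:
            problems.append(f"{key}: VR state {g['vr_state']}, expected {want_state}")
        if g["vip"] != want_vip:
            problems.append(f"{key}: vip {g['vip']}, expected {want_vip}")
        if want_state == "backup" and g["mas"] != want_mas:
            problems.append(f"{key}: master is {g['mas']}, expected {want_mas}")
    for key in groups.keys() - expected.keys():
        problems.append(f"{key}: unexpected VRRP group")
    return problems


if __name__ == "__main__":
    for name, text, expect in (("old FW1", OLD_FW1_AFTER, EXPECT_OLD_FW1_AFTER),
                               ("new FW2", NEW_FW2_AFTER, EXPECT_NEW_FW2_AFTER)):
        print(name, check_vrrp(parse_show_vrrp(text), expect) or "OK")
```

Before step 8 (disconnecting the old FW1), run the check with the post-switch tables above; before step 4, swap in tables with the old FW1 as master and the old FW2 as backup with mas 10.0.10.101 / 192.168.1.101.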
7-1-7. Please check the communication through the firewall (HTTP communication etc.)
Note
If communication remains NG and does not recover, perform a failback. (For the specific procedure, see "13. Failback procedure" in this guide.)
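The communication check in 7-1-7 is easier to judge against the note's expected switching time (about 4 seconds plus Advertise Interval x 3, about 7 seconds with the defaults) if ping is left running against the VIP from a client during the priority change and the gap in sequence numbers is measured. The following is an added example written for this page, not code from the ECL2.0 guide; it assumes ping was run with a 1-second interval, and the log it parses is constructed, not captured.

```python
"""Added example: measure the VRRP switchover outage from a 'ping' run
against the VIP during step 7 and compare it with the time this guide
states.  Assumes a 1-second ping interval; PING_LOG is constructed."""
import re

SEQ_RE = re.compile(r"icmp_seq=(\d+)")

# Constructed sample: replies stop after seq 5 and resume at seq 13.
PING_LOG = """\
64 bytes from 10.0.10.100: icmp_seq=3 ttl=64 time=0.41 ms
64 bytes from 10.0.10.100: icmp_seq=4 ttl=64 time=0.39 ms
64 bytes from 10.0.10.100: icmp_seq=5 ttl=64 time=0.40 ms
64 bytes from 10.0.10.100: icmp_seq=13 ttl=64 time=0.52 ms
64 bytes from 10.0.10.100: icmp_seq=14 ttl=64 time=0.44 ms
"""


def expected_switch_seconds(advertise_interval_s=1.0, vsrx_overhead_s=4.0):
    """3 x advertise interval (the VRRP master-down interval) plus the
    roughly 4 s of vSRX overhead quoted in this guide: 7 s with defaults."""
    return 3 * advertise_interval_s + vsrx_overhead_s


def outage_windows(ping_log, interval_s=1.0):
    """Return (first_lost_seq, lost_count, seconds) for every gap in icmp_seq."""
    seqs = [int(m.group(1)) for m in SEQ_RE.finditer(ping_log)]
    return [(a + 1, b - a - 1, (b - a - 1) * interval_s)
            for a, b in zip(seqs, seqs[1:]) if b - a > 1]


def longest_outage_seconds(ping_log, interval_s=1.0):
    """Largest gap in the log, 0.0 if no reply was lost."""
    return max((w[2] for w in outage_windows(ping_log, interval_s)), default=0.0)


def switch_within_expected(ping_log, interval_s=1.0, slack_s=1.0):
    """True when the longest gap is no worse than the guide's figure plus slack."""
    return longest_outage_seconds(ping_log, interval_s) <= expected_switch_seconds() + slack_s


if __name__ == "__main__":
    print(outage_windows(PING_LOG), switch_within_expected(PING_LOG))
```

A gap much longer than the expected figure, or one that never closes, is the "communication remains NG" case of the note above and the cue to start the failback procedure rather than wait.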
8.Disconnection of old FW1¶
Note
After this step, the firewall redundancy is released and the new FW2 operates alone (single configuration) until the new FW1 joins VRRP in step 10.
8-1. Disconnect the connection with the old FW1 Logical Network.
8-1-1. From the ECL2.0 Customer Portal, disconnect the old FW1 from the logical network.
8-1-2. From the ECL2.0 Customer Portal, remove the VRRP communication settings registered on the interfaces of the old FW1.
9. Connection of new FW1 and setting input¶
9-1. Connect the new FW.
9-1-1. From the ECL2.0 Customer Portal, connect the Logical Network to the new FW1 that you created.
Note
Repeat this for every interface that must be connected to the logical network. Assign each interface the same IP address as the corresponding interface of the old FW, and use the same virtual IP address for VRRP as on the old FW.
9-1-2. From the ECL2.0 Customer Portal, register the VRRP communication settings for the relevant interface of the new FW1.
9-2. Input settings to the new FW.
9-2-1. Execute the following command to log in to the new FW1.
ubuntu@ubuntu:~$ ssh user@10.0.0.111
Password:
Last login: Fri Feb 7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC
9-2-2. Execute the following command to enter configuration mode, and when the prompt changes to #, load the configuration file created from the backup of the old FW1.
Note
Please confirm that the configuration to be loaded has been modified for the new FW1.
user> configure
Entering configuration mode
[edit]
user# load set ChangeToDifferentVirsion_PTN2_vSRX01.conf
load complete
9-2-3. Execute the following command and check that the loaded configuration is shown as a difference.
user# show | compare
Note
If the configuration is large, compare the output of show configuration | display set with the configuration you loaded, using a tool such as diff.
9-2-4. Execute the following command to apply the settings and commit the firewall configuration.
user# commit check
configuration check succeeds
user# commit
commit complete
10. Add VRRP settings to the new FW¶
10-1. Set up VRRP on the new FW1.
10-1-1. Execute the following command to log in to the new FW1.
ubuntu@ubuntu:~$ ssh user@10.0.0.111
Password:
Last login: Fri Feb 7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC
10-1-2. Execute the following command to enter configuration mode, and when the prompt changes to #, paste the VRRP configuration.
#VRRP setting
user@FW3> configure
Entering configuration mode
[edit]
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 virtual-address 10.0.10.100
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 priority 50
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 preempt
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 accept-data
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 virtual-address 192.168.1.100
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 priority 50
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 preempt
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 accept-data
10-1-3. Execute the following command and confirm that the configuration you just entered is shown as a difference.
user@FW3# show | compare
10-1-4. Execute the following command to apply the settings and commit the new FW1 configuration.
user@FW3# commit check
configuration check succeeds
user@FW3# commit
commit complete
10-1-5. Execute the following command to check the VRRP status of the firewalls (new FW1, new FW2).
user@FW3> show vrrp
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup         Active    D 56.216 lcl    10.0.10.101
                                                                    vip    10.0.10.100
                                                                    mas    10.0.10.102
ge-0/0/2.0    up            100   backup         Active    D 57.452 lcl    192.168.1.101
                                                                    vip    192.168.1.100
                                                                    mas    192.168.1.102
user@FW4> show vrrp
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master         Active    A 3.260  lcl    10.0.10.102
                                                                    vip    10.0.10.100
ge-0/0/2.0    up            100   master         Active    A 16.428 lcl    192.168.1.102
                                                                    vip    192.168.1.100
11. Switching FW¶
11-1. Change the priority of the new FW1.
11-1-1. Execute the following command to log in to the new FW1.
ubuntu@ubuntu:~$ ssh user@10.0.0.111
Password:
Last login: Fri Feb 7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC
11-1-2. Execute the following command to enter configuration mode, and when the prompt changes to #, paste the VRRP switchover configuration.
#VRRP setting
user@FW3> configure
Entering configuration mode
[edit]
user@FW3# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 priority 200
user@FW3# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 priority 200
11-1-3. Execute the following command and confirm that the configuration you just entered is shown as a difference.
user@FW3# show | compare
11-1-4. Execute the following command to apply the settings and commit the new FW1 configuration.
user@FW3# commit check
configuration check succeeds
user@FW3# commit
commit complete
11-1-5. Execute the following command to check the VRRP status of the firewalls (new FW1, new FW2).
user@FW3> show vrrp
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master         Active    A 4.333  lcl    10.0.10.101
                                                                    vip    10.0.10.100
ge-0/0/2.0    up            100   master         Active    A 0.555  lcl    192.168.1.101
                                                                    vip    192.168.1.100
user@FW4> show vrrp
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup         Active    D 56.716 lcl    10.0.10.102
                                                                    vip    10.0.10.100
                                                                    mas    10.0.10.101
ge-0/0/2.0    up            100   backup         Active    D 52.935 lcl    192.168.1.102
                                                                    vip    192.168.1.100
                                                                    mas    192.168.1.101
11-1-6. Check that communication through the firewall works (HTTP communication, etc.).
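The VRRP status checks in steps 10-1-5 and 11-1-5 are done by eye in this guide. As an added example that is not part of the original guide, the following Python script parses pasted "show vrrp" output and verifies that the intended master/backup roles, the shared virtual IP, and the master address reported by the backup agree across both nodes; the sample input is the step 11-1-5 output, embedded here as constructed test data rather than read from a device.

```python
import re

# Constructed sample input: the two "show vrrp" outputs from step 11-1-5
# (new FW1 as master, new FW2 as backup), embedded here instead of a live device.
NEW_FW1 = """\
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master         Active    A 4.333  lcl    10.0.10.101
                                                                    vip    10.0.10.100
ge-0/0/2.0    up            100   master         Active    A 0.555  lcl    192.168.1.101
                                                                    vip    192.168.1.100
"""
NEW_FW2 = """\
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup         Active    D 56.716lcl    10.0.10.102
                                                                    vip    10.0.10.100
                                                                    mas    10.0.10.101
ge-0/0/2.0    up            100   backup         Active    D 52.935 lcl    192.168.1.102
                                                                    vip    192.168.1.100
                                                                    mas    192.168.1.101
"""

# A group row; "\s*lcl" also accepts the "56.716lcl" form that pasted output often has.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+[AD]\s+[\d.]+\s*lcl\s+(\S+)")
CONT = re.compile(r"^\s+(vip|mas)\s+(\S+)")  # continuation rows under a group

def parse_show_vrrp(text: str) -> dict:
    """Return {group: {interface, state, lcl, vip, mas}} from 'show vrrp' text."""
    groups, cur = {}, None
    for line in text.splitlines():
        if m := ROW.match(line):
            cur = {"interface": m[1], "state": m[4], "lcl": m[6], "vip": None, "mas": None}
            groups[int(m[3])] = cur
        elif (c := CONT.match(line)) and cur is not None:
            cur[c[1]] = c[2]
    return groups

def check_pair(master_out: str, backup_out: str) -> list:
    """List problems if the expected master/backup pair is not in a consistent state."""
    m, b = parse_show_vrrp(master_out), parse_show_vrrp(backup_out)
    problems = []
    for grp in sorted(set(m) | set(b)):
        if grp not in m or grp not in b:
            problems.append(f"group {grp}: present on only one node")
        elif m[grp]["state"] != "master" or b[grp]["state"] != "backup":
            problems.append(f"group {grp}: roles are {m[grp]['state']}/{b[grp]['state']}")
        elif m[grp]["vip"] != b[grp]["vip"]:
            problems.append(f"group {grp}: VIP differs ({m[grp]['vip']} vs {b[grp]['vip']})")
        elif b[grp]["mas"] != m[grp]["lcl"]:
            problems.append(f"group {grp}: backup sees master {b[grp]['mas']}, expected {m[grp]['lcl']}")
    return problems
```

For the pre-switchover check in step 10-1-5, call check_pair with the new FW2 output as the first argument and the new FW1 output as the second; an empty list means the pair is in the expected state.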
12. Delete old FW¶
**Perform this procedure only after confirming that communication is stable after the switchover.**
12-1. From the ECL2.0 Customer Portal, go to Network → Firewall and display the list of firewalls.
12-2. Delete the firewall (old FW1) from the ECL2.0 Customer Portal.
Note
Check again that the firewall to be deleted (old FW1) is correctly selected.
12-3. Delete the firewall (old FW2) from the ECL2.0 Customer Portal.
Note
Perform this step only after confirming that the old FW1 has been deleted. Check again that the firewall to be deleted (old FW2) is correctly selected.
Note
This completes the work procedure for normal execution.
Below is a description of the switchback procedure and an example of the input configuration.
13. Switchback procedure¶
13-1. Change the priority of the old FW1.
13-1-1. Execute the following command to log in to the old FW1.
ubuntu@ubuntu:~$ ssh user@10.0.0.101
Password:
Last login: Fri Feb 7 16:07:30 2020 from 10.0.0.254
--- JUNOS 15.1X49-D105.1 built 2018-03-28 00:45:38 UTC
13-1-2. Execute the following command to enter configuration mode, and when the prompt changes to #, paste the VRRP switchback configuration.
user> configure
Entering configuration mode
[edit]
user@FW1# set interfaces ge-0/0/1 unit 0 family inet address 10.0.10.101/24 vrrp-group 10 priority 200
user@FW1# set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.101/24 vrrp-group 100 priority 200
13-1-3. Execute the following command and confirm that the configuration you just entered is shown as a difference.
user@FW1# show | compare
13-1-4. Execute the following command to apply the settings and commit the old FW1 configuration.
user@FW1# commit check
configuration check succeeds
user@FW1# commit
commit complete
13-1-5. Execute the following command to check the VRRP status of the firewall (old FW1, new FW2).
user@FW1> show vrrp
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master         Active    A 8.893  lcl    10.0.10.101
                                                                    vip    10.0.10.100
ge-0/0/2.0    up            100   master         Active    A 10.864 lcl    192.168.1.101
                                                                    vip    192.168.1.100
user@FW4> show vrrp
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup         Active    D 56.716 lcl    10.0.10.102
                                                                    vip    10.0.10.100
                                                                    mas    10.0.10.101
ge-0/0/2.0    up            100   backup         Active    D 52.935 lcl    192.168.1.102
                                                                    vip    192.168.1.100
                                                                    mas    192.168.1.101
13-1-6. Check that communication through the firewall works (HTTP communication, etc.).
Note
Communication via VRRP is restored.
13-2. Disconnect the interfaces of the new FW2.
Note
After this step, the firewall redundancy is removed and the firewall operates as a single instance.
13-2-1. Disconnect the new FW2 from the logical network.
13-2-2. From the ECL2.0 Customer Portal, cancel the VRRP communication settings on the new FW2 interface.
13-2-3. From the ECL2.0 Customer Portal, disconnect the new FW2 from the Logical Network.
13-3. Connect the old FW2.
13-3-1. From the ECL2.0 Customer Portal, connect the logical network to the old FW2.
Note
Repeat this for every interface to be connected to the logical network.
13-3-2. From the ECL2.0 Customer Portal, register the VRRP communication settings for the relevant interface of the old FW2.
13-3-3. Execute the following command to check the VRRP status of the firewalls (old FW1, old FW2).
user@FW1> show vrrp
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master         Active    A 8.893  lcl    10.0.10.101
                                                                    vip    10.0.10.100
ge-0/0/2.0    up            100   master         Active    A 10.864 lcl    192.168.1.101
                                                                    vip    192.168.1.100
user@FW2> show vrrp
Interface     State       Group   VR state       VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   backup         Active    D 59.186 lcl    10.0.10.102
                                                                    vip    10.0.10.100
                                                                    mas    10.0.10.101
ge-0/0/2.0    up            100   backup         Active    D 60.251 lcl    192.168.1.102
                                                                    vip    192.168.1.100
                                                                    mas    192.168.1.101
13-3-4. Check that communication through the firewall works (HTTP communication, etc.).