2.1.2.2. HA Configuration Interface Setting

2.1.2.2.1. Default Value : Interface

By default, any interface has been set up.

Port 1 is reserved in advance as a necessary port for this menu and is not shown.
Port 2 and 3 are necessary ports. The message indicating these ports have been set in advance; the user cannot change the setting.
[ Port 4 - Port 10 ] are interfaces available for customers.

2.1.2.2.2. Setting Items : Interface

Following are the setting items as described follows:

Items

Values

Description

Port

[ Port 4- Port 10 ]

Port number is shown. Edit is unable.

Enable Port

[ ✔ ] (Marking to the checkbox)

Marking to the [ Enable Port ] box allows you to input parameters.
On the other hand, if you have unmarked to the checkbox, the inpute value will clear.
MTU Size 100-1500 [byte]
Specify MTU size of the interface
Default is 1500 bytes.

Device ID

UTM-XXXXXX
The device name for each HA pair of the user.
Editing is unable.
IP Address [CIDR] XXX.XXX.XXX.XXX/24
Input an IP Address being assigned to a port.
You need to specify any IP address, by selecting from the following IP address range of the Subnet ID & the Network ID.
For subnet masks, you need to input ones in CIDR format.

For HA configuration, allocate IP address for each HA pair device.

Network ID

( Select from the List )

Select any Network ID, which you want to use, from your Network list.

Subnet ID

( Select from the List )

Select a specific Subnet ID from the available Subnet list in your selected Logical Network.

VRRP Group ID

( Select from the List )

Select the VRRP Group ID

Use the same Group ID for all interfaces.
Interfaces using the same Group ID synchronized operates Master-Slave. For example, when the External side of an interface fails over, the Internal side of the interface using the same Group ID will fails over.
VRRP ID

( Select from the List )

Select the VRRP ID.

Each interface requires different VRRP ID.
In case the user employs VRRP for the other device used in a pair, it is necessary to set different VRRP ID for it.
VRRP IP XXX.XXX.XXX.XXX
Enter the IP address for VRRP.
Subnet mask is not required.
Virtual MAC XX:XX:XX:XX:XX:XX
After the user complete the setting of Manage Interfaces, a Virtual MAC address is automatically allocated.
Editing is unable.
Preempt

[ ✔ ] (Marking to the checkbox)

The user can choose whether the Preempt mode is applied or not. By ticking, the Preempt mode turns on.

With the Preempt mode, fail back is automatically performed at the timing when the device recognizes the preconditions for it.
For devices under the same Group ID, the Preempt mode status of those should be consistent.
Comment

(Half-width alphabetic characters & half-width numbers)

The user can enter comments.
Fill in your comment by using less than 225 letters. You can NOT utilize any two-bytes characters, such as Japanese.

Note

  • When using VRRP, "enable" the DHCP function (address setting function) of the logical network to be connected.
    If the DHCP function has been "disabled", an ARP request is executed with source address 0.0.0.0 with respect to the network of NTT Com.
    It has been confirmed through an NTT-supplied Load Balancer, Managed FW/UTM, and others that an ARP reply is not returned in this case. Redundancy by VRRP is affected and communication disconnection may be continued when switching is made.

2.1.2.2.3. Unauthorized IP addresses

The following IP addresses are not available for Interface, Routing, Address objects, Destination NAT and Source NAT.
When using these IP addresses, the operation may cause an error.
  • 100.65.0.0/16
  • 100.66.0.0/15
  • 100.68.0.0/14
  • 100.72.0.0/14
  • 100.76.0.0/15
  • 100.78.0.0/16
  • 100.80.0.0/13
  • 100.88.0.0/15
  • 100.91.0.0/16
  • 100.92.0.0/14
  • 100.126.0.0/15

2.1.2.2.4. Prohibit VRRP ID

Following VRRP ID cannot be used as Managed Firewall/UTM and the devices connected to Managed Firewall/UTM.
  • ID 11(Virtual MAC address00:00:5e:00:01:0b)


2.1.2.2.5. Preparing for a New Settings

  1. Click the [ Cluster Port Management ] on the [ Network Management ] screen to see the details of the [ Network Management ].
    In case of HA Configuration, [UTM Port Managemen] is not used.
    TOP

  1. To enable the user network information to be referred to, click and select the device to be set, and then click [ Get Network Info ].
    Port Management

  1. [ Task Status ] is displayed. When completed normally, the task status of "Get Network Info" turns green. Click [x] to close the window.
    Task Status

  1. Select the target HA pair for setting by clicking, and click the [ Manage Interfaces ].
    All port numbers open the same screen.
    デバイス選択

  1. The [ Manage Interface ] screen will be opened. Port 2 and 3 will not be shown.
    Select the target port for setting, then click [ Edit ].
    Manage Interfaces

  1. Enter the setting value by ticking [ Enable Port ].
    ポート設定

Note

Please remind the issues below when entering the setting value.
  • Actual IP Address and Virtual IP Address (VRRP IP) for Each Device
    As the example below, allocate an actual IP address to each device and set a virtual IP address (VRRP) for it.
    Example:
    Enter 192.168.2.101/24 for the first device.
    Enter 192.168.2.102/24 for the second device.

    In case of IP Address[CIDR], use the CIDR style.
    CIDR style: IP address/subnet (prefix length)
    For VRRP IP address, enter the IP address simply without using the CIDR style.
  • VRRP Group ID
    VRRP Group ID tracks status (Master and Slave) on all interfaces which use the same Group ID.
    Use the same Group ID for the interface allocated to Port 4 - 10 in a device (within a HA pair)for VRRP setting. In case any different Group ID is used, the appropriate operation may not run normally when a failover occurs.
  • VRRP ID
    VRRP ID is linked with virtual MAC address. VRRP ID and allocated virtual MAC is defined among companies commonly in accordance with the rules below:
    VRRP ID

    Virtual MAC Adress

    1 00:00:5e:00:01:01
    2 00:00:5e:00:01:02
    ... ...
    10 00:00:5e:00:01:0a
    ... ...
    20 00:00:5e:00:01:14
    ... ...
    70 00:00:5e:00:01:46
    In case using VRRP at the other device in pair for Managed Firewall and Managed UTM, each device needs different VRRP ID separately. If both devices use the same VRRP ID, they cannot communicate normally.
  • ID 11 (virtual MAC address 00: 00: 5e: 00: 01: 0b) can not be used as the VRRP ID of the Managed Firewall / UTM and adjacent devices.

  1. After inputting the setting value, click the [ Save ] button. The saved data is not applied to the device with only this action.

    ポート設定保存

Once you have prepared for the port settings, please accordingly apply for the new settings by following the procedure of [ Applying configuration ].


2.1.2.2.6. Applying the new Settings

The process for setting applying is commonly used for single configuration and HA configuration.

  1. Once you have prepared a port being utilized, click [ NOW RUN ] at the Manage Interface screen.
    ポート設定適用

  1. [ Task Status ] is displayed.
    ポート設定適用3

    Following describes respective task statuses.

    Task Colors

     

    Task Status

    Gray

    [ Gray ]

    Unexcuted Task

    Blue

    [ Blue ]

    Processing Task

    Green

    [ Green ]

    Task completed normally

    Red

    [ Red ]

    Task with Unknown-Issues.


  1. When completed normally, all statuses turn green. Click [x] to close the window.
    ポート設定適用4

2.1.2.2.7. Task Status and Error Solution (Red)

Note

Any error (red status) caused at applying the interface setting may negative impacts on the user's communication. Please make sure to check the details of the error and correct it before all tasks are completed.


Occurrence of an error results in display like this in [ Task Status ].
実行ステータス

If [ Task Status ] has been closed, an error is indicated by [ Status ] of Port Management, and the buttons of Get Network Info and Manage Interface are disabled until the problem is solved.
ステータスエラー

If clicking the area which show [ Status ] and [ Message ], the history is displayed. On the history, the status of an error occurrence process turns red, and part of the error information is displayed in [ Details ] area.
To recover from the error, click [ Status Detail Display ] at the right end, followed by display of [ Task Status ].
ポート設定適用4

Regarding an error occurrence task, the [ Continue Task ] button is displayed to the right of Details.
実行ステータス

Clicking the [ Continue Task ] button causes the problematic setting screen to be displayed. Refer to the message in Details and correct the setting values.

In the example above where "Below IP Address / MTU inputs are Not OK. Please correct the values before running the Process again. IP Address XXX.XX.XX.XX is not in CIDR format." is shown, click the [ Continue Task ] button, correct the IP address, and then click [ Run Now ] again.

Note

In case of the example above, the error message was brought because IP Address[CIDR] was not in the CIDR style.
The [IP Address[CIDR]]needs to be input with the CIDR style as the example below.
Example:
192.168.2.100/24
[IP Address]+[/]+[Subnet]

Click [ Run Now ] after your updating settings, then Tasks Status screen will get back. [ Applying Configuration ] will resume.
Wait for a moment until the last task is completed normally.
実行ステータス3

Click [ × ] at the [ Task Status ] screen as shown below:
実行ステータス4

This section explains task status. When a red status appears, check the task's name (status), details and necessary actions on incident occurrence in the table below. Then, execute retry.

Note

  • If the applying process is interrupted before the error is corrected, the user's Managed Firewall/UTM will keep its status being in shutdown, unconnected, no updated setting.

  • In case the error failed to be corrected by retrying, please inform us via the Enterprise Cloud 2.0 ticket system.


Task Name

Task Description

Necessary Action at Incident Occurrence (Red Status)

Set Context for First UTM

In the case of HA configuration, the environment for the first unit is prepared. The same tasks are executed in terms of the procedures from Verify to Attach Ports and the procedures from Start the UTM to Update UTM Proxy ARP.

When an error occurs during environment preparation, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.
Set Context for Second UTM

In the case of HA configuration, the environment for the second unit is prepared. The same tasks as for the first unit are executed in terms of the procedures from Verify to Attach Ports and the procedures from Start the UTM to Update UTM Proxy ARP.

When an error occurs during environment preparation, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.
Verify IP Address Inputs
The IP address (CIDR) to be set is verified. In the case of HA configuration, it is also verified that DHCP is effective on the connected network.
An error was detected through verification of the IP address (CIDR). Check the input value, make corrections, and retry. If this task turns red and a message "Logical Network connecting to Managed Firewall/UTM must be [DHCP ON]." is displayed with respect to HA configuration, check the network environment of the user. Then, if DHCP is found to be ineffective, make it effective and retry.
Verify VRRP, MTU Inputs

VRRP and MTU to be set are verified.

When an error is detected through verification, the indicator turns red. Check the input value, make corrections, and retry.

Import Ports

In case of HA Configuration, import ports information at the beginning of the process.

When an port reading error occurs, the indicator turns red. Please inform us via the Enterprise Cloud 2.0 ticket system.
Stop the UTM
When starting the setting applying process, the user's Managed Firewall/UTM is temporally shutdown. (It will keep being in shutdown until Start the UTM task is completed.)

An error occurred on the shutdown process. Please retry applying after 10 minutes or so.

Please wait for UTM Ping Reachability from MSA.

Verify the connection status of the user's Managed Firewall/UTM.

An error occurred on the connection verification process. Please retry applying after 10 minutes or so.

Stop Ping Monitoring

Ping Monitoring is temporarily halted before application of the port setting.

When temporary halt of Ping Monitoring fails, the indicator turns red. Please inform us via the Enterprise Cloud 2.0 ticket system.
Delete Ports

Ports will be deleted in order to apply the settings.

Errors occurred when deleting the ports. Please contact us via the Enterprise Cloud 2.0 ticket system.
Create Ports

Create a new port.

An error occurred in the port detach process. Please inform us via the Enterprise Cloud 2.0 ticket system.
Attach Ports

Attach the created ports.

An error occurred in the port attachment process. Please inform us via the Enterprise Cloud 2.0 ticket system.
Start the UTM

Start the user's Managed Firewall/UTM.

An error occurred on the starting process. Please inform us via the Enterprise Cloud 2.0 ticket system.

Please wait for UTM Ping Reachability from MSA.

Verify the connection status of the user's Managed Firewall/UTM.

An error occurred on the connection verification process. Please retry applying after 10 minutes or so.

Start Ping Monitoring

Ping Monitoring is resumed after application of the port setting.

When temporary halt of Ping Monitoring fails, the indicator turns red. Please inform us via the Enterprise Cloud 2.0 ticket system.
Update UTM (Interfaces)

Update configuration of Managed Firewall / UTM interfaces.

An error occurred in the configuration updating process. Please inform us via the Enterprise Cloud 2.0 ticket system.
Import Ports

In case of HA Configuration, import ports information at the beginning of the process.

An error occurred in loading ports. Please inform us via the Enterprise Cloud 2.0 ticket system.
Update UTM Proxy ARP

In HA Configuration, update Proxy ARP configuration of Managed Firewall / UTM.

An error occurred in the configuration updating process. Please inform us via the Enterprise Cloud 2.0 ticket system.

Confirm all tasks have been completed normally (green status).
実行ステータス6