2.1.2.2. HA Configuration Interface Setting

2.1.2.2.1. Default Value : Interface

Nothing is set in the initial state.

Port 1 is reserved in advance as a necessary port for this menu. This is not shown.
Port 2 and 3 are necessary ports for HA Configuration. The message indicates these ports have been set in advance; the user cannot change this setting.
Port 4 - 10 are interfaces available for the customers.

2.1.2.2.2. Setting Items : Interface

Following are the setting items as describes below:

Items

Values

Descriptions

Port

Port [ 4 - 10 ]

Port number is shown; yet, the user cannot edit.

Enable Port

"✔" (Marking to the checkbox)

Marking to the "Enable Port" box allows you to input the parameter.
On the other hand, once you have unmarked to the checkbox, your input value will disappear.
MTU Size 100-1500 [byte]
The user can specify the interface's MTU size.
Default value is 1500 bytes.

Device ID

UTM-XXXXXX
The user's device name for each HA pair device name is shown.
The user cannot edit.
IP Address [CIDR] XXX.XXX.XXX.XXX/24
Input IP Address being assigned to the port.
You need to specify any IP address from the range of IP address on Subnet ID & Network ID selected as described below:
Subnet masks need to be input in the CIDR format.

For HA Configuration, IP address will be allocated to each HA pair device.

Network ID

(Select from the list)

Select any Network ID you want to use from your Network list.

Subnet ID

(Select from the list)

Select a specific Subnet ID from the available Subnet list in your selected Logical Network.

VRRP Group ID

(Select from the list)

Select VRRP Group ID

Use the same Group ID to all interfaces.
All interfaces under the same Group ID will operate in synchronism to match Master-Slave. For example, when the External side of an interface fails over, the Internal side of the interface under the same Group ID will fails over.
VRRP ID

(Select from the list)

Select VRRP ID.

Each interface requires individual VRRP ID.
If the user uses VRRP to the other device used in a pair, it is necessary to select a different VRRP ID for it.
VRRP IP XXX.XXX.XXX.XXX
Enter IP address of VRRP.
Subnet mask is not required.
Virtual MAC XX:XX:XX:XX:XX:XX
After the user completes the setting of Manage Interfaces, a Virtual MAC address is automatically allocated.
The user cannot edit.
Preempt

"✔" (Marking to the checkbox)

You can choose to use Preempt mode or not. If you uncheck it, you can set Preempt mode to OFF.

When using Preempt mode, the device automatically fails back when it determines the conditions under which it can fail back.
If devices are under the same Group ID, the Preempt mode status of those should be matched.

See the note below for ON / OFF of Preempt mode.
From October 19, 2021, the default value of Preempt has been changed from OFF to ON.
It has no effect on existing interface settings.
Comment

(Half-width alphabetic characters & half-width numbers)

The user can put comments.
Fill in your comment by using less than 225 letters. You can NOT utilize any two-bytes characters, such as Japanese.

Note

  • When using VRRP, "enable" the DHCP function (address setting function) of the logical network to be connected.
    If the DHCP function has been "disabled", an ARP request is executed with source address 0.0.0.0 with respect to the network of NTT Com.
    It has been confirmed through an NTT-supplied Load Balancer, Managed FW/UTM, and others that an ARP reply is not returned in this case. Redundancy by VRRP is affected and communication disconnection may be continued when switching is made.
  • If you create a logical network name under specific conditions, the created network will not be displayed. When creating a logical network, See here .

  • Description of Preempt settings
    • For Preempt ON
      Multicast, broadcast, unlearned unicast communication (BUM (Broadcast / Unknown Unicast / Multicast) communication is unstable, the number assigned to the device on some ports is the youngest to the oldest, and the oldest to the youngest. Since switching occurs to, a total of 2 switchings will occur, but communication will be automatically restored.
      If a switch occurs in VRRP for another reason, the switch will also occur from the young number to the old number and from the old number to the young number, so a total of two changes will occur.
    • When Preempt OFF
      When BUM communication is unstable, some ports are switched from the young number assigned to the device to the old number, asymmetric communication occurs, and communication will not be restored unless the customer responds (restarts).
      When a VRRP switch occurs for another reason, there is one switch from the active device to the standby device.

2.1.2.2.3. Prohibited IP address

The IP addresses below are not available for Interface, Routing, Address Objects, Destination NAT and Source NAT.
If these IP addresses are used, the operation may cause some error.
  • 100.65.0.0/16
  • 100.66.0.0/15
  • 100.68.0.0/14
  • 100.72.0.0/14
  • 100.76.0.0/15
  • 100.78.0.0/16
  • 100.80.0.0/13
  • 100.88.0.0/15
  • 100.91.0.0/16
  • 100.92.0.0/14
  • 100.126.0.0/15

2.1.2.2.4. Prohibit VRRP ID

Following VRRP ID cannot be used as Managed Firewall/UTM and the devices connected to Managed Firewall/UTM.
  • ID 11(Virtual MAC address00:00:5e:00:01:0b)


2.1.2.2.5. Preparing for the New Settings

  1. Click [Cluster Port Management] displayed in [Network Management] to open the [Network Management] details screen.
    In case of HA Configuration, [UTM Port Managemen] is not used.
    TOP

  1. To enable the user network information to be referred to, click and select the device to be set, and then click [ Get Network Info ].
    Port Management

  1. [ Task Status ] is displayed. When completed normally, the task status of "Get Network Info" turns green. Click [x] to close the window.
    Task Status

  1. Select the target HA pair for setting by clicking, and click [ Manage Interface ].
    デバイス選択

  1. The [ Manage Interface ] screen will be opened. In the screen, Port 2 and 3 are not shown.
    Select the target port for setting, then click "Edit".
    Manage Interfaces

  1. By marking the check box for the [ Enable Port ], the user can input the setting value.
    ポート設定

  1. Select each device and press [Edit].

  1. Enter the real IP address to be set for each device, and click [Save].

Note

The [ IP Address[CIDR] ]should be input in the CIDR style as the example below shows.
Example:
192.168.2.100/24
[IP Address]+[/]+[Subnet]

  1. Enter the setting value.

Note

Please remind the issues below when entering the setting value.
  • Actual IP Address and Virtual IP Address (VRRP IP) for Each Device
    As the example below shows, allocate an actual IP address to each device. And set a virtual IP address (VRRP) for it as well.
    Example:
    Enter 192.168.2.101/24 for the first device.
    Enter 192.168.2.102/24 for the second device.

    If there is the indication as IP Address[CIDR], use the CIDR style.
    Format in the CIDR style: IP address/subnet (prefix length)
    For VRRP IP address, enter the IP address simply without using the CIDR style.
  • VRRP Group ID
    VRRP Group ID is used to track the status (Master and Slave) on all interfaces using the same Group ID.
    Use the same Group ID for the interface setting VRRP, which allocated to Port 4 - 10 in the same device (within a HA pair). If any different Group ID is used, operation may fail in case failover or relevant problem occurs.
  • VRRP ID
    VRRP ID is linked with virtual MAC address. VRRP ID and the allocated virtual MAC to the ID is commonly defined among companies in accordance with the rules below:
    VRRP ID

    Virtual MAC Address

    1 00:00:5e:00:01:01
    2 00:00:5e:00:01:02
    ... ...
    10 00:00:5e:00:01:0a
    ... ...
    20 00:00:5e:00:01:14
    ... ...
    70 00:00:5e:00:01:46
    If VRRP is used at the other device in pair of Managed Firewall and Managed UTM, each device needs different VRRP ID independently. When both devices use the same VRRP ID, they cannot communicate normally.
  • ID 11 (virtual MAC address 00: 00: 5e: 00: 01: 0b) can not be used as the VRRP ID of the Managed Firewall / UTM and adjacent devices.

  1. Input the setting value, and click [ Save ]. Please remind that this action itself does not apply the saved data to the device.

    ポート設定保存

Once you have prepared for the port settings, please apply for the new settings accordingly by the procedure of "Applying configuration".


2.1.2.2.6. Applying the new Settings

The setting applying process is common to Single Configuration and HA Configuration.

  1. Once you have prepared a port being utilized, click [ Run Now ] at the Manage Interface screen.
    ポート設定適用

  1. [ Task Status ] is displayed.
    ポート設定適用3

    Following describes respective task statuses.

    Task Colors

     

    Task Statuses

    Gray

    (grey)

    Unimplemented task

    Blue

    "Blue"

    Processing Task

    Green

    "Green"

    Task normally completed

    Red

    "Red"

    Task with Unknown-Issue.


  1. When completed normally, all statuses turn green. Click [x] to close the window.
    ポート設定適用4

2.1.2.2.7. Task Status and Error (Red) Solution

Note

Any error (status in red color) occurred at the timing of interface setting applying may effect on the user's communication. Please make sure to check the details of the error and correct it before all tasks are completed.


Occurrence of an error results in display like this in [ Task Status ].
実行ステータス

If [ Task Status ] has been closed, an error is indicated by [ Status ] of Port Management, and the buttons of Get Network Info and Manage Interface are disabled until the problem is solved.
ステータスエラー

If clicking the area which show [ Status ] and [ Message ], the history is displayed. On the history, the status of an error occurrence process turns red, and part of the error information is displayed in [ Details ] area.
To recover from the error, click [ Status Detail Display ] at the right end, followed by display of [ Task Status ].
ポート設定適用4

Regarding an error occurrence task, the [ Continue Task ] button is displayed to the right of Details.
実行ステータス

Clicking the [ Continue Task ] button causes the problematic setting screen to be displayed. Refer to the message in Details and correct the setting values.

In the example above where "Below IP Address / MTU inputs are Not OK. Please correct the values before running the Process again. IP Address XXX.XX.XX.XX is not in CIDR format." is shown, click the [ Continue Task ] button, correct the IP address, and then click [ Run Now ] again.

Note

In the case of the example above, the error message was brought as IP Address[CIDR] was not written in the CIDR style.
The [ IP Address[CIDR] ]should be input in the CIDR style as the example below shows.
Example:
192.168.2.100/24
[IP Address]+[/]+[Subnet]

Click [ Run Now ] after your updating settings, then "Tasks Status" screen will get back. [ Applying Configuration ] will resume.
Please wait for a moment until the last task is normally completed.
実行ステータス3

Click [ × ] at the [ Task Status ] screen.
実行ステータス4

About tasks status: when any status become red, check its task name (status), details and necessary actions for incident occurrence by referring to the table below. Then, execute retry.

Note

  • If the applying process is interrupted before the error is corrected, the user's Managed Firewall/UTM will keep its status being in shutdown, unconnected and/or no updated setting.

  • In case the error failed to be corrected by retrying, please inform us via the Enterprise Cloud 2.0 ticket system.


Task Name

Task Description

Necessary Action for Incident Occurrence (Red Status)

Set Context for First UTM

In the case of HA configuration, the environment for the first unit is prepared. The same tasks are executed in terms of the procedures from Verify to Attach Ports and the procedures from Start the UTM to Update UTM Proxy ARP.

When an error occurs during environment preparation, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.
Set Context for Second UTM

In the case of HA configuration, the environment for the second unit is prepared. The same tasks as for the first unit are executed in terms of the procedures from Verify to Attach Ports and the procedures from Start the UTM to Update UTM Proxy ARP.

When an error occurs during environment preparation, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.
Verify IP Address Inputs
The IP address (CIDR) to be set is verified. In the case of HA configuration, it is also verified that DHCP is effective on the connected network.
An error was detected through verification of the IP address (CIDR). Check the input value, make corrections, and retry.If this task turns red and a message "Logical Network connecting to Managed Firewall/UTM must be [DHCP ON]." is displayed with respect to HA configuration, check the network environment of the user. Then, if DHCP is found to be ineffective, make it effective and retry.If this task turns red and a message "Subnet xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx(ID number) does not exist." is displayed, there is a possibility that the latest network information could not be obtained, please inform us via the Enterprise Cloud 2.0 ticket system.
Verify VRRP, MTU Inputs

VRRP and MTU to be set are verified.

When an error is detected through verification, the indicator turns red. Check the input value, make corrections, and retry.

Import Ports

In case of HA Configuration, import ports information at the beginning of the process.

An error occurred on the port setting process, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.
Stop the UTM
When starting the setting applying process, the user's Managed Firewall/UTM is temporally shutdown. (It will keep being in shutdown until the Start the UTM task is completed.)
An error occurred on the shutdown process, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.

Wait for UTM Ping Reachability from MSA.

Confirm the connection status of the user's Managed Firewall/UTM.

An error occurred on the connection verification process, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.
Stop Ping Monitoring

Ping Monitoring is temporarily halted before application of the port setting.

When temporary halt of Ping Monitoring fails, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.
Delete Ports

Ports will be deleted in order to apply the settings.

An error occurred on the deleting the ports, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.
Create Ports

Create new ports.

An error occurred on the port create process, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.
Attach Ports

Attach the created ports.

An error occurred on the port attachment process, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.
Start the UTM

Start the user's Managed Firewall/UTM.

An error occurred on the starting process, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.

Wait for UTM Ping Reachability from MSA.

Confirm the connection status of the user's Managed Firewall/UTM.

An error occurred on the connection verification process, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.
Verify License Validity

Check the validity of the license.

If it turns red, there is a problem with the license. Please apply again after about 10 minutes. If the problem persists, please contact us at Enterprise Cloud 2.0 Ticket System.
Update UTM (Interfaces)

Update configuration of Managed Firewall / UTM interfaces.

An error occurred on the configuration updating process, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.
Update UTM Proxy ARP

In HA Configuration, update Proxy ARP configuration of Managed Firewall / UTM.

An error occurred on the configuration updating process, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.
Device Backup

Save the changed settings to the system.

An error occurred on the system, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.
Start Ping Monitoring

Ping Monitoring is resumed after application of the port setting.

When temporary halt of Ping Monitoring fails, the indicator turns red. Please retry after 10 minutes or so. In case the error failed to be corrected, please inform us via the Enterprise Cloud 2.0 ticket system.

Confirm all tasks have been completed normally (becoming green status.)