2.2.18.2. HA Configuration Network Management
2.2.18.2.1. Interface setting
2.2.18.2.1.1. The default State : "Interface"
2.2.18.2.1.2. Setting Items : "Interface"
The setting items are described below:
Items | Values | Descriptions |
---|---|---|
Port | Port [ 4 - 10 ] | The port number is shown; the user cannot edit it. |
Enable Port | "✔" (check the checkbox) | Checking the "Enable Port" box allows you to input the parameters. If you uncheck the box, your input values will disappear. |
MTU Size | 100-9000 [byte] | The user can specify the interface's MTU size. The default value is 1500 bytes. |
Device ID | UTM-XXXXXX | The device name of each device in the HA pair is shown. The user cannot edit it. |
IP Address [CIDR] | XXX.XXX.XXX.XXX/24 | Input the IP address to be assigned to the port. Specify an IP address from the address range of the Subnet ID and Network ID selected as described below. The subnet mask must be entered in CIDR format. For HA Configuration, an IP address is allocated to each device of the HA pair. |
Network ID | (Select from the list) | Select the Network ID you want to use from your Network list. |
Subnet ID | (Select from the list) | Select a specific Subnet ID from the available Subnet list in your selected Logical Network. |
VRRP Group ID | (Select from the list) | Select the VRRP Group ID. Use the same Group ID for all interfaces. All interfaces under the same Group ID operate in synchronization so that their Master-Slave states match. For example, when the External-side interface fails over, the Internal-side interface under the same Group ID also fails over. |
VRRP ID | (Select from the list) | Select the VRRP ID. Each interface requires an individual VRRP ID. If the user employs VRRP on the other device used in a pair, it is necessary to select a different VRRP ID for it. |
VRRP IP | XXX.XXX.XXX.XXX | Enter the VRRP IP address. A subnet mask is not required. |
Virtual MAC | XX:XX:XX:XX:XX:XX | After the user completes the Manage Interfaces settings, a Virtual MAC address is automatically allocated. The user cannot edit it. |
Preempt | "✔" (check the checkbox) | You can choose whether to use Preempt mode. Unchecking the box sets Preempt mode to OFF. When Preempt mode is used, the device automatically fails back when it determines that the conditions for failing back are met. Devices under the same Group ID should have matching Preempt mode settings. See the note below for ON / OFF of Preempt mode. From October 19, 2021, the default value of Preempt has been changed from OFF to ON. This has no effect on existing interface settings. |
Comment | (Half-width alphabetic characters & half-width numbers) | The user can enter comments. Use fewer than 225 characters. You can NOT use any double-byte characters, such as Japanese. |
Note
- When using VRRP, "enable" the DHCP function (address setting function) of the logical network to be connected. If the DHCP function has been "disabled", an ARP request is executed with source address 0.0.0.0 with respect to the network of NTT Com. It has been confirmed through an NTT-supplied Load Balancer, Managed FW/UTM, and others that an ARP reply is not returned in this case. Redundancy by VRRP is affected, and communication disconnection may continue when switching occurs.
If you create a logical network name under specific conditions, the created network will not be displayed. When creating a logical network, see here.
- Description of Preempt settings
- When Preempt is ON: When multicast, broadcast, and unlearned unicast communication (BUM: Broadcast / Unknown Unicast / Multicast) is unstable, some ports switch from the device assigned the lower number to the device assigned the higher number, and then back from the higher number to the lower number. A total of two switchovers occur, but communication is automatically restored. If a VRRP switchover occurs for another reason, it also goes from the lower number to the higher number and back from the higher number to the lower number, so a total of two switchovers occur.
- When Preempt is OFF: When BUM communication is unstable, some ports switch from the device assigned the lower number to the device assigned the higher number, asymmetric communication occurs, and communication will not be restored unless the customer responds (restarts). When a VRRP switchover occurs for another reason, there is one switchover from the active device to the standby device.
2.2.18.2.1.3. Prohibited IP address
- 100.65.0.0/16
- 100.66.0.0/15
- 100.68.0.0/14
- 100.72.0.0/14
- 100.76.0.0/15
- 100.78.0.0/16
- 100.80.0.0/13
- 100.88.0.0/15
- 100.91.0.0/16
- 100.92.0.0/14
- 100.126.0.0/15
2.2.18.2.1.4. Prohibited VRRP ID
ID 11 (Virtual MAC address 00:00:5e:00:01:0b)
2.2.18.2.1.5. Preparing for the New Settings.
- Click [WORKFLOWS] -> [Workflows] -> [Cluster Port Management] to open the interface setting details screen. In the case of HA Configuration, [UTM Port Management] is not used.
- To make the user network information available for reference, click and select the device to be set, and then click [ Get Network Info ].
- The Task Status is displayed. When the Get Network Info task turns green, it has succeeded. Click [Close] to close it.
- Click to select the HA pair to be set, and click [ Manage Interfaces ].
- The [ Manage Interface ] screen opens. Port 2 and 3 are not shown on this screen. Select the port to be set, then click "Edit".
- Checking the [ Enable Port ] check box allows the user to input the setting values.
- Select each device and press [Edit].
- Enter the real IP address to be set for each device, and click [Save].
Note
- Enter the setting value.
Note
- Actual IP Address and Virtual IP Address (VRRP IP) for Each Device
  As the example below shows, allocate an actual IP address to each device, and set a virtual IP address (VRRP IP) as well.
  Example:
  Enter 192.168.2.101/24 for the first device.
  Enter 192.168.2.102/24 for the second device.
  Where the field is labeled IP Address [CIDR], use the CIDR style.
  Format in the CIDR style: IP address/subnet (prefix length)
  For the VRRP IP address, enter the IP address alone, without using the CIDR style.
- VRRP Group ID
  The VRRP Group ID is used to track the status (Master and Slave) of all interfaces using the same Group ID. Use the same Group ID for the interfaces on which VRRP is set, allocated to Port 4 - 10 in the same device (within an HA pair). If a different Group ID is used, operation may fail when a failover or related problem occurs.
- VRRP ID
  The VRRP ID is linked with the virtual MAC address. The VRRP ID and the virtual MAC allocated to it are defined in common among companies in accordance with the rules below:

VRRP ID | Virtual MAC Address |
---|---|
1 | 00:00:5e:00:01:01 |
2 | 00:00:5e:00:01:02 |
... | ... |
10 | 00:00:5e:00:01:0a |
... | ... |
20 | 00:00:5e:00:01:14 |
... | ... |
70 | 00:00:5e:00:01:46 |

  If VRRP is used on the other device that is paired with the Managed Firewall and Managed UTM, each device needs its own, different VRRP ID. When both devices use the same VRRP ID, they cannot communicate normally.
- ID 11 (virtual MAC address 00:00:5e:00:01:0b) cannot be used as the VRRP ID of the Managed Firewall / UTM and adjacent devices.
Input the setting value, and click [ Save ]. Please note that this action itself does not apply the saved data to the device.
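The interface rules above (port and MTU ranges, prohibited IP ranges, prohibited VRRP ID 11, one VRRP ID per interface, a shared Group ID and matching Preempt) can be checked before the values are entered. The following Python is an added example, not part of the original page or of the service itself; the dictionary field names and sample values are hypothetical, and the same-subnet check on the VRRP IP is an assumption rather than a rule stated on this page.

```python
import ipaddress

# Ranges from the "Prohibited IP address" list on this page.
PROHIBITED_NETS = [ipaddress.ip_network(n) for n in (
    "100.65.0.0/16", "100.66.0.0/15", "100.68.0.0/14", "100.72.0.0/14",
    "100.76.0.0/15", "100.78.0.0/16", "100.80.0.0/13", "100.88.0.0/15",
    "100.91.0.0/16", "100.92.0.0/14", "100.126.0.0/15")]
PROHIBITED_VRRP_ID = 11  # virtual MAC 00:00:5e:00:01:0b


def vrrp_virtual_mac(vrrp_id):
    """Map a VRRP ID to its virtual MAC (last octet is the ID in hex)."""
    if not 1 <= vrrp_id <= 255:
        raise ValueError("VRRP ID must be 1-255")
    return "00:00:5e:00:01:%02x" % vrrp_id


def is_prohibited(ip):
    """True if the address falls inside any prohibited range."""
    return any(ip in net for net in PROHIBITED_NETS)


def check_ha_ports(ports):
    """Return the rule violations found in one HA pair's port settings."""
    errors = []
    for p in ports:
        tag = "Port %d: " % p["port"]
        ifaces = [ipaddress.ip_interface(a) for a in p["device_ips"]]
        vip = ipaddress.ip_address(p["vrrp_ip"])  # entered without a prefix
        if not 4 <= p["port"] <= 10:
            errors.append(tag + "only Port 4-10 can be configured")
        if not 100 <= p["mtu"] <= 9000:
            errors.append(tag + "MTU outside 100-9000")
        if len({i.ip for i in ifaces}) != 2:
            errors.append(tag + "each HA device needs its own IP address")
        if any(is_prohibited(a) for a in [vip] + [i.ip for i in ifaces]):
            errors.append(tag + "address in a prohibited range")
        # Assumption: the VRRP IP sits in the same subnet as the device IPs.
        if any(vip not in i.network for i in ifaces):
            errors.append(tag + "VRRP IP outside the interface subnet")
        if p["vrrp_id"] == PROHIBITED_VRRP_ID:
            errors.append(tag + "VRRP ID 11 is prohibited")
    ids = [p["vrrp_id"] for p in ports]
    if len(ids) != len(set(ids)):
        errors.append("each interface requires an individual VRRP ID")
    if len({p["group_id"] for p in ports}) > 1:
        errors.append("all interfaces must share one VRRP Group ID")
    if len({p["preempt"] for p in ports}) > 1:
        errors.append("Preempt must match within a VRRP Group ID")
    return errors


# Constructed sample input; the field names are hypothetical.
SAMPLE_PORTS = [
    {"port": 4, "mtu": 1500, "vrrp_ip": "192.168.2.1", "vrrp_id": 10, "group_id": 1,
     "preempt": True, "device_ips": ["192.168.2.101/24", "192.168.2.102/24"]},
    {"port": 5, "mtu": 1500, "vrrp_ip": "100.66.1.1", "vrrp_id": 11, "group_id": 2,
     "preempt": True, "device_ips": ["100.66.1.11/24", "100.66.1.12/24"]},
]
```

Calling `check_ha_ports(SAMPLE_PORTS)` flags Port 5 for a prohibited address range and for VRRP ID 11, and flags the pair for using two different Group IDs.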
2.2.18.2.1.6. Applying the new Settings
- Once you have prepared the port to be used, click [ NOW RUN ] at the Manage Interface screen.
- [ Task Status ] is displayed. The task statuses are described below.
Task Colors | Task Statuses |
---|---|
"Blue" | Processing Task |
"Green" | Task normally completed |
"Red" | Task with Unknown-Issue. |
- When completed normally, all statuses turn green. Click [x] to close the window.
2.2.18.2.1.7. Task Status and Error (Red) Solution
Note
Any error (status shown in red) that occurs while the interface settings are being applied may affect the user's communication. Please make sure to check the details of the error and correct it before all tasks are completed.
Note
Note
If the applying process is interrupted before the error is corrected, the user's Managed Firewall/UTM will remain shut down, unconnected, and/or without the updated settings.
If the error is not resolved by retrying, please inform us via the Enterprise Cloud 2.0 ticket system.
Task Name | Task Description | Necessary Action for Incident Occurrence (Red Status) |
---|---|---|
Set Context for First UTM | In the case of HA configuration, the environment for the first unit is prepared. The same tasks are executed for the procedures from Verify to Attach Ports and the procedures from Start the UTM to Update UTM Proxy ARP. | When an error occurs during environment preparation, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
Set Context for Second UTM | In the case of HA configuration, the environment for the second unit is prepared. The same tasks as for the first unit are executed for the procedures from Verify to Attach Ports and the procedures from Start the UTM to Update UTM Proxy ARP. | When an error occurs during environment preparation, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
Verify IP Address Inputs | The IP address (CIDR) to be set is verified. In the case of HA configuration, it is also verified that DHCP is enabled on the connected network. | An error was detected through verification of the IP address (CIDR). Check the input value, make corrections, and retry. If this task turns red and the message "Logical Network connecting to Managed Firewall/UTM must be [DHCP ON]." is displayed for an HA configuration, check the user's network environment. Then, if DHCP is found to be disabled, enable it and retry. If this task turns red and the message "Subnet xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx(ID number) does not exist." is displayed, the latest network information may not have been obtained; please inform us via the Enterprise Cloud 2.0 ticket system. |
Verify VRRP, MTU Inputs | The VRRP and MTU values to be set are verified. | When an error is detected through verification, the indicator turns red. Check the input value, make corrections, and retry. |
Import Ports | In the case of HA Configuration, port information is imported at the beginning of the process. | When an error occurs in the port setting process, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
Stop the UTM | When the setting application process starts, the user's Managed Firewall/UTM is temporarily shut down. (It remains shut down until the Start the UTM task is completed.) | When an error occurs in the shutdown process, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
Wait for UTM Ping Reachability from MSA. | Confirm the connection status of the user's Managed Firewall/UTM. | When an error occurs in the connection verification process, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
Stop Ping Monitoring | Ping Monitoring is temporarily halted before application of the port setting. | When the temporary halt of Ping Monitoring fails, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
Delete Ports | Ports are deleted in order to apply the settings. | When an error occurs while deleting the ports, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
Create Ports | Create new ports. | When an error occurs in the port creation process, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
Attach Ports | Attach the created ports. | When an error occurs in the port attachment process, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
Start the UTM | Start the user's Managed Firewall/UTM. | When an error occurs in the starting process, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
Wait for UTM Ping Reachability from MSA. | Confirm the connection status of the user's Managed Firewall/UTM. | When an error occurs in the connection verification process, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
Verify License Validity | Check the validity of the license. | If it turns red, there is a problem with the license. Please apply again after about 10 minutes. If the problem persists, please contact us via the Enterprise Cloud 2.0 ticket system. |
Update UTM (Interfaces) | Update the configuration of the Managed Firewall / UTM interfaces. | When an error occurs in the configuration updating process, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
Update UTM Proxy ARP | In HA Configuration, update the Proxy ARP configuration of the Managed Firewall / UTM. | When an error occurs in the configuration updating process, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
Device Backup | Save the changed settings to the system. | When an error occurs on the system, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
Start Ping Monitoring | Ping Monitoring is resumed after application of the port setting. | When the temporary halt of Ping Monitoring fails, the indicator turns red. Please retry after 10 minutes or so. If the error is not resolved, please inform us via the Enterprise Cloud 2.0 ticket system. |
2.2.18.2.2. Routing Settings
2.2.18.2.2.1. Routing Default Value
2.2.18.2.2.2. Routing : Setting Items
The following items are necessary for the routing settings.
Items | Values | Descriptions |
---|---|---|
ID | (Auto-Assign) | This ID is automatically assigned. |
Destination IP Address | xxx.xxx.xxx.xxx | Input the Destination IP Address in decimal notation. |
Mask | xxx.xxx.xxx.xxx | Input the Destination Subnet mask in decimal notation. |
Gateway | xxx.xxx.xxx.xxx | Input the Routing Gateway IP Address in decimal notation. |
Interface | Port [ 4 - 10 ] | Select the port on which this route will be set up. |
Comment | (Half-width alphabetic characters & half-width numbers) | Fill in a comment if you like. Use fewer than 225 characters. You can NOT use any double-byte characters, such as Japanese. |
Note
Default Gateway
If you want to set a default gateway, enter Destination IP 0.0.0.0 and Mask 0.0.0.0, and specify the Gateway address and interface.
2.2.18.2.2.3. Prohibited IP address
- 100.65.0.0/16
- 100.66.0.0/15
- 100.68.0.0/14
- 100.72.0.0/14
- 100.76.0.0/15
- 100.78.0.0/16
- 100.80.0.0/13
- 100.88.0.0/15
- 100.91.0.0/16
- 100.92.0.0/14
- 100.126.0.0/15
2.2.18.2.2.4. Creating Additional Routing
- Click [Manage Routes] of [Cluster Route Management] displayed in [Workflow].
- Click [ Add ].
- Enter the setting value, and click [ Save ]. For the details of setting items, please refer to Routing : Setting Items.
- When the setting is ready, click [ Run Now ] to start applying. For the details of applying methods, please refer to Applying the new Settings.
2.2.18.2.2.5. Routing Modification
- Click [Manage Routes] of [Cluster Route Management] displayed in [Workflow] from [Services].
- Select the target lines to be modified, and click the relevant button for operation.
Descriptions of each button's function at the [ Manage Routes ]
Buttons | Descriptions |
---|---|
Edit | The user can modify a routing setting value that has already been entered. |
Remove | The user can delete the selected routing setting. |
- When the setting is ready, click [ Run Now ] to start applying. For the details of applying methods, please refer to Applying the new Settings.
2.2.18.2.3. Configure Proxy ARP
Configuration that requires Proxy ARP setting | Configuration that does not require Proxy ARP setting |
---|---|
If the NAT setting IP address is in the same network as the one to which the interface is connected in HA Configuration, Proxy ARP setting is required. | If the NAT setting IP address is not in the same network as the one to which the interface is connected, even in HA Configuration, Proxy ARP setting is NOT required. |
2.2.18.2.3.1. Default value of Proxy ARP
2.2.18.2.3.2. Configure items of Proxy ARP
Items | Values | Descriptions |
---|---|---|
ID | (Auto-Assign) | This ID is automatically assigned. |
IP Address | xxx.xxx.xxx.xxx | The IP address to be checked against the virtual MAC (VMAC) by the proxy ARP function. Specify a single IP address or a range. For a range, connect the start address and the end address with a hyphen. |
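The Proxy ARP rule and entry format above can be turned into a check that lists NAT addresses still lacking a Proxy ARP entry. The following Python is an added example, not part of the original page or of the service itself; the function names, the data layout and the sample addresses are hypothetical.

```python
import ipaddress


def parse_proxy_arp_entry(entry):
    """Parse 'a.b.c.d' or 'a.b.c.d-e.f.g.h' into an inclusive (start, end)."""
    start, _, end = entry.partition("-")
    first = ipaddress.ip_address(start.strip())
    last = ipaddress.ip_address(end.strip()) if end else first
    if last < first:
        raise ValueError("range end precedes start: %r" % entry)
    return first, last


def missing_proxy_arp(interfaces, nat_ips, proxy_arp):
    """Return {port: [NAT IPs that need a Proxy ARP entry but have none]}.

    interfaces: {port: "ip/prefix"} for the HA pair's ports
    nat_ips:    NAT setting IP addresses
    proxy_arp:  {port: ["ip" or "start-end", ...]} as already configured
    """
    missing = {}
    for port, cidr in interfaces.items():
        network = ipaddress.ip_interface(cidr).network
        ranges = [parse_proxy_arp_entry(e) for e in proxy_arp.get(port, [])]
        for nat in map(ipaddress.ip_address, nat_ips):
            if nat not in network:
                continue  # different network: Proxy ARP is NOT required
            if not any(lo <= nat <= hi for lo, hi in ranges):
                missing.setdefault(port, []).append(str(nat))
    return missing


# Constructed sample input.
SAMPLE_INTERFACES = {4: "192.168.2.101/24", 5: "10.0.0.101/24"}
SAMPLE_NAT_IPS = ["192.168.2.50", "192.168.2.60", "172.16.0.5", "10.0.0.20"]
SAMPLE_PROXY_ARP = {4: ["192.168.2.50-192.168.2.55"], 5: ["10.0.0.20"]}

print(missing_proxy_arp(SAMPLE_INTERFACES, SAMPLE_NAT_IPS, SAMPLE_PROXY_ARP))
```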
2.2.18.2.3.3. Add Proxy ARP
- Click [Manage Proxy ARP] of [Cluster Port Management] from [Workflow] shown in [Service].
- Select the interface (Port) to be configured, then click [Edit].
- Click [ Add ].
- Enter the setting value, and click [ Save ]. For the details of setting items, please refer to Configure items of Proxy ARP.
- When the setting is ready, click [ Run Now ] to start applying. For the details of applying methods, please refer to Applying the new Settings.
2.2.18.2.3.4. Change Proxy ARP
- Click [Manage Proxy ARP] of [Cluster Port Management] from [Workflow] shown in [Services].
- Select the interface (Port) to be configured, then click [Edit].
- Click on the line you want to change and click on one of the change operation buttons.
Descriptions of each button's function at [ Manage Proxy ARP ].
Buttons | Descriptions |
---|---|
Edit | Update the parameters of a Proxy ARP entry that is already configured. |
Remove | Delete the configuration of the selected Proxy ARP entry. |
- Change or delete the parameter, then click [Save]. For the details of setting items, please refer to Configure items of Proxy ARP.
- When the setting is ready, click [ Run Now ] to start applying. For the details of applying methods, please refer to Applying the new Settings.
2.2.18.2.4. Device Stop / Start
2.2.18.2.5. Other Features

2.2.18.2.6. Ping Execution
2.2.18.2.7. Device Config Export
Note
After you reload the browser, it will be reflected in Document.
Note
The contents set with Network Management are not output.