Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  How to config High Available on SSG Firewall?

    Posted 12-30-2010 20:30

    We have 02 Juniper SSG firewalls; please help us configure HA to make this segment redundant.



  • 2.  RE: How to config High Available on SSG Firewall?
    Best Answer

    Posted 12-30-2010 20:33

    Hi JangJang,

     

    You can configure it like this:

    Product: ScreenOS (SSG550)
    Version: 6.0
    Network Topology: N/A

    Description:

    The configuration below shows you how to configure an NSRP cluster (High Availability). The device with the lowest priority will become Master (Active) and the other is Slave (Standby).

    Configuration:

    Device 1:

    set nsrp cluster id 1
    set nsrp vsd-group id 0 priority 50
    set nsrp rto-mirror sync
    set nsrp monitor interface eth0/0
    set nsrp monitor interface eth0/2
    save

    Device 2:

    set nsrp cluster id 1
    set nsrp vsd-group id 0 priority 100
    set nsrp rto-mirror sync
    set nsrp monitor interface eth0/0
    set nsrp monitor interface eth0/2
    save

    Advanced configuration:

    /* Sync Files */
    exec nsrp sync file from peer

    /* or synchronize a single file */
    exec nsrp sync file name <name_str> from peer

    /* Sync/resync PKI objects (CA cert, key pairs, CRLs) */
    exec nsrp sync global-config save

    /* Sync Configuration */
    exec nsrp conf sync

    Verification:

    /* Check Synchronization */
    exec nsrp sync global-config check-sum

    Link: http://forums.juniper.net/t5/Configuration-Library/Configure-NSRP-on-ScreenOS/td-p/69294

    Regards,
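
Added example, not part of the original post and not Juniper tooling: a Python check that parses the two `set nsrp` listings from the answer above, verifies that both nodes agree on cluster id, RTO sync and monitored interfaces, and reports which node the priorities favour as master. The function names and the embedded sample configs are constructed for illustration; the "lowest priority wins" rule is taken from the answer's description.

```python
import re

# Constructed sample input: the two device listings from the answer above.
DEVICE1 = """\
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 50
set nsrp rto-mirror sync
set nsrp monitor interface eth0/0
set nsrp monitor interface eth0/2
"""
DEVICE2 = DEVICE1.replace("priority 50", "priority 100")

def parse_nsrp(config):
    """Extract the NSRP settings used in this thread from 'set nsrp' lines."""
    s = {"cluster_id": None, "priority": {}, "rto_sync": False, "monitored": set()}
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"set nsrp cluster id (\d+)", line):
            s["cluster_id"] = int(m.group(1))
        elif m := re.fullmatch(r"set nsrp vsd-group id (\d+) priority (\d+)", line):
            s["priority"][int(m.group(1))] = int(m.group(2))
        elif line == "set nsrp rto-mirror sync":
            s["rto_sync"] = True
        elif m := re.fullmatch(r"set nsrp monitor interface (\S+)", line):
            s["monitored"].add(m.group(1))
    return s

def audit_pair(cfg_a, cfg_b):
    """Return (findings, expected_master) for VSD group 0 of a two-node cluster."""
    a, b = parse_nsrp(cfg_a), parse_nsrp(cfg_b)
    findings = []
    if a["cluster_id"] is None or a["cluster_id"] != b["cluster_id"]:
        findings.append("cluster id missing or different on the two devices")
    if not (a["rto_sync"] and b["rto_sync"]):
        findings.append("rto-mirror sync not set on both devices")
    if a["monitored"] != b["monitored"]:
        findings.append("monitored interfaces differ: %s" % sorted(a["monitored"] ^ b["monitored"]))
    pa, pb = a["priority"].get(0), b["priority"].get(0)
    master = None
    if pa is None or pb is None:
        findings.append("vsd-group 0 priority not set explicitly on both devices")
    elif pa == pb:
        findings.append("equal vsd-group 0 priority: master election is not pinned")
    else:
        master = "device 1" if pa < pb else "device 2"  # lowest priority wins, per the answer
    return findings, master

if __name__ == "__main__":
    print(audit_pair(DEVICE1, DEVICE2))
```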



  • 3.  RE: How to config High Available on SSG Firewall?

    Posted 12-31-2010 06:04

    To set up an NSRP HA cluster on the SSG:

    1- Verify the version of software and hardware support the function in kb11432. Some devices need to purchase an extended license for this to work.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB11432


    Simple configuration:

    The simplest configuration is outlined in kb11107. This requires two interfaces for the heartbeats and traffic between the firewalls and your normal trust/untrust interfaces.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB11197


    Guided questions:

    You could review the guided scenario questions in kb9809 and choose the best fit for your network.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB9809

     

    References:

     

    The full description of the operations and functions is found in the Concepts and Examples documentation in Volume 11 for High Availability. This link is for ScreenOS version 6.2, which is the current JTAC recommendation, but you can change to other versions on this page if you are not using this one.

     

    http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html



  • 4.  RE: How to config High Available on SSG Firewall?

    Posted 12-31-2010 07:34

    Thanks dongp & spuluka. Your information is useful; I solved this.



  • 5.  RE: How to config High Available on SSG Firewall?

    Posted 11-14-2017 13:51

    Do we need to create a VSD group as part of HA if we don't care which server should be the master?

     

    Also, some of the documentation refers to having the manage IP as part of the VSI configuration. Why is that needed, and why not just simply use the manage IP of the "regular" interface?

     

    Thanks



  • 6.  RE: How to config High Available on SSG Firewall?

     
    Posted 11-14-2017 21:41

    No, a VSD group is not necessary. VSD-0 gets created automatically when clustering is enabled. You just need to tweak the priority values on individual boxes.

     

    There is no 'separate' manage-ip for NSRP. It is the same as the interface manage-ip. When 2 devices become a part of the cluster, the Master FW becomes the owner of the interface IP, leaving the backup unmanageable via inband options.

     

    Adding a dedicated manage-ip to each device will ensure that you can manage both of them individually.

     

    Note: This thread is already marked as Solved and might not get the attention of all Forum users. If you have more queries, I suggest you create a new thread.



  • 7.  RE: How to config High Available on SSG Firewall?

    Posted 11-15-2017 03:07

    As Gokul notes, creating vsd groups is optional but it is an important choice whether or not you use them.

     

    Without the vsd group your interfaces on the two devices are essentially independent of each other and your devices are Active/Active for traffic.  

     

    With vsd groups you set up the failover of interfaces from one device to the other when the failover conditions are met. So your main design question is whether the cluster will be active/passive or active/active. Most setups are active/passive, where if a failure occurs all traffic shifts to the backup passive firewall during a triggered failover.

     

    Then proceed with the basic setup of the cluster from there.

     

    active/passive

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB6015 

     

    active/active

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB9809

     



  • 8.  RE: How to config High Available on SSG Firewall?

    Posted 11-15-2017 06:48

    Thanks for the extra information! I'll follow your suggestion and open a new thread for follow-up on this if I have more questions.