Screen OS

  • 1.  SSG-140 two interfaces for the same network

    Posted 04-04-2011 11:05

    Hi,

    We have an SSG140 with the following setup:

    ethernet0/7     192.168.20.251/24     Trust     Layer3     Up
    ethernet0/8     216.243.77.xxx/26     Untrust     Layer3     Up
    ethernet0/9     192.168.10.251/24     Trust     Layer3     Up

    [7] is only used for directly connecting the WAN side/interface of a load balancer to it
    [8] is the outside/real-IP/WAN side
    [9] is used to connect all the servers and the LAN side/interface of the load balancer through a switch

    Image attached that explains our setup.

    What we need to do now is start on making all our nodes redundant - so we need to add a 2nd load balancer and a 2nd firewall.

    Starting with the load balancer, we are told that we need to connect the WAN port of each unit to the same network with different IP addresses.

    I know we can do that by introducing a switch between the load balancer and the firewall, but I am interested in knowing if there is a way to make two ports/interfaces in the firewall act as if they are both in the same network [namely here interface 7].

    Like, can we have two ports of the firewall with the same setup so that we could connect each unit of the load balancer to one of them?

    One last question - what should I study to get to know everything about the firewall setup including the terminology and basic concepts? Is there a course for that provided by Juniper? - because I noticed that the help files assume you already know all the concepts and terminology.

    Thanks a lot for your help


  • 2.  RE: SSG-140 two interfaces for the same network

    Posted 04-04-2011 11:44

    Under Network, Routing, Virtual Routers, Edit Trust-VR and put the check mark in "Ignore Subnet Conflict for Interfaces in This VRouter". This should allow you to do what you are asking.

    Juniper training is available worldwide. See more @ http://www.juniper.net/us/en/training/technical_education/



  • 3.  RE: SSG-140 two interfaces for the same network

    Posted 04-04-2011 15:40

    Hi Jason,

    I am sorry - I just noticed I made a mistake in the diagram - interface 7 currently is 192.168.20.251 - does that change your answer?

    What we need to do is still the same.

    So will we still be able to configure two interfaces with the same configurations as long as I do check the option you mentioned, and both interfaces will work normally and accept traffic and route it to other networks/interfaces?

    Thanks

    M. Hammad



  • 4.  RE: SSG-140 two interfaces for the same network
    Best Answer

    Posted 04-04-2011 16:43

    To add the second load balancer on your DMZ eth0/7 you can use the bgroup option.  Bridge groups put multiple interfaces into a layer 2 bridge with the ip address assigned on the firewall to the group and not the individual interfaces.  Thus you can put two load balancers each with their own 192.168.20.0/24 address directly connected to eth0/7 and eth0/6 and the firewall ip address of 192.168.20.251 assigned to bgroup0 with both these interfaces as members.

    Ultimately for dual firewalls you will need to have these connections on a switch vlan.  Otherwise when a firewall failover occurs the load balancers cannot reach the working firewall.  You would also deploy two switches so they don't become a single point of failure.  

    For dual firewalls you have one or two HA ports directly connected that pass the sync and traffic information.

    And finally you would install two NIC in each server and configure them as a team so they appear as a single card to the OS.  Then each one goes to a different switch.  Again if a switch fails all servers are still up.  Or you can simply put half the servers on one switch and the rest on the other.

    Attached is a quick and dirty representation.

    Documentation

    Here are some general resources you can use to learn the systems.

    Concepts & Examples Guide documentation (free but very long and detailed) - The feature set is rich.  Skim the table of contents for each volume and determine which features are applicable to your network. Then you can use the sample concepts and examples in these guides to create the configuration on your test unit.  You may need other firewalls to create routing or VPN tunnels with for these exercises.

    http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html

    NetScreen JNCIS-FWV Study Guide (PDF) - unofficial study guide compiled by Jason Ha.  He is a network engineer that also prepped for the exam and shares this material.

    http://sin.pvs.ro/NetscreenJNCIS-FWV-StudyGuide-v1.3-public.pdf

    Configuring Juniper Networks NetScreen & SSG Firewalls - If you want a more formal organized introduction, the Syngress introduction to SSG firewalls is really well done.  Experienced people can skip the opening chapters that start with even the networking firewall basics, but this organizes and introduces the major concepts of ScreenOS configuration and I found it very helpful.

    http://www.amazon.com/Configuring-Juniper-Networks-NetScreen-Firewalls/dp/1597491187/ref=sr_1_2?ie=UTF8&s=books&qid=1267879875&sr=8-2

    ScreenOS Cookbook - There is also the O'Reilly "Cookbook" for the ScreenOS.  This is a great reference I use as a first stop for setting up new features.  It is a quick and dirty guide to how to perform specific functions.  There is not really anything here that is not in the concepts and examples documentation, and that is the place to go when you don't understand or need to modify a configuration presented here, but it is a very convenient short cut for me.

    http://www.juniper.net/us/en/training/jnbooks/screenos_ckbk.html
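    The CLI equivalent of the two approaches discussed in this thread, written as an added example rather than any poster's running configuration: option A is the "Ignore Subnet Conflict" flag from reply 2, option B the bgroup design from reply 4. It assumes ScreenOS 6.x command syntax, that ethernet0/6 is currently unused, and that 192.168.20.252 is a free address for the second Layer-3 interface in option A; lines starting with `#` are annotations for the reader, not CLI input, and the commands should be checked against the CLI reference for the release in use before being typed on a production unit.

```screenos
# ---- Option A (reply 2): tolerate two Layer-3 interfaces in one /24 ----
# The virtual router normally rejects a second interface whose subnet
# overlaps an existing one. This flag suppresses the check, but the two
# ports stay separate broadcast domains and trust-vr ends up with two
# connected routes for 192.168.20.0/24, so it is the weaker design.
# (Skip this block if you choose option B.)
set vrouter trust-vr ignore-subnet-conflict
set interface ethernet0/6 zone trust
set interface ethernet0/6 ip 192.168.20.252/24

# ---- Option B (reply 4): bridge group, one IP shared by two ports ----
# Member ports must carry no IP and sit in the Null zone before joining.
unset interface ethernet0/7 ip
unset interface ethernet0/7 zone
unset interface ethernet0/6 ip
unset interface ethernet0/6 zone

# bgroup0 becomes the Layer-3 interface; the two physical ports are
# switched at Layer 2, so each load balancer sees the same 192.168.20.251
# gateway and can fail over without the firewall noticing.
set interface bgroup0 zone trust
set interface bgroup0 port ethernet0/6
set interface bgroup0 port ethernet0/7
set interface bgroup0 ip 192.168.20.251/24
set interface bgroup0 route

# Management services on a new interface inherit the zone defaults.
# On the load-balancer-facing group, enable only what is needed.
unset interface bgroup0 manage
set interface bgroup0 manage ping

# Verify: bgroup0 should list both member ports and hold the address,
# and the connected route for 192.168.20.0/24 should now point at bgroup0.
get interface bgroup0
get route
save
```

    Note that both member ports still belong to the Trust zone, so policies between the load balancers and the server network on ethernet0/9 are intra-zone; if the load balancer segment should be treated as a DMZ, bind bgroup0 to a separate zone instead of trust so that inter-zone policies apply.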



  • 5.  RE: SSG-140 two interfaces for the same network

    Posted 04-05-2011 07:41

    Mr. Steve,

    I can't find the words to describe how much appreciation I have for your help with the situation - you took the time to even address other points you knew I would face later on that had nothing to do with the firewall.

    Thanks a lot, Sir. Appreciated.

    I'll be trying this solution over the next couple of weeks, as we only have one firewall and trials will be on weekends only - I'll report back once complete.

    Regards