Gaia VRRP setup guide
create VRID and backup-addresses
From the clish prompt on each member, create the VRID, add the backup addresses, and save the configuration. The commands are identical on both members except for the priority (100 on chkpfw1, 95 on chkpfw2).
[Expert@chkpfw1]# clish
chkpfw1> add mcvr vrid 100 priority 100 priority-delta 10
chkpfw1> add mcvr vrid 100 backup-address 172.16.31.1
chkpfw1> add mcvr vrid 100 backup-address 192.168.175.1
chkpfw1> save config
[Expert@chkpfw2]# clish
chkpfw2> add mcvr vrid 100 priority 95 priority-delta 10
chkpfw2> add mcvr vrid 100 backup-address 172.16.31.1
chkpfw2> add mcvr vrid 100 backup-address 192.168.175.1
chkpfw2> save config
configure cluster object
If upgrading from SecurePlatform, you will need to set the O.S. version on the cluster object. Once you do this, the "ClusterXL" option on the left side expands to read "ClusterXL and VRRP".
Select VRRP as your HA method. Also, I like to enable the "Forward Cluster Incoming traffic..." option. Otherwise you cannot ping your VRRP backup / cluster IPs to see if they are working.
Add a rule to allow VRRP advertisements
Failure to do so will cause master/master status (each member stops seeing the other's advertisements and both claim to be master).
Proxy arps
If you have NATs with associated proxy ARPs, you will need to adjust them to match the new VRRP configuration. VRRP by default uses a multicast MAC. Most likely, if you are upgrading from SPLAT and CPHA, your proxy ARPs were using unicast MACs.
The VMAC will be 00:00:5e:00:01:xx, where xx is the hexadecimal form of your VRID. In this example our VRID is 100, so the VMAC is 00:00:5e:00:01:64. You can view this by running:
[Expert@chkpfw1]# clish -c "show vrrp interfaces" | grep -i vmac
VMAC Mode: VRRP
VMAC: 00:00:5e:00:01:64
VMAC Mode: VRRP
VMAC: 00:00:5e:00:01:64
Checking your configuration
[Expert@chkpfw1]# clish -c "show vrrp summary"
[Expert@chkpfw2]# clish -c "show vrrp summary"
Verify that your VRRP backup address is in effect. It will NOT show up in ifconfig output; use ip addr instead. Also, you cannot ping the backup addresses in Gaia like you could in IPSO.
[Expert@chkpfw1]# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff
    inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0
    inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0   <<< this line is the vrrp backup-address
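The two checks above (the VMAC every interface should now carry, and the backup address appearing as a secondary address on the master) are easy to script so they can be rerun after every proxy ARP change or failover. The following POSIX shell script is an added example, not part of the original guide or of Gaia itself: the function names (vrrp_vmac, check_vmac_output, has_backup_address) are my own, and the sample outputs are constructed from the captures shown in the guide. It assumes only the RFC 5798 VMAC format 00:00:5e:00:01:<VRID in hex> and the standard Linux ip addr output format.

```shell
#!/bin/sh
# Added example (not from the original guide): derive the VRRP virtual MAC for a
# VRID and verify captured Gaia / Linux output against it.

# vrrp_vmac VRID -> prints the IPv4 VRRP VMAC (RFC 5798: 00:00:5e:00:01:<VRID hex>).
vrrp_vmac() {
    vrid="$1"
    case "$vrid" in
        ''|*[!0-9]*) echo "vrid must be numeric" >&2; return 1 ;;
    esac
    if [ "$vrid" -lt 1 ] || [ "$vrid" -gt 255 ]; then
        echo "vrid must be 1-255" >&2; return 1
    fi
    printf '00:00:5e:00:01:%02x\n' "$vrid"
}

# check_vmac_output VRID OUTPUT -> succeeds when OUTPUT (a "show vrrp interfaces"
# capture) contains at least one "VMAC: xx" line and every one of them matches the
# VMAC expected for VRID. A stale unicast MAC on any interface makes it fail.
check_vmac_output() {
    expected=$(vrrp_vmac "$1") || return 1
    printf '%s\n' "$2" | awk -v want="$expected" '
        /VMAC:/ { for (i = 1; i < NF; i++)
                      if ($i == "VMAC:") { n++; if (tolower($(i + 1)) != want) bad++ } }
        END { exit (n == 0 || bad > 0) ? 1 : 0 }'
}

# has_backup_address ADDR OUTPUT -> succeeds when an "ip addr show" capture lists
# ADDR as a *secondary* address, which is how the VRRP backup address appears.
has_backup_address() {
    printf '%s\n' "$2" | awk -v a="$1" '
        $1 == "inet" && index($2, a "/") == 1 && / secondary / { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: the VMAC lines the guide shows for VRID 100.
SAMPLE_OK='VMAC Mode: VRRP
VMAC: 00:00:5e:00:01:64
VMAC Mode: VRRP
VMAC: 00:00:5e:00:01:64'

# Constructed sample: one interface still carries a unicast MAC (proxy ARP not updated).
SAMPLE_STALE='VMAC Mode: VRRP
VMAC: 00:00:5e:00:01:64
VMAC Mode: Static
VMAC: 00:0c:29:d8:3e:56'

# Constructed sample: the ip addr output shown in the guide, one field per line.
SAMPLE_IPADDR='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:d8:3e:56 brd ff:ff:ff:ff:ff:ff
    inet 172.16.31.9/28 brd 172.16.31.15 scope global eth0
    inet 172.16.31.11/28 brd 172.16.31.15 scope global secondary flags 10 eth0'

echo "expected VMAC for VRID 100: $(vrrp_vmac 100)"
check_vmac_output 100 "$SAMPLE_OK"    && echo "ok: every VMAC line matches VRID 100"
check_vmac_output 100 "$SAMPLE_STALE" || echo "mismatch: an interface still has a non-VRRP MAC"
has_backup_address 172.16.31.11 "$SAMPLE_IPADDR" && echo "ok: 172.16.31.11 is active as a secondary address"
has_backup_address 172.16.31.9 "$SAMPLE_IPADDR"  || echo "172.16.31.9 is the primary, not a VRRP backup address"
```

On a live member, replace the constructed samples with `clish -c "show vrrp interfaces"` and `ip addr show eth0` captures; running the check on both members after a failover confirms the backup address moved with the master.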
Failover
To control which firewall is master, adjust the priorities. In the beginning we set chkpfw1 priority to 100, and chkpfw2 to 95. If we elevate the priority of the latter, it will become master.
Example:
chkpfw2> set mcvr vrid 100 priority 105
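To reason about which member wins before touching a production cluster, it helps to work the election through with the numbers from this guide. The script below is an added example, not from the original guide or from Check Point; the function names are my own. It assumes Monitored Circuit VRRP semantics in which a member's effective priority is its configured priority minus priority-delta for each failed monitored interface, and the member with the highest effective priority becomes master (on an exact tie VRRP falls back to comparing primary IP addresses, which the script just reports as "tie").

```shell
#!/bin/sh
# Added example (not from the original guide): VRRP master election for the two
# members above. ASSUMPTION: effective priority = priority - (priority-delta * number
# of failed monitored interfaces); highest effective priority becomes master.

# effective_priority PRIORITY DELTA FAILED_IFACES -> prints the effective priority
# (never below 1, since priority 0 is reserved by VRRP for "release mastership").
effective_priority() {
    p=$(( $1 - $2 * $3 ))
    [ "$p" -lt 1 ] && p=1
    echo "$p"
}

# elect_master NAME1 PRIO1 NAME2 PRIO2 -> prints the member that becomes master,
# or "tie" when the priorities are equal and the operator should adjust them.
elect_master() {
    if [ "$2" -gt "$4" ]; then echo "$1"
    elif [ "$4" -gt "$2" ]; then echo "$3"
    else echo "tie"
    fi
}

# delta_covers_gap HIGH_PRIO LOW_PRIO DELTA -> succeeds when a single interface
# failure on the higher-priority member is enough to hand mastership to the other.
# If this fails, a dead link on the master does not trigger a failover.
delta_covers_gap() {
    [ $(( $1 - $3 )) -lt "$2" ]
}

DELTA=10   # priority-delta from the "add mcvr" commands in the guide

# 1) Initial state from the guide: chkpfw1 = 100, chkpfw2 = 95, all links up.
p1=$(effective_priority 100 "$DELTA" 0)
p2=$(effective_priority 95 "$DELTA" 0)
echo "initial: chkpfw1=$p1 chkpfw2=$p2 master=$(elect_master chkpfw1 "$p1" chkpfw2 "$p2")"

# 2) chkpfw1 loses one monitored interface: 100 - 10 = 90 < 95, so chkpfw2 takes over.
p1=$(effective_priority 100 "$DELTA" 1)
echo "chkpfw1 link down: chkpfw1=$p1 chkpfw2=$p2 master=$(elect_master chkpfw1 "$p1" chkpfw2 "$p2")"

# 3) The manual failover step: "set mcvr vrid 100 priority 105" on chkpfw2, all links up.
p1=$(effective_priority 100 "$DELTA" 0)
p2=$(effective_priority 105 "$DELTA" 0)
echo "after priority 105: chkpfw1=$p1 chkpfw2=$p2 master=$(elect_master chkpfw1 "$p1" chkpfw2 "$p2")"

# Sanity check of the chosen numbers: the 5-point gap (100 vs 95) is smaller than the
# delta of 10, so one failed interface on the master is enough to fail over.
delta_covers_gap 100 95 "$DELTA" && echo "priority-delta $DELTA covers the 100/95 gap"
```

The last check is the one worth keeping in a change checklist: if someone later widens the priority gap (say 100 versus 80) without raising priority-delta, a failed monitored interface on the master silently stops causing a failover.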