
Sow & Poa Firewall - Hdbfs - v1.1

Uploaded by

Raj Khanna

Task Scope of Work for Firewall HA Configuration and Testing

1 Review and Prerequisites fulfillment


1.1 HA Group Name
1.2 Cluster Password
1.3 Heartbeat Interfaces and Interfaces to be monitored
1.4 IP address/VLAN to be configured (Switch SVI IP)
1.5 Reachability to remote IP address from Firewall Interface
1.6 Backup of Firewall devices
2 Configuration and Verification
2.1 Configuration of SVI on switch with reachability to Firewalls
2.2 Configuration of Remote Link Monitor and HA on Firewalls
2.3 Verification of HA status and reachability
3 HA Failover scenario Testing of Firewalls
4 Final Document for Test case scenarios

Task Scope of Work for DMZ-STACK SWITCH Configuration and Testing


1 Review and Prerequisites fulfillment
1.1 To Save the Running config of the DMZ-STACK Switch
1.2 To Conduct pre-activity application checks and confirmation by HDBFS
1.3 To Take Config back up of the DMZ-Stack Switch
1.4 Required Vlan 6 Range Free IP address ( + Subnet Mask ), which is not
used anywhere in the Network
2 Configuration and Verification
2.1 Configuration of SVI on DMZ-Stack Switch
2.2 Verification and reachability test with Firewall
2.3 To Conduct post-activity application checks and confirmation by HDBFS
2.4 To Save the Running config of the DMZ-STACK Switch post Successful activity
POA - Fortigate HA Cluster Configuration with Remote Link-monitoring

Columns: Sr. No. / Task / Activity / Execution / Responsibility / Estimated Time / Dependency / Downtime

Sr. No. 1 - Task: Prerequisites
Activity:
• HA Group Name
• Cluster Password
• Heartbeat Interfaces and Interfaces to be monitored
• Remote IP address to be monitored (Switch SVI IP)
• Reachability to remote IP address from Firewall Interface
• Backup of Firewall devices
Execution: NA
Responsibility: HDBFS
Estimated Time: 1 Day
Dependency: NA
Downtime: No

Sr. No. 2 - Task: Configuration of HA and Remote Link Monitor
Activity: GUI Configuration of HA parameters on Primary and Secondary Firewall
Execution:
1. Configuration of Mode Active-Passive on both the firewalls
2. Configuration of Device Priority (Higher on Primary, >128)
3. Configuration of Group name and Password on both the firewalls
4. Configuration of Monitor Interfaces
5. Configuration of Heartbeat Interfaces
Activity: CLI Configuration of Remote Link Monitor and HA parameters on Primary and Secondary Firewall
Execution:
1. Configuration of Remote Link Monitoring
    config system link-monitor
    edit ha-link-monitor
    set server <IP address to be monitored>
    set srcintf <Egress Interface to Server IP address>
    set ha-priority 1
    set interval 1
    set failtime 5
    end
2. Configuration of HA Parameters
    config system ha
    set override enable
    set override-wait-time 300
    set pingserver-monitor-interface <Egress Interface to Server IP address>
    set pingserver-failover-threshold 0
    set pingserver-slave-force-reset enable
    set pingserver-flip-timeout 60
    end
Responsibility: HDBFS/Softcell
Estimated Time: 60 Mins
Dependency: GUI and CLI admin access for both the Firewalls
Downtime: Yes

Sr. No. 3 - Task: HA Test
Activity:
• Check the HA Status in GUI and CLI
• Test Failover Scenario
Execution:
1. Test Failover by disconnecting physical connectivity from Primary Firewall to Fireeye
2. Test Failover Override by connecting cable back from Fireeye to Primary Firewall
3. Test Failover by making remote server IP unreachable from Primary Firewall
4. Test Failover Override by establishing communication of Primary Firewall with remote server IP
Responsibility: HDBFS/Softcell
Estimated Time: 90 Mins
Dependency: Physical Removal of cables onsite. And admin access to switch.
Downtime: Yes

Sr. No. 4 - Task: Rollback
Activity: If HA failed, revert all the HA configurations to previous configuration as per backup
Execution: Reverting the HA configuration back to current setup
Responsibility: HDBFS/Softcell
Estimated Time: 30 mins
Dependency: GUI and CLI access for both the Firewalls
Downtime: Yes

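
A consistency check that can be run on each firewall's config backup before the failover tests. This is an added example, not part of the original plan: it parses the "config system ha" and "config system link-monitor" sections and reports where they deviate from the values in the POA above. The function names, the interface names (port1 to port4) and the address 192.0.2.1 are assumptions made for the constructed sample.

```python
import re

# Constructed sample of the relevant part of a primary-unit config backup.
# Interface names and the server address are placeholders, not plan values.
SAMPLE_BACKUP = """\
config system ha
    set mode a-p
    set hbdev "port3" 50 "port4" 50
    set override enable
    set priority 200
    set monitor "port1" "port2"
    set pingserver-monitor-interface "port2"
end
config system link-monitor
    edit "ha-link-monitor"
        set server "192.0.2.1"
        set srcintf "port2"
        set ha-priority 1
        set failtime 5
    next
end
"""

def parse_settings(text, section):
    """Return {option: [values]} for the 'set' lines under 'config <section>'.
    Assumes one link-monitor entry and no nested config blocks."""
    settings, inside = {}, False
    for line in text.splitlines():
        words = [w.strip('"') for w in re.findall(r'"[^"]*"|\S+', line)]
        if words[:1] == ["config"]:
            inside = " ".join(words[1:]) == section
        elif inside and words[:1] == ["set"] and len(words) > 2:
            settings[words[1]] = words[2:]
    return settings

def check_plan(text, primary=True):
    """List deviations from the POA values; an empty list means consistent."""
    ha = parse_settings(text, "system ha")
    lm = parse_settings(text, "system link-monitor")
    mon_if = set(ha.get("pingserver-monitor-interface", []))
    checks = [  # priority falls back to 128, the default a backup omits
        (ha.get("mode") == ["a-p"], "mode is not a-p"),
        (ha.get("override") == ["enable"], "override is not enabled"),
        (not primary or int(ha.get("priority", ["128"])[0]) > 128,
         "primary priority is not above 128"),
        (bool(ha.get("hbdev")) and bool(ha.get("monitor")),
         "heartbeat or monitored interfaces missing"),
        (bool(set(lm.get("srcintf", [])) & mon_if),
         "link-monitor srcintf differs from pingserver-monitor-interface"),
        ("server" in lm and "ha-priority" in lm,
         "link-monitor server or ha-priority not set"),
    ]
    return [message for ok, message in checks if not ok]
```

Run it once per unit, with primary=False for the secondary firewall, and resolve every reported deviation before scheduling the downtime window.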
POA - DMZ-Stack Switch SVI Configuration

Columns: Sr. No. / Task / Activity / Execution / Responsibility / Estimated Time / Dependency / Downtime

Sr. No. 1 - Task: Prerequisites
Activity:
• Required Vlan 6 Range Free IP address ( + Subnet Mask ), which is not used anywhere in the Network ( HDBFS should check and confirm the same before providing the IP address )
• Config Backup of DMZ-Stack Switch
• Config level access required on DMZ-Stack Switches to configure SVI
Execution: NA
Responsibility: HDBFS
Estimated Time: 1 Day
Dependency: NA
Downtime: No

Sr. No. 2 - Task: Configuration of SVI on DMZ-Stack Switch
Activity: CLI Configuration on DMZ-Stack Switch
Execution:
1. Configuration of SVI on DMZ-Stack Switch
    config t
    interface vlan 6
    ip address <ip address> <subnet mask>
    exit
Responsibility: Softcell
Estimated Time: 30 Mins
Dependency: Required CLI access to the DMZ-Stack Switch
Downtime: Yes

Sr. No. 3 - Task: ICMP / Reachability Test
Activity:
• Check the Reachability from DMZ-Stack Switch to Firewall
• Application Testing
Execution:
1. Test ICMP Reachability from DMZ-Stack Switch to Firewall ( Source VLAN 6 SVI <----> Vlan 6 Interface IP address configured on the FW )
2. Post SVI Configuration All Application testing should be carried out
Responsibility: HDBFS/Softcell
Estimated Time: 30 Mins
Dependency: none
Downtime: Yes

Sr. No. 4 - Task: Rollback
Activity: If HA failed, revert all the DMZ-Stack Switch configuration to Previous working configuration
Execution: Will delete the SVI Configuration
Responsibility: Softcell
Estimated Time: 30 mins
Dependency: Required CLI access to the DMZ-Stack Switch
Downtime: No
