
High Availability Configuration Guide

Version 9

Document version 9402-1.0-08/11/2006


HA Configuration Guide

2

IMPORTANT NOTICE
Elitecore has supplied this information believing it to be accurate and reliable at the time of printing, but it is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Elitecore assumes no responsibility for any errors that may appear in this document. Elitecore reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.

USER’S LICENSE
The Appliance described in this document is furnished under the terms of Elitecore’s End User License Agreement. Please read these terms and conditions carefully before using the Appliance. By using this Appliance, you agree to be bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return the unused Appliance and manual (with proof of payment) to the place of purchase for a full refund.

LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (2) the Software substantially conforms to its published specifications. Except for the foregoing, the Software is provided AS IS. This limited warranty extends only to the customer as the original licensee. The customer’s exclusive remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore’s or its service center’s option, repair, replacement, or refund of the Software if reported (or, upon request, returned) to the party supplying the Software to the customer. In no event does Elitecore warrant that the Software is error free, or that the customer will be able to operate the Software without problems or interruptions.

Elitecore hereby declares that the anti virus and anti spam modules are powered by Kaspersky Labs and their performance is under warranty provided by Kaspersky Labs. It is specified that Kaspersky Lab does not warrant that the Software identifies all known viruses, nor that the Software will not occasionally erroneously report a virus in a title not infected by that virus.

Hardware: Elitecore warrants that the Hardware portion of the Elitecore Products, excluding power supplies, fans and electrical components, will be free from material defects in workmanship and materials for a period of one (1) year. Elitecore’s sole obligation shall be to repair or replace the defective Hardware at no charge to the original owner. The replacement Hardware need not be new or of an identical make, model or part; Elitecore may, in its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that Elitecore reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware.

DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, non-infringement or arising from a course of dealing, usage, or trade practice, are hereby excluded to the extent allowed by applicable law. In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect, consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out of the use of or inability to use the product, even if Elitecore or its suppliers have been advised of the possibility of such damages. In no event shall Elitecore’s or its supplier’s liability to the customer, whether in contract, tort (including negligence) or otherwise, exceed the price paid by the customer.

The foregoing limitations shall apply even if the above stated warranty fails of its essential purpose. In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages, including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this manual, even if Elitecore or its suppliers have been advised of the possibility of such damages.

RESTRICTED RIGHTS
Copyright 2000 Elitecore Technologies Ltd. All rights reserved. Cyberoam and the Cyberoam logo are trademarks of Elitecore Technologies Ltd. Information supplied by Elitecore Technologies Ltd. is believed to be accurate and reliable at the time of printing, but Elitecore Technologies assumes no responsibility for any errors that may appear in this document. Elitecore Technologies reserves the right, without notice, to make changes in product design or specifications. Information is subject to change without notice.

CORPORATE HEADQUARTERS
Elitecore Technologies Ltd.
904 Silicon Tower, Off. C.G. Road, Ahmedabad – 380015, INDIA
Phone: +91-79-26405600
Fax: +91-79-26407640
Web site: www.elitecore.com, www.cyberoam.com


Guide Sets

Guide: Describes

User Guide:
Console Guide: Console Management
Windows Client Guide: Installation & configuration of Cyberoam Windows Client
Linux Client Guide: Installation & configuration of Cyberoam Linux Client
HTTP Client Guide: Installation & configuration of Cyberoam HTTP Client
Analytical Tool Guide: Using the Analytical tool for diagnosing and troubleshooting common problems
LDAP Integration Guide: Configuration for integrating LDAP with Cyberoam for external authentication
ADS Integration Guide: Configuration for integrating ADS with Cyberoam for external authentication
PDC Integration Guide: Configuration for integrating PDC with Cyberoam for external authentication
RADIUS Integration Guide: Configuration for integrating RADIUS with Cyberoam for external authentication
High Availability Configuration Guide: Configuration of High Availability (HA)
Multi Link Manager User Guide: Configuration of Multiple Gateways, load balancing and failover
VPN Management: Implementing and managing VPN
Cyberoam IDP Implementation Guide: Configuring, implementing and managing Intrusion Detection and Prevention
Cyberoam Anti Virus Implementation Guide: Configuring and implementing anti virus solution
Cyberoam Anti Spam Implementation Guide: Configuring and implementing anti spam solution


Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to the Customer care/service department at the following address:

Corporate Office
eLitecore Technologies Ltd.
904, Silicon Tower
Off C.G. Road
Ahmedabad 380015
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com

Cyberoam contact:
Technical support (Corporate Office): +91-79-26400707
Email: [email protected]
Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.


Typographic Conventions

Material in this manual is presented in text, screen displays, or command-line notation.

Item: Convention. Example

Server: Machine where Cyberoam Software - Server component is installed.
Client: Machine where Cyberoam Software - Client component is installed.
User: The end user.
Username: Username uniquely identifies the user of the system.
Part titles: Bold and shaded font typefaces. Example: Report
Topic titles: Shaded font typefaces. Example: Introduction
Subtitles: Bold & black typefaces. Example: Notation conventions
Navigation link: Bold typeface. Example: Group Management → Groups → Create. It means: to open the required page, click on Group Management, then on Groups, and finally click the Create tab.
Name of a particular parameter / field / command button text: Lowercase italic type. Example: Enter policy name (replace policy name with the specific name of a policy), or Click Name to select (where Name denotes the command button text which is to be clicked).
Cross references: Hyperlink in a different color. Example: refer to Customizing User database. Clicking on the link will open the particular topic.
Notes & points to remember: Bold typeface between the black borders. Example: Note
Prerequisites: Bold typeface between the black borders. Example: Prerequisite, followed by the prerequisite details.


Contents

Overview
Cyberoam HA terminology
How Cluster works
Before configuring HA
Configure Primary appliance
Miscellaneous Settings
Disable HA
Switch Appliance to Standby mode
Disable Auto Synchronization
Manual Synchronization
Synchronize Primary appliance with Secondary appliance
Monitor HA health


Overview

Welcome to Cyberoam’s HA Configuration Guide.

Cyberoam is an Identity-based UTM Appliance. Cyberoam’s solution is purpose-built to meet the security needs of corporates, government organizations, and educational institutions. Cyberoam’s perfect blend of best-of-breed solutions includes user based Firewall, Content filtering, Anti Virus, Anti Spam, Intrusion Detection and Prevention (IDP), and VPN.

Cyberoam provides increased LAN security by providing a separate port for connecting to the publicly accessible servers like Web server, Mail server, FTP server etc. hosted in the DMZ, which are visible to the external world and still have firewall protection.

Hardware failure, such as a failure of the power supply, hard disk, or processor, is the main reason behind the failure of an Internet security system and/or a firewall. To provide a reliable and continuous connection to the Internet and also to provide security services such as firewall, VPN, Intrusion detection and prevention, virus scanning, web filtering, and spam filtering, Cyberoam allows configuring two appliances to function as a single Cyberoam Appliance and provide high availability.

Cyberoam uses clustering technology to ensure high availability. In a cluster, two Cyberoam Appliances are grouped together and instructed to work as a single entity.


Cyberoam HA terminology

1. Primary Appliance

Cyberoam appliance configured in the HA cluster to process network traffic. Under normal operating conditions, it operates in an ACTIVE mode.

2. Secondary Appliance

Cyberoam appliance which is configured in the HA cluster but does not process the network traffic. Under normal operating conditions, it operates in ACTIVE-STANDBY mode. Only the failed SSH connections from the Secondary appliance are logged.

3. Cluster IP

The Cluster IP address is configured on both HA appliances, but only the appliance which is ACTIVE owns the address, and it is used for routing network traffic. All external clients use this address to communicate with the ACTIVE appliance.

4. Heartbeat

Communication between the cluster appliances is called Heartbeat. Through the heartbeat, cluster appliances constantly communicate HA status information to make sure that the cluster is operating properly. The heartbeat is exchanged every 2 seconds.

5. Dedicated HA Link Port

Cluster appliances use a dedicated Ethernet interface to communicate cluster information and to synchronize with each other. This dedicated Ethernet interface is called the Dedicated HA Link port. The Dedicated HA link port must be one of the LAN zone interfaces only.

6. Synchronization

The process of sharing the cluster configuration, routing table and individual cluster appliance status between Cluster appliances (HA peers). Reports generated by Cyberoam are not synchronized.

7. LAN IP Address(s) for Ping Test

To periodically determine the health of the network, you can specify an IP address in the same subnet as the LAN to which ICMP echo request packets are sent and from which replies are awaited. If the appliance does not receive a reply within the predefined period, it is considered that there is no connectivity with the LAN, and the primary appliance is taken over by the secondary appliance.

8. Device Failover

If an appliance does not receive a heartbeat from its HA peer within the predetermined period of time, the peer appliance is considered to have failed. This process is termed Device Failover, because when it occurs the peer appliance is taken over.


9. Appliance states

Active: An appliance in Active mode processes the network traffic while the peer appliance runs in Active-Standby mode. The Active appliance owns the Cluster IP address. Peer appliances automatically synchronize with each other every 2 hours if Auto Synchronization is enabled. The peer appliance takes over from the Active appliance in case of device failure.

Active-Standby: An appliance in Active-Standby mode does not process network traffic but temporarily takes over from the peer appliance in case the peer appliance fails. The Active-Standby appliance takes over from the Active appliance if the heartbeat is not received from the Active appliance within the predetermined period.

Standby: An appliance in Standby mode is the non-operational appliance in the cluster, and the peer appliance becomes ACTIVE to process network traffic. If the Active appliance fails, a Standby appliance cannot take over.

Not Available: The appliance is not available for takeover in case the peer appliance fails.

10. HA Mode

HA Mode (displayed on the Primary appliance)
• Not Configured – Appliance is not configured for HA
• Active, Secondary as Active Standby
• Active, Secondary not Available
• Standby

HA Mode (displayed on the Secondary appliance)
• Not Configured – Appliance is not configured for HA
• Active-Standby
• Active, Primary on Standby
• Active, Primary not Available


How Cluster works

Cyberoam offers active-passive high availability (HA) by using a cluster IP address shared between a primary appliance and a secondary appliance linked together as a “cluster”. The two appliances, primary and secondary, connect over a dedicated HA interface link. The primary appliance is in ‘Active’ mode and routes all network traffic, while the secondary appliance waits in Active-Standby mode, ready to operate as the primary appliance in case the primary appliance fails.

The secondary appliance monitors the primary appliance through the HA link. The primary appliance regularly sends heartbeat requests through this link, which are answered by the secondary appliance. If no heartbeat is received from the primary appliance, the device is considered to have failed. In this case, the secondary appliance takes ownership of the virtual (cluster) IP address from the primary appliance and becomes the primary appliance temporarily. The primary appliance automatically takes over from the secondary appliance once it starts functioning again.
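The failover behaviour described above and under "Appliance states", written out as a small discrete-time model. This is an added example, not Cyberoam code: the 2-second heartbeat comes from the guide, while HEARTBEAT_TIMEOUT, PING_TIMEOUT and the sample session names are assumptions.

```python
"""Discrete-time model of the active-passive failover described above (added
example, not Cyberoam code). Rules taken from the page: the Active appliance
owns the cluster IP; heartbeats go out every 2 s; the Active-Standby peer takes
over when the heartbeat stops or the LAN ping test fails; a peer put on Standby
cannot take over; a repaired primary takes back over; sessions are not
synchronized. HEARTBEAT_TIMEOUT and PING_TIMEOUT are assumptions (the page only
says "predetermined period")."""
HEARTBEAT_INTERVAL = 2   # seconds, from the page
HEARTBEAT_TIMEOUT = 6    # assumption: three missed heartbeats
PING_TIMEOUT = 6         # assumption
ACTIVE, ACTIVE_STANDBY, STANDBY, NOT_AVAILABLE = (
    "Active", "Active-Standby", "Standby", "Not Available")


class Cluster:
    def __init__(self):
        self.t = 0
        self.up = {"primary": True, "secondary": True}
        self.admin_standby = {"primary": False, "secondary": False}
        self.owner = "primary"        # appliance that currently owns the cluster IP
        self.failed_over = False      # True while the secondary holds the IP after a failure
        self.last_heartbeat = 0       # last heartbeat seen from the primary
        self.last_lan_reply = 0       # last ICMP reply seen by the primary's ping test
        self.sessions = set()         # sessions on the owner; not synchronized
        self.log = []

    def state(self, unit):
        """HA state of one appliance, as the page defines the four states."""
        if not self.up[unit]:
            return NOT_AVAILABLE
        if self.admin_standby[unit]:
            return STANDBY
        return ACTIVE if self.owner == unit else ACTIVE_STANDBY

    def set_standby(self, unit, flag=True):
        """'Put on Standby': the Active-Standby peer becomes Active at once."""
        self.admin_standby[unit] = flag
        peer = "secondary" if unit == "primary" else "primary"
        if flag and self.owner == unit and self.state(peer) == ACTIVE_STANDBY:
            self._switch(peer, f"{unit} put on standby", failure=False)

    def step(self, seconds=1, lan_reachable=True):
        """Advance the clock one second at a time and re-evaluate failover."""
        for _ in range(seconds):
            self.t += 1
            if self.up["primary"] and self.t % HEARTBEAT_INTERVAL == 0:
                self.last_heartbeat = self.t
            if lan_reachable:
                self.last_lan_reply = self.t
            self._evaluate()

    def _evaluate(self):
        hb_lost = self.t - self.last_heartbeat >= HEARTBEAT_TIMEOUT
        lan_lost = self.t - self.last_lan_reply >= PING_TIMEOUT
        if self.owner == "primary" and (hb_lost or lan_lost):
            if self.state("secondary") == ACTIVE_STANDBY:   # a Standby peer cannot take over
                self._switch("secondary", "heartbeat lost" if hb_lost else "LAN ping test failed")
        elif self.failed_over and not (hb_lost or lan_lost):
            if self.state("primary") == ACTIVE_STANDBY:     # primary functioning again
                self._switch("primary", "primary back in service", failure=False)

    def _switch(self, new_owner, reason, failure=True):
        self.log.append((self.t, f"{new_owner} takes over cluster IP: {reason}"))
        self.owner, self.failed_over = new_owner, failure
        self.sessions.clear()         # no session sync: clients must renegotiate


def scenario_failover():
    """Primary fails, secondary takes over, repaired primary takes back over."""
    c = Cluster()
    c.sessions.update({"vpn-1", "http-2"})   # constructed sample sessions
    c.step(4)
    healthy = (c.state("primary"), c.state("secondary"))
    c.up["primary"] = False                  # e.g. power supply failure
    c.step(HEARTBEAT_TIMEOUT)
    failed = (c.state("primary"), c.state("secondary"), len(c.sessions))
    c.up["primary"] = True
    c.step(HEARTBEAT_INTERVAL)
    return healthy, failed, c.owner, c.log
```

Calling `scenario_failover()` shows the secondary taking the cluster IP six seconds after the last heartbeat, the session set being emptied, and the primary resuming ownership at its next heartbeat.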

Before configuring HA

Before attempting to configure two Cyberoam appliances as an HA pair for Hardware Failover, check the following requirements:

• Both appliances in the HA pair, i.e. the primary and secondary appliances, must be the same hardware model.
• Both appliances in the HA pair must have the same version installed.
• You must have separate licenses for the primary and secondary appliances. The same subscription modules should be enabled on both appliances; otherwise these modules will not be supported in the event of a failure of the Primary appliance. For example, if the IDP module is enabled on the Primary appliance and not enabled on the Secondary appliance, then on failover, when the Secondary appliance becomes Active, IDP policies will not be applied.
• HA requires three unique LAN IP addresses to operate – a virtual gateway IP address, a unique LAN IP address for the Primary appliance, and a unique LAN IP address for the Secondary appliance.
• The Dedicated HA link port should be from the LAN zone interface only and should have a unique IP address on both appliances.
• The Primary and Secondary appliances are currently only capable of performing active-passive HA.
• Session state is not currently synchronized between the Primary and Secondary appliances. If a failover occurs, any session that had been active at the time of failover needs to be renegotiated.
• The Cyberoam version will be automatically upgraded on the Primary appliance if ‘Autoupgrade’ is ON, but the Secondary appliance has to be upgraded manually after upgrading the Primary appliance.


Configure Primary appliance

Note
1. Configure the Secondary appliance and define the LAN and Heartbeat Interface IP addresses before physically connecting both appliances.
2. Create a Firewall rule on the primary as well as the secondary appliance with the following parameters:
   • Source: LAN/Any Host
   • Destination: LOCAL/Dedicated HA link port
   • Service: HA Service
   • Action: Accept
3. Create 3 DoS Bypass rules on the primary as well as the secondary appliance with the following parameters:
   Rule 1: Source IP: IP address defined as Cluster IP; Source Port: *; Destination IP: *; Destination Port: *; Network Protocol: All Protocol
   Rule 2: Source IP: IP address defined as Peer IP address; Source Port: *; Destination IP: *; Destination Port: *; Network Protocol: All Protocol
   Rule 3: Source IP: IP address defined as LAN IP Address(s) for Ping Test; Source Port: *; Destination IP: *; Destination Port: *; Network Protocol: ICMP

Steps
1. Connect the Heartbeat interface on the Primary and Secondary appliance with a cross cable.
2. Specify any of the LAN ports as the Cluster Port.
3. Specify the Cluster IP. The Cluster IP address must be on the same subnet as the LAN.
4. Specify any of the LAN ports as the Dedicated HA link Port. The Dedicated HA link port cannot be the same as the Cluster port.
5. Specify the Peer IP Address, i.e. the IP Address of the Secondary appliance.
6. Specify the LAN IP address(s) for Ping Test.
7. Click Configure HA & Sync with Secondary.

If everything is cabled and configured properly and HA is enabled successfully:
• The current mode in the Primary appliance will change to ‘Active, Secondary as Active-Standby’.
• Two additional options – Disable HA and Put on Standby – are made available.
• By default, once HA is enabled successfully, both appliances will synchronize automatically, but later on, whenever required, they are to be synchronized manually.
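As an added example that is not part of the guide, the following Python script checks a candidate pair against the requirements listed under "Before configuring HA" and the port and subnet constraints in the steps above. The Appliance record, the port names, addresses, model and version strings are constructed sample values, not data from a real appliance.

```python
"""Pre-flight checks for a two-appliance HA pair (added example, not Cyberoam
code). It encodes the requirements from "Before configuring HA" and the
constraints in the configuration steps: same hardware model and version,
identical subscription modules, three unique LAN IP addresses in one subnet
(cluster IP, primary LAN IP, secondary LAN IP), a dedicated HA link port that is
a LAN-zone interface and differs from the cluster port, and unique HA link IPs.
All appliance data below is constructed sample input."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Appliance:
    name: str
    model: str
    version: str
    modules: frozenset         # enabled subscription modules, e.g. {"IDP", "AV"}
    lan_ip: str                # this appliance's own LAN IP
    lan_zone_ports: frozenset  # interfaces that belong to the LAN zone
    cluster_port: str
    ha_link_port: str          # dedicated HA link (heartbeat) port
    ha_link_ip: str


def preflight(primary, secondary, cluster_ip, lan_subnet):
    """Return the list of problems found; an empty list means HA can be enabled."""
    problems = []
    net = ipaddress.ip_network(lan_subnet, strict=False)
    if primary.model != secondary.model:
        problems.append("hardware model differs between the appliances")
    if primary.version != secondary.version:
        problems.append("software version differs between the appliances")
    # A module enabled only on the primary is silently lost after a failover.
    for mod in sorted(primary.modules - secondary.modules):
        problems.append(f"module {mod} enabled on primary but not on secondary")
    ips = {"cluster IP": cluster_ip, "primary LAN IP": primary.lan_ip,
           "secondary LAN IP": secondary.lan_ip}
    for label, ip in ips.items():
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{label} {ip} is not in LAN subnet {lan_subnet}")
    if len(set(ips.values())) != 3:
        problems.append("cluster IP, primary LAN IP and secondary LAN IP must be unique")
    for app in (primary, secondary):
        if app.ha_link_port not in app.lan_zone_ports:
            problems.append(f"{app.name}: HA link port {app.ha_link_port} is not a LAN zone interface")
        if app.ha_link_port == app.cluster_port:
            problems.append(f"{app.name}: HA link port must differ from cluster port {app.cluster_port}")
    if primary.ha_link_ip == secondary.ha_link_ip:
        problems.append("HA link IP address must be unique on each appliance")
    return problems


# Constructed sample pair: the secondary lacks the IDP module and reuses the
# cluster port as its HA link port. Model and version strings are placeholders.
PRIMARY = Appliance("primary", "MODEL-X", "9", frozenset({"IDP", "AV"}),
                    "192.168.1.2", frozenset({"A", "B"}), "A", "B", "10.0.0.1")
SECONDARY = Appliance("secondary", "MODEL-X", "9", frozenset({"AV"}),
                      "192.168.1.3", frozenset({"A", "B"}), "A", "A", "10.0.0.2")
CLUSTER_IP, LAN_SUBNET = "192.168.1.1", "192.168.1.0/24"


def check_sample_pair():
    return preflight(PRIMARY, SECONDARY, CLUSTER_IP, LAN_SUBNET)


def check_fixed_pair():
    """Same pair after enabling IDP on the secondary and moving its HA link to port B."""
    fixed = replace(SECONDARY, modules=frozenset({"IDP", "AV"}), ha_link_port="B")
    return preflight(PRIMARY, fixed, CLUSTER_IP, LAN_SUBNET)


if __name__ == "__main__":
    for p in check_sample_pair():
        print("-", p)
```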


Screen - Primary appliance after configuring HA

Screen - Secondary appliance after configuring HA

Miscellaneous Settings Configure mail server and email address where the cluster has to send alert emails for HA status changes. HA status changes occur when a cluster unit switches between operating as a primary and operating as a secondary appliance.


Note Mail server configuration in HA settings will change automatically if mail server setting is changed from the Network Configuration Wizard and vice versa.

Disable HA HA can be disabled from HA configuration page from either of the Appliances. If HA is disabled from primary appliance, run Network Configuration wizard from both the appliances as all the ports except LAN and Cluster Interfaces will be down. If HA is disabled from Secondary appliance, secondary appliance is simply removed from the cluster but primary appliance will still be in ACTIVE mode and process network traffic.


Switch Appliance to Standby mode Either of the appliances can be changed to standby mode. The appliance which is switched to standby mode is the non-operational appliance in the cluster and the peer appliance becomes ACTIVE appliance to process network traffic. If the Active appliance fails, standby appliance cannot take over.

Standby mode can be disabled from any of the appliances. As soon as you disable standby mode, the current mode changes to ‘Active-Standby’.


Disable Auto Synchronization If Auto Synchronization is enabled, Secondary appliance synchronizes settings with the primary appliance every 2 hours. Auto Synchronization can be disabled from the Secondary appliance only. To disable Auto Synchronization, go to HA Settings and click Disable Auto Synchronization.

Note


• By default Auto Synchronization is disabled
• Auto Synchronization can be disabled from the Secondary appliance only
• If Auto Synchronization is disabled, Secondary appliance will have to be synchronized manually.
• If Auto Synchronization is disabled, Primary appliance can also be synchronized with secondary appliance.

Manual Synchronization Manual synchronization can be done from Secondary appliance only provided Auto Synchronization is disabled. Manual synchronization gets data updates except the reports from the primary appliance i.e. no reports will be synchronized. HA settings page displays the synchronization details like synchronization attempts, date and time of attempts.

Synchronize Primary appliance with Secondary appliance

In normal conditions, Secondary appliance is synchronized with the Primary appliance. But if need arises Primary appliance can also be forcefully synchronized with the Secondary appliance. Primary appliance can be synchronized with the Secondary appliance only from the Primary appliance. Go to HA Settings and click Get data update from Secondary.


Monitor HA health

You can monitor HA health using the Diagnostic Tool.

HA service
Status: Description
OK: HA service is functioning properly
Critical: HA service is not functioning

HA communication
Status: Description
OK: Heartbeat is communicated
Critical: Heartbeat communication has stopped. This may happen if the peer appliance is down or there is no connectivity between peers.
