Replacing Firewall (Brocade 5600 vRouter) and Managed Firewall with vSRX (HA Configuration)

First Edition

Copyright © NTT Communications Corporation. All rights reserved.

Update History

Date        Edition  Description
2018/11/5   1        First edition


Prerequisites


* This document describes how to replace the Managed Firewall (M-FW) and the Firewall (Brocade 5600 vRouter, called vFW below) with the Firewall (vSRX). The settings of the Internet-GW, load balancer and web server (routing and so on) are not changed.

* The load balancer is in a two-arm configuration. For a one-arm configuration, substitute the terms to match your environment.

* The networks currently connected to the M-FW and the vFW are connected to the vSRX. Communication is interrupted while switching from the M-FW/vFW to the vSRX.

* For the basic vSRX configuration, see https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/basic/basic.html

* Configure the vSRX routing to match your configuration.

* When a vSRX is created, only the interface ge-0/0/0.0 is placed in the trust zone. After creation, assign each interface to a zone according to your environment.

* Both the vFW and the vSRX use stateful inspection, so the return traffic of a permitted session is allowed without an explicit rule. If your existing rules are stateless, adapt them to your environment.

* Perform the migration only after a pre-test.


Configuration and Migration Flow


Pre-migration Configuration (M-FW, vFW configuration)

[Diagram, reconstructed from its labels]

Internet: the client 180.xxx.xxx.xxx/32 reaches the public address 153.xxx.xxx.xxx/32 on the Internet-GW (act/stb).

External segment 192.168.30.0/24
  Internet-GW (act) .249, Internet-GW (stb) .248: VRID 1, VIP .250
  M-FW-01 Port 4 .101, M-FW-02 Port 4 .102: VRID 10, VIP .254

FW segment 192.168.20.0/24
  M-FW-01 Port 5 .101, M-FW-02 Port 5 .102: VRID 20, VIP .254
  vFW-01 (Master) dp0s4 .11, vFW-02 (Backup) dp0s4 .12: VRID 30, VIP .251

LB segment 192.168.10.0/24
  vFW-01 dp0s7 .11, vFW-02 dp0s7 .12: VRID 40, VIP .254
  LB-01 (M) 1/2 .6, LB-02 (B) 1/2 .7: VRID 50, VIP .251 (labelled VRID 30 on this slide; the later slides show VRID 50)

Server segment 172.16.10.0/24
  LB-01 1/1 .6, LB-02 1/1 .7
  Web-server-01 .1

Virtual servers inside the LB: http-vserver 172.16.100.1, https-vserver 172.16.100.2

* The M-FW rules reject all communication from the external segment and allow HTTP/HTTPS only from a specific source.

* A virtual server is set up inside the LB.

Migration Configuration 1

Step 1: vSRX subscription. Step 2: vSRX configuration (1. firewall settings, 2. DNAT configuration).

[Diagram: the pre-migration topology is unchanged; vSRX-01 and vSRX-02 have been created but are not yet connected to the external segment or the LB segment. Traffic still flows Internet-GW -> M-FW (external segment, VRID 10 VIP .254) -> vFW (FW segment) -> LB (LB segment, VRID 40 VIP .254) -> web server.]

Migration Configuration 2

Step 3: M-FW configuration, disconnect interface (communication is interrupted from this point). Step 4: vFW settings, disconnect interface.

[Diagram: the M-FW external-segment ports (Port 4 .101/.102, VRID 10 VIP .254) are disabled and the vFW LB-segment interfaces (dp0s7 .11/.12, VRID 40 VIP .254) are disconnected, which frees both VIPs for the vSRX. The M-FW keeps Port 5 and the vFW keeps dp0s4 on the FW segment; vSRX-01/02 are still unconnected.]

Disconnection time: approximately 40 minutes (measured value)

Migration Configuration 3

Step 5: vSRX configuration. 1. interface connection, 2. VRRP configuration (communication is restored).

[Diagram: vSRX-01 (Master) and vSRX-02 (Backup) are connected to the external segment with ge-0/0/1 (.101/.102, untrust zone, VRID 10 VIP .254) and to the LB segment with ge-0/0/2 (.11/.12, trust zone, VRID 40 VIP .254), taking over the VIPs previously held by the M-FW and the vFW. The M-FW (Port 5) and the vFW (dp0s4) remain attached only to the FW segment.]

Disconnection time: approximately 40 minutes (measured value)

Migration Complete Configuration

[Diagram: traffic now flows Internet-GW (external segment, VRID 1 VIP .250) -> vSRX VIP 192.168.30.254 (VRID 10, untrust zone) -> vSRX VIP 192.168.10.254 (VRID 40, trust zone) -> LB virtual servers (http-vserver 172.16.100.1, https-vserver 172.16.100.2) -> Web-server-01 172.16.10.1. The M-FW and the vFW are left attached to the FW segment 192.168.20.0/24 only and no longer carry traffic.]


Step 1 vSRX Subscription


Apply for the vSRX as described at https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/instance/create.html
After logging in to the control panel, click Cloud Computing, then "NETWORK", "Firewall" and "vSRX".

Click the "Create Firewall" button and enter the required settings under "Details" and "Interface"; enter the management IP address in the interface setting. After entering the settings, click "Create Firewall".

Apply for vSRX-02 using the same procedure.

Step 2-1 vSRX Configuration (firewall settings)

For the firewall filter settings, see https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/fwfunction/zonebase/vsrx_zonebase.html

A zone-based firewall groups interfaces into logical areas called zones. The policy for incoming packets is defined per zone pair (from-zone/to-zone), so one policy applies to every interface that belongs to the zone.

Setting up the zone-based policy requires the "Address Group Settings" (address book and address set) and the "Application Set Settings" described below.


Set up the address group as described at https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/fwfunction/zonebase/vsrx_address-set.html

Packet-filtering rules match on IP addresses, and you can give an IP address a simple name to use as a filtering condition. To group several IP addresses, create an address book entry for each address and an address set that contains those entries.

For reference, the vSRX-01 configuration values are:

user@vSRX-01# set security address-book global address CLIENT_01 180.xxx.xxx.xxx/32
user@vSRX-01# set security address-book global address-set CLIENT_GROUP address CLIENT_01
user@vSRX-01# commit


Set the application set as described at https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/fwfunction/zonebase/vsrx_application-set.html

An application can be one of the applications predefined on the vSRX or one you define and name yourself; either can be used as a packet-filtering condition. Here HTTP and HTTPS are defined explicitly and grouped into one application set.

For reference, the vSRX-01 configuration values are:

user@vSRX-01# set applications application HTTP_DEF protocol tcp destination-port 80
user@vSRX-01# set applications application HTTPS_DEF protocol tcp destination-port 443
user@vSRX-01# set applications application-set HTTP_HTTPS_DEF application HTTP_DEF
user@vSRX-01# set applications application-set HTTP_HTTPS_DEF application HTTPS_DEF
user@vSRX-01# commit

With the zone-based firewall, permit packets that originate from the address set and match the application set created above, and block all other packets.

All communication from the external segment is rejected, and only HTTP/HTTPS from the specific source (180.xxx.xxx.xxx/32) is permitted:

user@vSRX-01# set security policies from-zone untrust to-zone trust policy PERMIT_GROUP match source-address CLIENT_GROUP
user@vSRX-01# set security policies from-zone untrust to-zone trust policy PERMIT_GROUP match destination-address any
user@vSRX-01# set security policies from-zone untrust to-zone trust policy PERMIT_GROUP match application HTTP_HTTPS_DEF
user@vSRX-01# set security policies from-zone untrust to-zone trust policy PERMIT_GROUP then permit
user@vSRX-01# commit

Anything that does not match PERMIT_GROUP is dropped by the vSRX default policy (deny-all); "show security policies" prints the default policy at the top of its output. Because destination NAT is applied before the policy lookup, a policy whose destination-address is restricted to the load balancer virtual servers (172.16.100.1 and 172.16.100.2) would also match this traffic; destination-address any is kept here as the minimal equivalent of the M-FW rule.


Follow the same steps to configure the vSRX-02 firewall.

Step 2-2 vSRX Configuration (DNAT Configuration)

For the destination NAT configuration, see https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/network/nat/nat.html
After logging in to the CLI, switch from the shell to operational mode (cli) and then to configuration mode (configure).

HTTP/HTTPS communication destined for 153.xxx.xxx.xxx/32 is translated to the load balancer virtual servers (http-vserver 172.16.100.1 and https-vserver 172.16.100.2).

For reference, the vSRX-01 configuration values are listed below.

The address translation settings for reaching the load balancer virtual servers are as follows. Use the virtual server addresses shown in the configuration diagrams (172.16.100.1 for HTTP, 172.16.100.2 for HTTPS) as /32 host addresses for the pools; a pool address that does not match the virtual server sends the translated traffic to a host that does not exist.

user@vSRX-01# set security nat destination pool POOL1 address 172.16.100.1/32 port 80
user@vSRX-01# set security nat destination pool POOL2 address 172.16.100.2/32 port 443
user@vSRX-01# set security nat destination rule-set RULE1 from zone untrust
user@vSRX-01# set security nat destination rule-set RULE1 rule RULE1-1 match destination-address 153.xxx.xxx.xxx/32
user@vSRX-01# set security nat destination rule-set RULE1 rule RULE1-1 match destination-port 80
user@vSRX-01# set security nat destination rule-set RULE1 rule RULE1-1 then destination-nat pool POOL1
user@vSRX-01# set security nat destination rule-set RULE1 rule RULE1-2 match destination-address 153.xxx.xxx.xxx/32
user@vSRX-01# set security nat destination rule-set RULE1 rule RULE1-2 match destination-port 443
user@vSRX-01# set security nat destination rule-set RULE1 rule RULE1-2 then destination-nat pool POOL2
user@vSRX-01# commit


Follow the same steps to configure the vSRX-02 firewall.
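The permit/deny behaviour that Step 2-1 and Step 2-2 together produce can be checked before the 40-minute cutover. The following Python model is an added example written for this page, not NTT's or Juniper's code: it re-creates the PERMIT_GROUP policy and the RULE1 destination-NAT rule-set in plain Python, applies destination NAT before the policy lookup as the SRX does, and runs a constructed test matrix against them. The client address 180.0.2.1 and the public address 153.0.2.1 are placeholders for the masked 180.xxx.xxx.xxx and 153.xxx.xxx.xxx on the page; the pool addresses are the load balancer virtual servers 172.16.100.1 and 172.16.100.2.

```python
"""Offline model of the vSRX decision for the migrated rules (added example).

Destination NAT is evaluated before the zone policy lookup on the SRX, so the
policy sees the translated address; the model does the same. Addresses ending
in .0.2.1 are placeholders for the masked 180.xxx / 153.xxx values on the page.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Step 2-1: address set CLIENT_GROUP and application set HTTP_HTTPS_DEF
CLIENT_GROUP = [ip_network("180.0.2.1/32")]          # CLIENT_01 (placeholder address)
HTTP_HTTPS_DEF = {("tcp", 80), ("tcp", 443)}        # HTTP_DEF, HTTPS_DEF

# Step 2-2: rule-set RULE1 from zone untrust; POOL1/POOL2 are the LB virtual servers
PUBLIC_VIP = ip_address("153.0.2.1")                # placeholder for 153.xxx.xxx.xxx
DNAT_RULES = {
    (PUBLIC_VIP, 80): (ip_address("172.16.100.1"), 80),    # RULE1-1 -> POOL1 (http-vserver)
    (PUBLIC_VIP, 443): (ip_address("172.16.100.2"), 443),  # RULE1-2 -> POOL2 (https-vserver)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Decision:
    action: str            # "permit" or "deny"
    matched: str           # policy name, or "default-policy" (deny-all)
    dst_after_nat: str
    dport_after_nat: int


def destination_nat(flow: Flow) -> Flow:
    """Translate only the (address, port) pairs that RULE1 matches; leave the rest alone."""
    hit = DNAT_RULES.get((ip_address(flow.dst), flow.dport))
    if hit is None:
        return flow
    new_addr, new_port = hit
    return Flow(flow.src, str(new_addr), flow.proto, new_port)


def zone_policy(flow: Flow) -> tuple[str, str]:
    """untrust -> trust: PERMIT_GROUP (source CLIENT_GROUP, destination any,
    application HTTP_HTTPS_DEF); anything else falls to the implicit default deny."""
    src = ip_address(flow.src)
    if any(src in net for net in CLIENT_GROUP) and (flow.proto, flow.dport) in HTTP_HTTPS_DEF:
        return "permit", "PERMIT_GROUP"
    return "deny", "default-policy"


def evaluate(flow: Flow) -> Decision:
    """First-packet order that matters here: destination NAT, then policy lookup."""
    translated = destination_nat(flow)
    action, name = zone_policy(translated)
    return Decision(action, name, translated.dst, translated.dport)


# Constructed test matrix: what the M-FW rules on the pre-migration page require.
SAMPLE_FLOWS = [
    Flow("180.0.2.1", "153.0.2.1", "tcp", 80),     # permitted client, HTTP
    Flow("180.0.2.1", "153.0.2.1", "tcp", 443),    # permitted client, HTTPS
    Flow("180.0.2.1", "153.0.2.1", "tcp", 22),     # permitted client, SSH: no NAT, denied
    Flow("198.51.100.7", "153.0.2.1", "tcp", 80),  # other source: translated, then denied
]


def permitted_matrix() -> list[str]:
    """Actions for SAMPLE_FLOWS in order; expected ["permit", "permit", "deny", "deny"]."""
    return [evaluate(f).action for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        d = evaluate(f)
        print(f"{f.src} -> {f.dst}:{f.dport}  {d.action:6} via {d.matched}"
              f"  (after NAT {d.dst_after_nat}:{d.dport_after_nat})")
```

The fourth flow shows why the policy, not the NAT rule, is the security boundary: traffic from an unlisted source is still translated to the load balancer address, and only the zone policy stops it. Extend SAMPLE_FLOWS with the sources and ports of your own pre-test before running the real cutover.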


Step 3 M-FW Configuration Change (Disconnect Interface)

The M-FW interfaces are configured from the control panel; see https://ecl.ntt.com/en/documents/tutorials/security/rsts/security/operation/managed_firewall_utm/3110_interface_single.html
After logging in to the control panel, click Security, then click Operation under Managed Firewall.


Click [Cluster Port Management].


Select the target HA pair and click [Manage Interfaces]. Clicking any port number opens the same screen.


The [Manage Interfaces] screen appears; ports 2 and 3 are not shown on it. Select the port to change (Port 4, the external-segment side, in this configuration) and click [Edit].


Uncheck [Enable Port] and click [Save]. Saving on this screen does not yet apply the change to the device.


Click [Run Now] on the Manage Interfaces screen. Communication is interrupted from this point.


Clicking the [Status] or [MESSAGE] area shows the history, with the start time and progress of the [Manage Interfaces] job.


When all statuses are green, the change has been applied successfully.

Step 4 Change vFW Settings (Disconnect Interface)

Disconnect the firewall's logical network. After logging in to the control panel, click "NETWORK", then "Brocade 5600 vRouter", and select the target firewall.


On the LB-segment interface of the firewall, click "Removing Communication Settings for VRRP". This releases the VIP 192.168.10.254 (VRID 40) that the vSRX will take over in Step 5.


On the same interface, click "Disconnect Logical Network".


Disconnect the LB-segment interface of vFW-02 using the same procedure.

Step 5-1 vSRX Configuration (interface connection)

To give a vSRX interface an IP address and make it reachable, the interface and its IP address must be configured in the ECL2.0 customer portal as well as on the vSRX itself.

Apart from ge-0/0/0, vSRX interfaces do not initially belong to any zone. An interface must be placed in a zone of the zone-based firewall before it can pass traffic.

To allow traffic addressed to the interface's own IP address (ping, VRRP, management), permit that traffic under host-inbound-traffic for the zone or interface.

Configure the vSRX interface in the ECL2.0 customer portal as described at https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/instance/update.html
After logging in to the control panel, click Cloud Computing, then "NETWORK", "Firewall" and "vSRX".

Click "Edit Firewall Interface" on the target vSRX.

Open the tab of the interface to edit, check "Edit this interface", and specify the logical network to connect to and the static IP address. After entering the values, click "Edit Firewall Interface".

Be sure to check "Edit this interface"; if it is unchecked, the edits are not applied.

For reference, the vSRX-01 values are ge-0/0/1 on the external segment with 192.168.30.101/24 and ge-0/0/2 on the LB segment with 192.168.10.11/24.

Configure the vSRX interfaces from the CLI as well; see https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/basic/basic.html#vsrx-cli-ssh
After logging in to the CLI, switch from the shell to operational mode (cli) and then to configuration mode (configure).

The commands entered in the CLI are shown below. In this verification, ping is permitted under host-inbound-traffic; on the untrust interface this exposes the firewall's own address to ICMP from the untrust side, so remove it after the pre-test if it is not needed. If additional services or protocols must be allowed, see https://ecl.ntt.com/documents/tutorials/rsts/vSRX/fwfunction/zonebase/vsrx_zoneconfig.html and configure them accordingly.

user@vSRX-01# set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24
user@vSRX-01# set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
user@vSRX-01# set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24
user@vSRX-01# set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
user@vSRX-01# commit

Configure the vSRX-02 interfaces with the same steps, using its own addresses from the diagram: 192.168.30.102/24 on ge-0/0/1 and 192.168.10.12/24 on ge-0/0/2.

Step 5-2 vSRX Configuration (VRRP configuration)

Configure VRRP for the vSRX in the ECL2.0 customer portal as described at https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/network/vrrp.html

After logging in to the control panel, click Cloud Computing, then "NETWORK", "Firewall" and "vSRX".

Click "Editing Allowed Address Pairs" on the target vSRX.


Open the interface tab you want to edit and click "Add address pairs". Configure the address pair using the interface between the external segment and the FW segment. After entering the set value, click "Updating Allowed Address Pairs".

For your information, the following are the vSRX-01 configuration values:


Refer to the link below for the VRRP configuration of the vSRX using the CLI:
https://ecl.ntt.com/en/documents/tutorials/rsts/vSRX/network/vrrp.html#vrrp-vrrp

After logging in to the CLI, switch to shell command mode > operation mode > configuration mode.

After configuring VRRP for all interfaces, enter commit. For reference, the vSRX-01 configuration values are listed below.

user@vSRX-01# set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24 vrrp-group 10 virtual-address 192.168.30.254
user@vSRX-01# set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24 vrrp-group 10 priority 120
user@vSRX-01# set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24 vrrp-group 10 preempt
user@vSRX-01# set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24 vrrp-group 10 accept-data
user@vSRX-01# set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24 vrrp-group 10 advertise-interval [Any value]
user@vSRX-01# set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24 vrrp-group 40 virtual-address 192.168.10.254
user@vSRX-01# set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24 vrrp-group 40 priority 120
user@vSRX-01# set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24 vrrp-group 40 preempt
user@vSRX-01# set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24 vrrp-group 40 accept-data
user@vSRX-01# set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24 vrrp-group 40 advertise-interval [Any value]
user@vSRX-01# commit


To take advantage of the VRRP feature, VRRP packets must be permitted on the zone or interface on which you have configured VRRP in a zone-based firewall configuration.

After logging in to the CLI, switch to shell command mode > operation mode > configuration mode. Configure zone settings for all interfaces that are configured for VRRP.

For reference, the vSRX-01 configuration values are listed below.

user@vSRX-01# set security zones security-zone untrust interfaces ge-0/0/1 host-inbound-traffic protocols vrrp
user@vSRX-01# set security zones security-zone trust interfaces ge-0/0/2 host-inbound-traffic protocols vrrp
user@vSRX-01# commit
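As an added example (not part of the NTT tutorial), the following Python script reads a Junos set-style configuration and reports every interface that carries a VRRP group without VRRP being permitted as host-inbound traffic in its security zone; the sample configuration is constructed from the vSRX-01 values above, with the trust zone line deliberately left without vrrp so that the check has something to find.

```python
"""Added example (not the tutorial's own code): find interfaces that run a
VRRP group but whose security zone does not permit VRRP as host-inbound
traffic. Sample config is constructed from the tutorial's vSRX-01 values;
the trust zone line deliberately omits vrrp to show a failure."""
import re

SAMPLE_CONFIG = """
set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24 vrrp-group 10 virtual-address 192.168.30.254
set interfaces ge-0/0/1 unit 0 family inet address 192.168.30.101/24 vrrp-group 10 priority 120
set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24 vrrp-group 40 virtual-address 192.168.10.254
set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.11/24 vrrp-group 40 priority 120
set security zones security-zone untrust interfaces ge-0/0/1 host-inbound-traffic protocols vrrp
set security zones security-zone trust interfaces ge-0/0/2 host-inbound-traffic protocols ospf
"""

VRRP_IFACE = re.compile(r"^set interfaces (\S+) unit (\d+) .* vrrp-group (\d+)")
ZONE_PROTO = re.compile(r"^set security zones security-zone \S+ interfaces (\S+) "
                        r"host-inbound-traffic protocols (\S+)$")

def vrrp_interfaces(config):
    """Map logical interface (e.g. 'ge-0/0/1.0') -> set of VRRP group ids."""
    found = {}
    for line in config.splitlines():
        m = VRRP_IFACE.match(line.strip())
        if m:
            found.setdefault(f"{m.group(1)}.{m.group(2)}", set()).add(int(m.group(3)))
    return found

def zone_vrrp_allowed(config):
    """Map zone-bound interface name -> True if vrrp (or all) is allowed inbound."""
    allowed = {}
    for line in config.splitlines():
        m = ZONE_PROTO.match(line.strip())
        if m:
            iface, proto = m.group(1), m.group(2)
            allowed[iface] = allowed.get(iface, False) or proto in ("vrrp", "all")
    return allowed

def missing_vrrp_permits(config):
    """Logical interfaces running VRRP whose zone drops inbound VRRP; with the
    advertisements dropped, both nodes may end up claiming master."""
    allowed = zone_vrrp_allowed(config)
    missing = []
    for iface in sorted(vrrp_interfaces(config)):
        physical = iface.rsplit(".", 1)[0]  # zone may bind 'ge-0/0/1' or 'ge-0/0/1.0'
        if not (allowed.get(iface) or allowed.get(physical)):
            missing.append(iface)
    return missing
```

Run it against the output of "show configuration | display set" from each vSRX before commit to catch the zone that was forgotten.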

Once the VRRP configuration is complete, communication is restored.

You can verify the VRRP state of vSRX-01 with the following command:

user@vSRX-01> show vrrp
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  1.151 lcl    192.168.30.101
                                                                vip    192.168.30.254
ge-0/0/2.0    up             40   master   Active      A  1.183 lcl    192.168.10.11
                                                                vip    192.168.10.254
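The state check described above, as an added Python example that is not the tutorial's own code: it parses the text of show vrrp (the sample is constructed from the vSRX-01 output above) and reports any group that is down, in a role other than the one expected on this node, or without a virtual address.

```python
"""Added example (not the tutorial's own code): parse Junos 'show vrrp' text
and verify each VRRP group is in the role expected on this node.
The sample output is constructed from the tutorial's vSRX-01 values."""
import re

SAMPLE_SHOW_VRRP = """\
Interface     State       Group   VR state VR Mode   Timer    Type   Address
ge-0/0/1.0    up             10   master   Active      A  1.151 lcl    192.168.30.101
                                                                vip    192.168.30.254
ge-0/0/2.0    up             40   master   Active      A  1.183 lcl    192.168.10.11
                                                                vip    192.168.10.254
"""

# One row per group: interface, state, group, VR state, VR mode, timer type, timer, lcl address
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S)\s+([\d.]+)\s+lcl\s+(\S+)$")
VIP = re.compile(r"^\s+vip\s+(\S+)$")  # continuation line carrying the virtual address

def parse_show_vrrp(text):
    """Return a list of dicts, one per VRRP group, with its VIPs attached."""
    groups = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            groups.append({"interface": m.group(1), "state": m.group(2),
                           "group": int(m.group(3)), "vr_state": m.group(4),
                           "local": m.group(8), "vips": []})
            continue
        m = VIP.match(line)
        if m and groups:
            groups[-1]["vips"].append(m.group(1))
    return groups

def vrrp_problems(text, expected_role):
    """Describe groups that are down, in the wrong role, or missing a VIP.
    expected_role is 'master' on the node with the higher priority, else 'backup'."""
    problems = []
    for g in parse_show_vrrp(text):
        label = f"{g['interface']} group {g['group']}"
        if g["state"] != "up":
            problems.append(f"{label}: interface {g['state']}")
        if g["vr_state"] != expected_role:
            problems.append(f"{label}: {g['vr_state']}, expected {expected_role}")
        if not g["vips"]:
            problems.append(f"{label}: no virtual address")
    return problems
```

Running the same check on vSRX-02 with expected_role set to "backup" confirms that both nodes are not claiming master at the same time.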


Use the same procedure to configure VRRP on the vSRX-02.
