
Firewall Failover question


Hi,

This is the scenario.

MFE 8.3

HA+LS

FW01. Traffic flowing +  VPN

FW02. Traffic flowing

I would like to move the VPNs to FW02, so is there any way to change this role from the command line?

Thank you!


10 Replies
mtuma (Level 13), Message 2 of 11

Re: Firewall Failover question

Hello,

The only way to accomplish this is to reboot FW01, which will make FW02 the primary.

Is there a specific reason that you are looking to do this?

-Matt

Re: Firewall Failover question

Actually this is a question for Mtuma and not a suggestion for Alex.

Is there any cf command that could force the failover?

I have in the past disabled an interface that was not important and forced a failover, or in my test firewalls I have also pulled the cable to the interface. I was advised by McAfee not to do this for the heartbeat interfaces, for obvious reasons.

sliedl (Level 14), Message 4 of 11 (accepted solution)

Re: Firewall Failover question

Run 'cf failover stop' on the primary.  You'll need to reboot it to get it to join back into the pair.

Re: Firewall Failover question

Alex is using a HA+LS cluster, however. It would fail over with the disconnection of an interface that is being monitored and fail back using the same method, right?

I am not usually one for rebooting a firewall that for all purposes is technically operational and can fail over and back easily. In my test firewalls it takes about 4 seconds to fail over and 10-15 seconds for the policies to sync. This can be viewed with 'cf cluster status'; keep running the command a few times and you can see the policy sync.
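The reply above measures failover and policy-sync time by re-running 'cf cluster status' by hand. The script below is an added example, not code from the thread or from McAfee: a small POSIX shell helper that re-runs a status command at a fixed interval, logs each time the output changes, and reports how many seconds the previous state lasted, so the "4 seconds to fail over, 10-15 seconds to sync" numbers can be recorded rather than eyeballed. It assumes only that the status command's output changes when the role or sync state changes; nothing about the real output format of 'cf cluster status' is assumed, and the `fake_cluster_status` function is a constructed stand-in so the example runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): time state transitions of a status command.
# Assumption: the command's output changes when the cluster role or policy sync
# state changes. No specific output format of 'cf cluster status' is assumed.

# poll_transitions CMD INTERVAL MAX_POLLS
#   Evaluates CMD in this shell MAX_POLLS times, INTERVAL seconds apart.
#   Whenever the output differs from the previous poll, logs the new output to
#   stderr with a wall-clock stamp and the seconds since the previous change.
#   Echoes the number of distinct states observed on stdout.
poll_transitions() {
    cmd=$1; interval=${2:-1}; max=${3:-30}
    prev=; n=0; states=0; last=$(date +%s)
    while [ "$n" -lt "$max" ]; do
        out=$(eval "$cmd" 2>&1)
        now=$(date +%s)
        if [ "$n" -eq 0 ] || [ "$out" != "$prev" ]; then
            states=$((states + 1))
            printf '[%s] (+%ss) state %s:\n%s\n' \
                "$(date +%H:%M:%S)" "$((now - last))" "$states" "$out" >&2
            last=$now
            prev=$out
        fi
        n=$((n + 1))
        if [ "$n" -lt "$max" ]; then
            sleep "$interval"
        fi
    done
    echo "$states"
}

# fake_cluster_status: constructed stand-in for the appliance command so the
# example runs offline. It answers "primary" for the first two calls and
# "secondary" afterwards, using a counter kept in a temp file.
FAKE_COUNTER=$(mktemp)
echo 0 > "$FAKE_COUNTER"
fake_cluster_status() {
    c=$(cat "$FAKE_COUNTER"); c=$((c + 1)); echo "$c" > "$FAKE_COUNTER"
    if [ "$c" -le 2 ]; then
        echo "role: primary   policy: in sync"      # constructed text
    else
        echo "role: secondary policy: syncing"      # constructed text
    fi
}

# On the appliance the call would be: poll_transitions 'cf cluster status' 1 60
# Here the fake is polled five times with no delay; two distinct states are seen.
poll_transitions fake_cluster_status 0 5
```

Run it on the appliance as `poll_transitions 'cf cluster status' 1 60` from the moment you trigger the failover; the stderr log then gives one line per state change with the elapsed seconds, which is the number you want when comparing failover against policy-sync time.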

mtuma (Level 13), Message 6 of 11

Re: Firewall Failover question

You are correct.

Technically, if an interface fails or is disabled, then a failover should occur, as that firewall is not in a good state. Re-enabling the interface should then put the firewall back into a good state, and it should rejoin the cluster, this time as the secondary in HALS.

-Matt

Re: Firewall Failover question

Thanks for that confirmation. I see that the methods posted before are the McAfee-supported methods, however.

Re: Firewall Failover question

As described to me, this was the beauty of the LSHA cluster. And it worked, and a smile was on my face, and the sun shined a bit brighter that day.

sliedl (Level 14), Message 9 of 11

Re: Firewall Failover question

You can use 'cf cluster softshutdown' in an LSHA cluster to get that member to stop accepting new connections and finish with the ones it is working on now.  That is a good way to get one firewall to take over.  You must then reboot the member that softshutdown was run on to get it back into the pair.

sliedl (Level 14), Message 10 of 11

Re: Firewall Failover question

I guess 'cf fail stop' is no longer there at v8. You need to shut down or reboot the primary to get it to fail over. You would have to reboot it anyway if you ran 'cf fail stop' at v7.
