Because the procedure is now based on a wizard in the GUI, I haven't checked to see how well it is documented in the administration guide. But since version 7 it is not very difficult.
The two appliances must be running the same version of code and same number of configured interfaces. The burbs/zones must also be created in the same order on both appliances. You can see the ID number in the burb/zone configuration screen, or you can run the command "region" from the command line.
Run the cluster configuration wizard on the first Firewall to turn it into a 1-node cluster member - part of this involves assigning the cluster IP addresses (the shared addresses for each burb/zone which are used by the active Firewall in the cluster). A "High Availability" section appears in the GUI and you configure the details for the second member. Most of the defaul values will work (I've never really had to change anything) and the only real decision you need to make is whether to operate the cluster in master/slave mode or peer-to-peer mode.
Now go to the second appliance. If it is a brand new box, run the set-up wizard and configure the basic network configuration details. Install outstanding patches and configure the interfaces & burbs/zones so that the second appliance has the same number of interfaces and burb/zones as the primary. Having connected the two heartbeat interfaces togather, run the cluster wizard on the second appliance and enter the same details as you did when configuring the first box. At the end of the wizard, the two Firewalls will communicate over the heartbeat interface, the configuration is transferred and (with luck) you should have a working cluster.
Looking at the v8.2 Adminsitration Guide, chapter 31 (pages 561-580) the configuration process is covered from start to finish.
Hope that helps.
Thank you Phil your information is very ilustrative.
I've a couple of questions.
We are migrating from another firewall vendor to McAfee Sidewinder. In order to have the whole objects, rules and the whole security database from the external firewall vendor translated to McAfee firewall format, we installed MFE on a virtual machine and we were working with input files to be loaded with the cf -f objects.txt, cf -f netgroup.txt ... cf -f rules.txt and so on... in order to have the whole objects, rules, etc... into the McAfee firewall to replicate the whole security policy from the another firewall vendor which is going to be replaced.
Now, I have the whole policy in McAfee format, whit the whole objects, application, services, networks, etc.
My question is:
Can I ?
1.- create a backup file from the virtual machine.
2.- import the backup file in one HA cluster member, lets say the primary HA member.
3.- Finally proceed to create the HA firewall as per your recommendation,
Obviously I must have the same firewall version on the virtual machine and the same version on the MFE HA members.
Do I need to start to work again with the input files to create the objects in the McAfee Data
We are migrating from CheckPoint version 70.20
Please let me know.
In theory your plan should work. I have not yet done this exercise with either a virtual machine or version 8, but you can take a configuration backup from one MFE installation and restore it to another - as long as the destination appliance is running the same version of code as the source machine.
The only remediation work you may need to do is to re-configure the network interfaces. In older versions the interface references (em0, if1, exp2, etc...) would change if you were going from a model 'E' to a model 'F' appliance (as an example) because they may contain interfaces from different vendors and when restoring the backup the network configuration may not match on the two appliances. Not a major issue, but you basically have to re-configured the network interface settings and re-assign them to the correct zone/burb.
In version 8 it looks as though McAfee has started to standardize the network references (1-0, 1-1, 1-2 etc...) so you may well find that if the interfaces on your virtual machine are referred to in this way you should be able to backup and restore without needing to make these changes. What ever way, it isn't a major exercise.
The only other thing which will be different is the licensing details. The restored configuration will contain the serial number assigned to the virtual machine, but the appliance will have its own serial number. So once the configuration has been restored, go to the Licensing screen, re-enter the correct serial number for the appliance and re-activate it. From here you should be able to check that everything is correctly configured and you can then look at creating the cluster.
Hope that helps.
Phil, again, thank you very much... I will share how it works, thanks for your help and support !
Great answers and comments make me feel confy
With the best !
Phil, I got news from you... .do you work for McAfee ? ....
No - I work for a reseller in the UK. But I have worked with the product for a number of years.
Ok. I understand, tomorrow I will post the whole information that I have regarding to this post... it is 4AM in the mornng thanks for your help....
Just to let you know I could not be able to get it worked with a backup in order to have the whole objects, and trying to import, I had an issue with the interfaces. but the HA worked ok...
See you friend, be back to you in a couple of days it is 4 am here .
With the best !