1 2 Previous Next 14 Replies Latest reply on Oct 27, 2016 1:50 AM by Troja

    MWG 7.3 HA-Solution / Inteface Teaming

    mcafee-com-user

      Hello,

       

      we are currently running MWG6.9 and plan to upgrade to MWG7.3.

       

      We are using a high available system, two MWGs in cluster mode.

       

      Both are connected with 2 NICs to internal network and 2 NICs to external network.

       

      Here we use interface bonding to have a ha solution. Even if one switch wents down the system is still operating.

       

      As far as I know MWG7.3 does not support interface bonding. So how can a ha solution be implemented?

       

      If the extenal link is broken will the MWG stop working and do not accept traffic from internal network anymore?

       

      Best regards.

        • 1. Re: MWG 7.3 HA-Solution / Inteface Teaming
          georgec

          I don't think the mwg can block traffic if the external interface is down.

          You can use only one interface on both of them for incoming and outgoing traffic, set up a cluster, then proxy HA and use the virtual IP. If one of them goes down, the other one takes the virtual ip.

          • 2. Re: MWG 7.3 HA-Solution / Inteface Teaming
            mcafee-com-user

            I think this should not be the solution in the firewall network. We use whenever it is possible explicit NICs for internal and external network. The MWG 5000 box has enough NICs and the feature interface teaming is avaible in MWG6.x so why it is not implemented in MWG7?

             

            Hopefully one of the McAfeee support staff can give an answer or tell how other customers solved this problem.

            • 3. Re: MWG 7.3 HA-Solution / Inteface Teaming
              asabban

              Hello,

               

              it is correct that interface bonding/teaming was available in 6.x but is not (yet) in 7.x. I cannot comment on the reasons since I do not make the plans. Generally bonding does not seem to be a widely used feature, maybe other features had more visibility.

               

              Generally bonding can be configured and can work, but it is not part of the GUI and must be setup on the command line, which is not officially supported I think.

               

              I think I have seen customers who have configured the bonding interface manually, maybe one of them is here and can share some experience.

               

              George is right about the point that the HA module is currently not able to detect if the internet is reachable. The HA will assume any node that has the proxy port listening and accepting requests as alive and will shift traffic to this device. I think the HA intention is to make sure that a client who requests internet access can always reach an MWG. MWG could be configured to speak to various next-hop proxies or to a next-hop which hides behind a virtual IP or a router that can switch the traffic accordingly if the internet becomes unavailable but currently MWG is not able to do so.

               

              Best,

              Andre

              • 4. Re: MWG 7.3 HA-Solution / Inteface Teaming
                mcafee-com-user

                Hi Andre,

                 

                thanks for answering. But I don´t understand how it should help if next-hop is a virtual (redundant) IP. In our installation next network hop is a redundant firewall. When external link of MWG is broken the system cannot reach the redundant firewall anymore...or is there a misunderstanding on my side.

                 

                You can see our installation in attached network graphics.

                 

                on 26.10.12 07:23:09 MESZ
                • 5. Re: MWG 7.3 HA-Solution / Inteface Teaming
                  asabban

                  Ah I think I understood. Is it correct that you would like two have something like 2x2 NICs teamed, so you have bond0 for incoming connections and bond1 for outgoing connections, to keep network connectivity in case a switch dies?

                   

                  In this case I agree, this is currently not possible without dealing with the shell on MWG7. I am not sure how other customers implemented this, since I do not see many customer installations. What could be possible is a smart load balancer in front of the MWGs which can check on application level whether the proxy is alive and in case of any hardware outage switch to a different MWG connected to a different network segment.

                   

                  In the second picture you provided this would mean that the internal firewall notice that they cannot talk to the internet, and route all traffic through the other switch/network.

                   

                  But that is a.) just a theory about how it could look and b.) not what you want. I also think that many customers rely on NICs/cables/switches not failing, since I have seen a couple of support cases during my time in support where customers reported MWG misbehaving and it finally turned out to be broken network equipment. NICs actually do not fail very often, but switches do.

                   

                  I don´t think I have an idea that would solve your requirement without having bonding/teaming in the product or spending money on additional equipment. I would recommend to talk to your Sales representative to have a statement from product management about  1.) why it is not present (just for information, it actually won´t change that it´s not present) and 2.) when it will be available.

                   

                  In case you have a test environment and would like to setup bonding manually please let me know. Maybe you can get a statement that a manually setup of bonding interfaces is supported, in this case we just lack the GUI part, which is something you could probably live with in the meantime. Unfortunately I can´t give you this statement :-(

                   

                  Best,

                  Andre

                  • 6. Re: MWG 7.3 HA-Solution / Inteface Teaming
                    mcafee-com-user

                    Hi Andre,

                     

                    the first picture shows our solution now with MWG6.9, here we use 2x2 NICs teamed as bond0 and bond1. This is working fine.

                     

                    The second picture shows the solution with MWG7.3 without interface teaming and the SPOF when external link is broken.

                     

                    So there seems do be no option that could satisfy us as far as I can see:

                     

                    1) Use only one nic for internal and external traffic is undesired

                    2) Putiing a pair of load balancers in front of the MWGs is unneeded overhead

                    3) Living with the risk one switch dies is not acceptable

                    4) Configure bonding on the shell which may not be supported by McAfee

                    5) Buying a Webgateway of another vendor is not possible, coz we have a contract till mid 2015 and cannot spend money again for a system we already paid for

                    6) We could stay using MWG6.9 till mid 2015 and McAfee has to extend support for this old version => This is our preferred solution, so we do not have to migrate and can ues a stable system till we buy a new one which has feature interface bonding.

                     

                    Another idea could be to monitor external interface and if its going down shut down internal interface or just stop MWG process. This should be possible to realize when having some extended experience in linux OS.

                     

                    Maybe some other users of MWG7.x can tell how they solved this problem?

                     

                    on 26.10.12 09:48:20 MESZ
                    • 7. Re: MWG 7.3 HA-Solution / Inteface Teaming
                      asabban

                      Hello,

                       

                      I definitely understand your points, therefore I recomment to escalate the issues you have to your sales contact. This is the best chance to raise awareness of your problems, which means that it is possible to officially discuss the best option for you, explain what other customers do and when - if possible - adjustments to the product can be made to suit your requirements.

                       

                      A script which checks and shuts down the MWG process (or more simple, adds an iptables rule that closes the port) should not be a big problem. If this is helpful I can send you some example lines which you can use to start.

                       

                      Best,

                      Andre

                      • 8. Re: MWG 7.3 HA-Solution / Interface Teaming
                        mcafee-com-user

                        Hi Andre,

                         

                        yes, please send me an example script for interface monitoring. This would be very helpful.

                         

                        I will also send a link to this discussion to the company which implemented the solution on our side and which will have to do the upgrade to MWG7.x. too.

                        So they can talk to McAfee sales and put a feature request.

                         

                        My intention of this discussion was to see how other users deal with the situation bonding is not available in MWG7.x, which is in my opinion a step backward comparing version 6.x.

                         

                        We use some hundred servers in our environment (HP hardware with MS Windows OS) and since about 15 years every system uses interface teaming....so wondering why a new developed system like MWG7.x does not have this feature implemented.

                         

                        Best regards and thanks for your answers!

                         

                        on 26.10.12 10:17:06 MESZ
                        • 9. Re: MWG 7.3 HA-Solution / Interface Teaming
                          asabban

                          Hello,

                           

                          can you send me your eMail address in a PM? I will send you some lines of script by eMail which you can adopt.

                           

                          I hope some other customers can post their setup/experience. I have seen some customers requiring teaming, but actually not many customers seem to do it. I personally would probably use it as well and I can well understand that it is "common practice" in your company. I guess there were reasons why teaming fell off the list of features to have, but I don´t know.

                           

                          I am sure we will find a solution from the Sales perspective. Until we got a solution we could work with a script as a temporary workaround.

                           

                          Best,

                          Andre

                          1 2 Previous Next