1050 Views 10 Replies Latest reply: Aug 21, 2013 10:37 AM by alex_vani
alex_vani Newcomer 31 posts since
Mar 24, 2013

Jul 25, 2013 10:58 AM

Firewall Failover question

Hi,

This is the scenario.

MFE 8.3

HA+LS

FW01. Traffic flowing + VPN

FW02. Traffic flowing

I would like to move the VPNs to FW02, so is there any way to change this role from the command line?

Thank you!

  • mtuma McAfee SME 313 posts since
    Nov 3, 2009
    1. Jul 25, 2013 11:00 AM (in response to alex_vani)
    Re: Firewall Failover question

    Hello,

    The only way to accomplish this is to reboot FW01, which will make FW02 the primary.

    Is there a specific reason that you are looking to do this?

    -Matt

  • squidikus Newcomer 35 posts since
    Jul 12, 2013
    2. Jul 26, 2013 12:07 PM (in response to mtuma)
    Re: Firewall Failover question

    Actually this is a question for Mtuma and not a suggestion for Alex.

    Is there any cf command that could force the failover?

    I have in the past disabled an interface that was non-important and forced a failover, or in my test firewalls I have also pulled the cable to the interface. I was advised by McAfee not to do this for the heartbeat interfaces for obvious reasons.

  • sliedl McAfee SME 536 posts since
    Nov 3, 2009
    3. Jul 26, 2013 12:12 PM (in response to squidikus)
    Re: Firewall Failover question

    Run 'cf failover stop' on the primary. You'll need to reboot it to get it to join back into the pair.

  • sliedl McAfee SME 536 posts since
    Nov 3, 2009
    4. Jul 26, 2013 12:16 PM (in response to squidikus)
    Re: Firewall Failover question

    I guess 'cf fail stop' is no longer there at v8. You need to shutdown or reboot the primary to get it to fail over. You would have to reboot it anyway if you ran 'cf fail stop' at v7.

  • squidikus Newcomer 35 posts since
    Jul 12, 2013
    5. Jul 26, 2013 12:22 PM (in response to sliedl)
    Re: Firewall Failover question

    Alex is using an HA+LS cluster, however. It would fail over with the disconnection of an interface that is being monitored and fail back using the same method, right?

    I am not usually one for the rebooting of a firewall that for all purposes is technically operational and can fail over and back easily. In my test firewalls it takes about 4 seconds to fail over and 10-15 seconds for the policies to sync. This can be viewed with 'cf cluster status'; keep running the command a few times and you can see the policy sync.

  • mtuma McAfee SME 313 posts since
    Nov 3, 2009
    6. Jul 26, 2013 12:23 PM (in response to squidikus)
    Re: Firewall Failover question

    You are correct.

    Technically, if an interface fails or is disabled then a failover should occur, as that firewall is not in a good state. Then re-enabling the interface should put the firewall back into a good state and it should re-join the cluster, this time as the secondary in HALS.

    -Matt

  • squidikus Newcomer 35 posts since
    Jul 12, 2013
    7. Jul 26, 2013 12:24 PM (in response to squidikus)
    Re: Firewall Failover question

    As it was described to me, this was the beauty of the LSHA cluster. And it worked, and a smile was on my face, and the sun shined a bit brighter that day.

  • sliedl McAfee SME 536 posts since
    Nov 3, 2009
    8. Jul 26, 2013 12:25 PM (in response to squidikus)
    Re: Firewall Failover question

    You can use 'cf cluster softshutdown' in an LSHA cluster to get that member to stop accepting new connections and finish with the ones it is working on now. That is a good way to get one firewall to take over. You must then reboot the member that softshutdown was run on to get it back into the pair.

  • squidikus Newcomer 35 posts since
    Jul 12, 2013
    9. Jul 26, 2013 12:26 PM (in response to mtuma)
    Re: Firewall Failover question

    Thanks for that confirmation. I see that the methods posted before are the McAfee-supported methods, however.
