Firewall Failover Using Nokia Firewalls and VRRP

Network Description: Two network designs using Nokia firewalls and VRRP are presented. One simply provides firewall failover, while the other provides full HA.
Author: Jason Mogavero
Details: VRRP needs to be enabled on both firewalls, and address space needs to be assigned for the backup IP address. Functionally this works the same as HSRP: each interface has its own IP address, and a third address represents the cluster as a whole. Keep in mind that this is a primary/secondary setup rather than a load balancer, so the secondary firewall will see no use unless the primary fails. This is accomplished using a priority rating on each interface and a delta for each rating.

In each configuration, the master will have a priority of 100 on each VRRP-enabled interface, with a delta of 25. This means that if there is a link failure on any one of the monitored interfaces, the priority will be reduced by the amount of the delta, changing the master priority to 75. The backup firewall has a priority of 90, so on master failure the priority-90 backup takes over the master state and becomes the functional firewall. This takes place in a span of milliseconds and is seamless to the user and to the rest of the network (remember that each interface has a virtual IP that is addressed as if it were the firewall).

Here are some sample VRRP configurations for each firewall (pretend the 10.x.x.x and 172.16.x.x addresses are publicly routable):

Primary Firewall:

    Interface1 (10.1.1.1):
        Mode Monitored Circuit (choose this over VRRPv2)
        Virtual Router 110 (this is arbitrary as long as it's the same for each firewall's interface)
        Priority 100, Delta 25
        Backup Address 10.1.1.3
        Monitor Interface Int2 and Int3, Delta 25 (add both of the other interfaces to the monitor list with a delta of 25. This watches the link state on each listed interface and lowers the priority by the delta if connectivity is lost on any of them)
        Authentication simple password (make sure this is the same for each interface on each firewall)

    Interface2 (172.16.1.1):
        Mode Monitored Circuit
        Virtual Router 115
        Priority 100, Delta 25
        Backup Address 172.16.1.3
        Monitor Interface Int1 and Int3, Delta 25
        Authentication simple password

    Interface3 (192.168.1.1):
        Mode Monitored Circuit
        Virtual Router 120
        Priority 100, Delta 25
        Backup Address 192.168.1.3
        Monitor Interface Int1 and Int2, Delta 25
        Authentication simple password

Secondary Firewall:

    Interface1 (10.1.1.2):
        Mode Monitored Circuit
        Virtual Router 110
        Priority 90, Delta 25
        Backup Address 10.1.1.3
        Monitor Interface Int2 and Int3, Delta 25
        Authentication simple password

    Interface2 (172.16.1.2):
        Mode Monitored Circuit
        Virtual Router 115
        Priority 90, Delta 25
        Backup Address 172.16.1.3
        Monitor Interface Int1 and Int3, Delta 25
        Authentication simple password

    Interface3 (192.168.1.2):
        Mode Monitored Circuit
        Virtual Router 120
        Priority 90, Delta 25
        Backup Address 192.168.1.3
        Monitor Interface Int1 and Int2, Delta 25
        Authentication simple password
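As an added example (not the article's own configuration or code), the following Python models the Monitored Circuit priority arithmetic described above for the two firewalls exactly as listed, and checks what a practitioner wants to verify before trusting failover: that the backup address matches on both firewalls for each VRID, that the primary outranks the secondary, and that one lost link (delta 25) really drops the master below the backup's 90. The interface names Int1 to Int3, the VRIDs 110/115/120 and the backup addresses are the article's; the function and class names are assumptions of this example.

```python
# Added example (not the article's own config): models the Monitored Circuit priority math above.
from dataclasses import dataclass

@dataclass
class VrrpIface:
    name: str          # e.g. "Int1"
    vrid: int          # Virtual Router id, must match on both firewalls
    backup_addr: str   # virtual IP the rest of the network addresses
    priority: int      # 100 on the primary, 90 on the secondary
    delta: int         # subtracted for every monitored interface that loses link
    monitors: tuple    # the other interfaces on the Monitor Interface list

def effective_priority(iface, down):
    """Priority advertised once the interfaces named in `down` have lost link."""
    if iface.name in down:        # a dead interface advertises nothing at all
        return 0
    lost = sum(1 for m in iface.monitors if m in down)
    return max(iface.priority - lost * iface.delta, 0)

def master_for(vrid, primary, secondary, primary_down=(), secondary_down=()):
    """Which firewall holds the virtual IP for this VRID (highest priority wins).
    With the article's values a tie is impossible, so the RFC tie-break is omitted."""
    p = effective_priority(primary[vrid], primary_down)
    s = effective_priority(secondary[vrid], secondary_down)
    if p == 0 and s == 0:
        return None               # both interfaces dead: nobody answers for the VIP
    return "primary" if p > s else "secondary"

def check_cluster(primary, secondary):
    """Misconfigurations that silently defeat failover."""
    problems = []
    for vrid, p in primary.items():
        s = secondary[vrid]
        if p.backup_addr != s.backup_addr:
            problems.append(f"VRID {vrid}: backup address differs between firewalls")
        if p.priority <= s.priority:
            problems.append(f"VRID {vrid}: secondary would preempt in normal operation")
        if p.priority - p.delta >= s.priority:  # one lost link must drop below the backup
            problems.append(f"VRID {vrid}: delta {p.delta} too small to trigger failover")
    return problems

def build(priority, delta=25):
    """One firewall's three interfaces exactly as listed in the article."""
    return {
        110: VrrpIface("Int1", 110, "10.1.1.3", priority, delta, ("Int2", "Int3")),
        115: VrrpIface("Int2", 115, "172.16.1.3", priority, delta, ("Int1", "Int3")),
        120: VrrpIface("Int3", 120, "192.168.1.3", priority, delta, ("Int1", "Int2")),
    }

PRIMARY, SECONDARY = build(100), build(90)
```

Because every interface monitors the other two, a single lost link on the primary moves all three virtual IPs to the secondary at once, which is what keeps traffic from being split across the two firewalls.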


Once these configurations are in place, there are a few things to keep in mind. First, there will need to be a rule in the policy allowing VRRP multicast traffic between the firewalls. This is network 224.0.0.18 with a 32-bit subnet mask (255.255.255.255). There should already be an object defined for the service by default in the rulebase. Next, for pushing rulebases out to the firewalls, make sure you have a group that contains the real IPs of the firewalls in the cluster and that they both get the policy. Finally, remember that all other network devices should address the VRRP virtual IP, never a firewall itself; otherwise having failover is a moot point.


Standard HA Firewall:

Two Nokia IP440s are used here, though you could just as easily use any model as long as at least 3 Ethernet ports are present. The external interfaces of the firewalls plug into a switch which is connected to the Internet router (not shown in the diagram). The internal and DMZ interfaces go to separate VLANs on another switch. The DMZ VLAN is configured to use publicly routable IP addresses, and the office VLAN is configured for private network addressing per RFC 1918. You could use private address space in the DMZ and static NAT at the firewall, but this is no more secure than using public addresses and adds unnecessary load to the firewall.

The thing to keep in mind with this design is that it's not a very good idea: you're introducing several single points of failure, and it's here more as an example of how NOT to implement high availability. However, coming from a managed service environment, I've seen this done countless times, and want to show by example why this is a bad idea.

Diagram: vrrp-ha.jpg

Fully redundant HA firewall and network:

The firewall configurations will be identical to the Standard HA design, but this network eliminates all single points of failure. There are two ISPs running from two separate backbones coming in, and the Internet routers from them are connected both to each firewall and to each other, running BGP for dynamic routing. To accommodate this on the firewalls, you'll need two default gateways with different priorities assigned. The routers are connected so that if one ISP link goes down, BGP will route outbound traffic to the other router and out to the other ISP. The router connected to the ISP that went down would still show as up to the firewall, so the weighted default route wouldn't take effect here, as the firewall could still route to the higher-priority gateway.

Behind the firewall, there are two switches, each segmented into 2 VLANs. The VLANs on each switch will be configured to use the same subnet as the same VLAN on the other switch. The DMZ runs off VLAN1 and the office LAN from VLAN2. Interface 2 on each firewall runs to the DMZ (VLAN1 on either switch) and Interface 3 goes to the office VLANs. You can cross-connect the switches, run a crossover between VLANs, or dual-home each server in the DMZ to each VLAN, depending on your environment. The office network, depending on its size, will probably sit behind a router which can be dual-homed to VLAN2 on both switches. Of course, at this point you're introducing a single point of failure, but it's no longer cost effective to devote this much resource to non-mission-critical systems.

Traffic between VLANs (such as management of the DMZ web servers) will need to be routed through the firewall, so a rule will need to be in place to allow for this as well.

Diagram: vrrp-ha-super.jpg