SRX


SRX5800 in cluster mode with UTM

  • 1.  SRX5800 in cluster mode with UTM

    Posted 08-19-2019 03:50

    Good day, I require some clarity. According to Juniper online information, active/active with UTM does not support EWF. So what does this exactly mean? Currently I have an SRX5800 cluster running in active/passive mode with UTM enabled. Both devices are licensed, of course. So theoretically, when I fail the entire cluster from the primary to the secondary, the cluster is still active/passive but just the other way around, so UTM should still function, right? (rhetorical). Keep in mind that the traffic will always pass through the same dataplane depending on where the RG group is active; there is no possibility for Z-type traffic, as both LAN and WAN interfaces are always in the same group. So if we have to reset the scenario back to node0 active / node1 passive, UTM will work. Now if I create new interfaces and new zones and new policies etc., but these interfaces will now be active on the secondary FW's dataplane and stay local to that firewall, it becomes an active/active setup; however, the original traffic is still local to node 0. Will UTM now stop working across the entire box, even if the UTM policy is only configured for the traffic local to node0, as it always was?



  • 2.  RE: SRX5800 in cluster mode with UTM

    Posted 08-19-2019 04:13

    Hi MFB,

     

    As per the Juniper documentation(https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-configuring-utm-for-chassis-cluster.html#id-understanding-utm-support-for-activebackup-chassis-cluster), the UTM is not supported for active/active chassis cluster configuration.

     

    This means the Ingress and Egress interface should be active on only one Node. Also, it seems like even though RG0 is active on Node 0 and RG1 is active on Node 1, the UTM is unsupported.

     

    [Answer Edited]

     

    I had a chance to look into some Internal documents and the below has been tested in the lab as well.

     

    • In order to make the UTM work, both the interfaces have to be active on only one Node.
    • You can have multiple data plane groups(RG1+). But even if you have an additional RG1+ group without any interface associated with it and if failover is initiated to the other Node, it is not supported.
    • So, it is suggested to have only two redundancy groups RG0 and RG1 active only on either Node 0 or Node 1 while using UTM.

    Please feel free to reach out to me if you require more explanation.

     



  • 3.  RE: SRX5800 in cluster mode with UTM

    Posted 08-19-2019 04:58

    Thanks for the feedback, but this is what it will basically look like. LAN and WAN will be in RG1, and the other side's LAN and WAN will be in RG2. Traffic will always be local to that dataplane, in and out. I only need UTM to work on the one side.



  • 4.  RE: SRX5800 in cluster mode with UTM

    Posted 08-19-2019 05:27

    MFB,

     

    I'm afraid that UTM is unsupported in your setup. As per the document, it states that Active/Active is not supported, and it's also the case where there is more than one data-plane redundancy group, i.e. redundancy groups 1 and higher.

     

    Are you facing the issue, or are you yet to implement the UTM feature?



  • 5.  RE: SRX5800 in cluster mode with UTM

    Posted 08-19-2019 06:09

    Hi. Well, currently it is running as active/passive with UTM, but now there is a requirement to have some traffic localized on the secondary firewall, with no need for UTM, just conventional security policies on that traffic. I find it really stupid that in this configuration scenario it will cease to work, only because I am adding an additional group that will handle completely different traffic on the other node. So if I had this deployment that is currently working, as soon as I move RG2 to the other side, UTM stops working overall at the moment I move it, and then stops working from there on, even if it is applied to different traffic. Once I move RG2 back, it starts working again for completely other traffic. You said you will be able to test this, but it would take you some time; let me know the outcome, I would like to see how this actually really will behave. This seems to be only a problem on the high-end devices.



  • 6.  RE: SRX5800 in cluster mode with UTM
    Best Answer

    Posted 09-01-2019 06:20

    Hi MFB,

     

    Well, it's been 2 weeks; however, I had the chance to test the UTM behavior in an Active/Active scenario.

     

     

    root@SRX-1# run show chassis cluster status
    Sep 01 20:14:19
    Monitor Failure codes:
        CS  Cold Sync monitoring        FL  Fabric Connection monitoring
        GR  GRES monitoring             HW  Hardware monitoring
        IF  Interface monitoring        IP  IP monitoring
        LB  Loopback monitoring         MB  Mbuf monitoring
        NH  Nexthop monitoring          NP  NPC monitoring
        SP  SPU monitoring              SM  Schedule monitoring
        CF  Config Sync monitoring      RE  Relinquish monitoring
    
    Cluster ID: 10
    Node   Priority Status         Preempt Manual   Monitor-failures
    
    Redundancy group: 0 , Failover count: 1
    node0  200      primary        no      no       None
    node1  1        secondary      no      no       None
    
    Redundancy group: 1 , Failover count: 1
    node0  100      primary        no      no       None
    node1  100      secondary      no      no       None
    
    Redundancy group: 2 , Failover count: 1
    node0  200      primary        no      no       None
    node1  100      secondary      no      no       None
    
    {primary:node0}[edit]
    root@SRX-1# run show security utm web-filtering status
    Sep 01 20:14:34
    node0:
    --------------------------------------------------------------------------
     UTM web-filtering status:
        Server status: Juniper Enhanced using Websense server UP
    
    node1:
    --------------------------------------------------------------------------
     UTM web-filtering status:
        Server status: Juniper Enhanced using Websense server DOWN
    
    root@SRX-1# run request chassis cluster failover redundancy-group 2 node 1
    Sep 01 20:15:20
    node1:
    --------------------------------------------------------------------------
    Initiated manual failover for redundancy group 2
    
    {primary:node0}[edit]
    root@SRX-1# run show chassis cluster status
    Sep 01 20:15:23
    Monitor Failure codes:
        CS  Cold Sync monitoring        FL  Fabric Connection monitoring
        GR  GRES monitoring             HW  Hardware monitoring
        IF  Interface monitoring        IP  IP monitoring
        LB  Loopback monitoring         MB  Mbuf monitoring
        NH  Nexthop monitoring          NP  NPC monitoring
        SP  SPU monitoring              SM  Schedule monitoring
        CF  Config Sync monitoring      RE  Relinquish monitoring
    
    Cluster ID: 10
    Node   Priority Status         Preempt Manual   Monitor-failures
    
    Redundancy group: 0 , Failover count: 1
    node0  200      primary        no      no       None
    node1  1        secondary      no      no       None
    
    Redundancy group: 1 , Failover count: 1
    node0  100      primary        no      no       None
    node1  100      secondary      no      no       None
    
    Redundancy group: 2 , Failover count: 2
    node0  200      secondary      no      yes      None
    node1  255      primary        no      yes      None
    
    {primary:node0}[edit]
    root@SRX-1# run show security utm web-filtering status
    Sep 01 20:15:34
    node0:
    --------------------------------------------------------------------------
     UTM web-filtering status:
        Server status: Juniper Enhanced using Websense server DOWN
    
    node1:
    --------------------------------------------------------------------------
     UTM web-filtering status:
        Server status: Juniper Enhanced using Websense server DOWN

     

    If you look at the above outputs,

     

    • I have 3 RGs (RG0, RG1, and RG2); all of them were Primary on Node 0 and UTM was working fine.
    • As soon as I initiated the failover of RG2 to Node 1, which doesn't even contain any interfaces, the UTM status became DOWN.

    So, we can conclude that UTM won't work in the SRX series devices deployed in the chassis cluster with an Active/Active configuration except SRX1500 running Junos version 15.1X49-D30 and above.



  • 7.  RE: SRX5800 in cluster mode with UTM

    Posted 09-01-2019 13:05
    Thanks for testing this. If you ever get the chance to test something else, can you test the same but this time with an interface on the passive node, give it an IP and put it in a security zone. Configure it as a normal interface not part of any RG. Thanks


  • 8.  RE: SRX5800 in cluster mode with UTM

    Posted 09-02-2019 03:02

    MFB,

     

    The behavior is the same while configuring the physical interfaces rather than reth interfaces on the Secondary node. Also, the document explains the same. Please check the highlighted part below:

     

    UTM is not supported for active/active chassis cluster configuration. Active/Active cluster is a cluster where interfaces can be active on both cluster nodes at the same time. This is the case when there are more than one data-plane redundancy-groups, i.e. redundancy-groups 1 and higher or when local (non-reth) interfaces are used on the cluster nodes.
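    The condition quoted above (more than one data-plane RG primary on different nodes, or local non-reth interfaces) is easy to miss in a layout review, as the test in reply 6 shows: RG2 held no interfaces and still took UTM down. The following script is an added example, not from this thread or from Juniper; it parses the text of "show chassis cluster status" (sample constructed from the output in reply 6, after the RG2 failover) and reports why a layout falls outside the documented UTM support. The local_interfaces flag is an assumption: the operator supplies it, since this output does not show local interfaces.

```python
import re

# Constructed sample based on the "show chassis cluster status" output in the
# thread, captured after RG2 was manually failed over to node1.
SAMPLE_STATUS = """\
Cluster ID: 10
Redundancy group: 0 , Failover count: 1
node0  200      primary        no      no       None
node1  1        secondary      no      no       None

Redundancy group: 1 , Failover count: 1
node0  100      primary        no      no       None
node1  100      secondary      no      no       None

Redundancy group: 2 , Failover count: 2
node0  200      secondary      no      yes      None
node1  255      primary        no      yes      None
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)")
NODE_RE = re.compile(r"^(node\d+)\s+\d+\s+(\S+)")


def parse_primaries(text):
    """Map each redundancy group number to the node that is primary for it."""
    primaries, current_rg = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        rg = RG_RE.match(line)
        if rg:
            current_rg = int(rg.group(1))
            continue
        node = NODE_RE.match(line)
        if node and current_rg is not None and node.group(2) == "primary":
            primaries[current_rg] = node.group(1)
    return primaries


def utm_findings(primaries, local_interfaces=False):
    """Reasons the layout is active/active in the documented sense; an empty
    list means all data-plane RGs (1+) share one primary and no local interfaces."""
    findings = []
    data_plane = {rg: n for rg, n in primaries.items() if rg >= 1}
    if len(set(data_plane.values())) > 1:
        split = ", ".join(f"RG{rg}->{n}" for rg, n in sorted(data_plane.items()))
        findings.append(f"data-plane RGs primary on different nodes ({split})")
    if local_interfaces:  # assumed operator-supplied flag, not parsed from output
        findings.append("local (non-reth) interfaces configured on cluster nodes")
    return findings
```

Run the checker against the output captured before a planned RG failover: any finding means the resulting layout matches the unsupported case the documentation describes, regardless of which interfaces the moved RG carries.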



  • 9.  RE: SRX5800 in cluster mode with UTM

    Posted 08-19-2019 04:34

    With EWF, you can plan this way.

     

    All the reth interfaces should have the member interfaces where you are having the RG0 master.

     

    When you are failing over to another node, you will have to manually switch RG0 to the same node where you are switching the RG1 interfaces; in that case EWF will work.