Netscreen Firewalls| Networks | CSCF | SCS | UW

[Please remove <h1>]

This document describes the steps required to have the Netscreen firewalls protect a subnet.  You should read this document entirely before beginning this process and you may wish to consult the Netscreen documentation to clarify certain concepts.

The two firewalls are in a cluster composed of two "virtual groups" named VSD 0 and VSD 1.  nsfw01 is the master for VSD 0, with nsfw02 as the backup.  nsfw02 is the master for VSD 1, with nsfw01 as the backup.  Because the two firewalls are in a cluster, all configuration changes, that we care about, made to one will automatically take effect on the other.  There are certain config commands that don't sync but they don't apply here.  You can read the vendor docs if you really want to know. 

You won't be able to even begin the process without knowing the following:

  • The name and complete network address of the subnet in question
  • The current route point for the subnet
  • Which firewall is going to act as the primary firewall for the subnet
  • The security zone that the subnet is to be a member of

You can find out the name and/or network number as well as the route point from the /etc/networks file on any xhiered Unix machine.  You should use traceroute to verify the route point for the network.  Determining which firewall will act as the primary (ie. the one doing all the work) will depend on the current perceived balance of load.  There's no easy answer. Other factors to consider include teaching vs. research, and geographical location of hosts on the subnet.  Determining the security zone should be easy, the policy is documented here.

You should make all changes to nsfw01. There are limitations to the web interface, therefore it's recommended that you use the CLI to make changes.  To minimize downtime required to move the route point, it's a good idea to define the CLI commands in a text file beforehand so that you can do a simple copy-paste when you do the actual move.

Each firewall has four physical interfaces, grouped into to logical "redundant" interfaces.  ethernet1/1 and ethernet1/2 are grouped as redundant1, and ethernet3/1 and ethernet3/2 are grouped as redundant2.  You shouldn't need to make changes to any configuration involving the redundant1 interface, nor the physical interfaces it's composed of.  On the Extreme switch side, you do need to make sure the vlan you are working with is on the trunk link with ethernet3/1 and ethernet3/2 of both firewalls.  On the Extreme switches, you may need to run show vlan <VlanName> and configure vlan <VlanName> add ports <ports connected to firewall>.

Backup the current configuration.

This can be done easily via the web interface. Go to the Configuration -> Update -> Config File menu. In the "Download Configuration from Device" menu, click on "Save to File".

Delete the existing route point.

On an Extreme switch, it involves running the following commands:
configure rip delete <vlanname>
unconfigure vlan <vlanname> ipaddress

Create new interfaces

On nsfw01, run get interface.  You'll see a list of interfaces in short form.  red2 is redundant2, red2.1 is the first sub-interface of redundant2 and red2.1:1 is the VSI interface corresponding to redundant2.1.  Think of the VSI interface as the interface for a vlan that's on the other firewall (and hence inactive on this firewall).  To add your subnet, you'll have to create a new sub-interface to reduandant2.  I'll use N to denote the next available sub-interface number.  If you want nsfw02 to act as the primary firewall for the subnet, you'll also need to create the VSI interface for the sub-interface you just created.  The very first thing to do is create the sub-interface and associate a vlan tag and security zone to it:

set interface "redundant2.N" tag <vlan id> zone "ZoneX"

If nsfw01 is to be the firewall for this subnet, then run the following:

set interface redundant2.N ip 129.97.<vlan id>.1/24
set interface redundant2.N:1 ip 129.97.<vlan id>.2/24

If nsfw02 is to be the firewall for this subnet, then run the following:

set interface redundant2.N:1 ip 129.97.<vlan id>.1/24
set interface redundant2.N ip 129.97.<vlan id>.2/24
Once you've set the IP Addresses, you now have to enable routing and allow people to ping the route points:
set interface redundant2.N route
set interface redundant2.N ip manageable
set interface redundant2.N manage ping
set interface redundant2.N protocol rip
set interface redundant2.N protocol rip enable
set interface redundant2.N:1 route
set interface redundant2.N:1 ip manageable
set interface redundant2.N:1 manage ping
set interface redundant2.N:1 protocol rip
set interface redundant2.N:1 protocol rip enable

You may wish to run get interface to confirm what you've done looks correct.

Making the routes public

Next you have to allow routes to be advertised to RIP neighbors.  The Netscreens have two virtual routers: trust-vr and untrust-vr.  The untrust-vr is the router for the "Untrust" zone (ie. anything coming through dccorenet on the redundant1 interface) and the trust-vr is the default router for the firewalls (ie. for all the other zones).  There are strict access controls applied to what's exchanged between untrust-vr and trust-vr.  There are already import/export filters and route-maps defined on each virtual router that refer to access lists.  You need to add the subnet to the appropriate access lists and route maps.  Run the commands:

get vrouter untrust-vr
get vrouter trust-vr

to determine the current configuration.  Pay close attention to the access-list for each virtual router, as well as the route-maps for the trust-vr.

First, add the subnet to the access list of the untrust-vr:

set vrouter untrust-vr access-list N permit ip 129.97.<vlan id>.0/24 X

where N is either 1 or 2, representing the main firewall for this subnet, nsfw01 or nsfw02 respectively. X represents the next sequence number available in the access-list that you are adding to.

Next, you need to go into the trust-vr instance. There, you will create a new access-list for the subnet and create a route-map linking the access-list you created to the main routing interface for that subnet.

set vrouter trust-vr 
set access-list Y
set access-list Y permit ip 129.97.<vlan id>.0/24 1
set route-map name "rtmap1" permit Y
set match interface <name of the .1 interface for this subnet>
set match ip Y
exit
exit

where Y represents the next available access-list number and route-map sequence number. (Dave thinks it matches X above, need to verify this however.)

At this point, you should run "show ip route 129.97.<vlan id>.0" on dc3558-cs1 (where nsfw02 vr-untrust ports are connected). If the entry "129.97.<vlan id>.0/24 172.19.5.2 1799 rip" for the subnet is not there, then you have done something wrong. If the entry is there but the wrong firewall is advertising the route, check your work for mistakes. If you think you did everything right and the wrong firewall is being advertised, seek help!


By jatestar, 2005/08/25
Updated by dlgawley, 2008/09/3