H3C Firewall initialization, version upgrade, HA & Failover SecPath F5000
Summary Insights:
- In the Network Security section I have covered some basic concepts and my practical project-delivery experience in the Fortinet and Palo Alto posts. Today I will explain H3C SecPath F5000 firewall initialization, version upgrade, high availability (HA), which H3C calls Remote Backup Management (RBM), and failover of the firewalls in a hot-backup scenario. Finally, I will compare some HA features with other vendors' firewalls.
H3C Firewall HA/RBM–Explained in Video
CLI Access:
I have connected my laptop directly to the firewall with a console cable; the default management IP address (192.168.0.1/24) is configured on interface GE1/0/0.
The default username and password are admin/admin.

Port GE1/0/0 is a combo port, and fibre is enabled on it by default. Let me explain what this means.
Combo port:
A combo port is one logical port wired to two physical connectors on the circuit board, one RJ45 and one optical SFP. You can use either one; just enable that media type under the interface.
On the H3C firewall, fibre is enabled on the combo port by default, so if you connect a UTP cable it will not work; you need to enable copper first.

GUI Access:
The LAN cable is connected; now let's access the firewall through the GUI.
In the browser open https://192.168.0.1; the default username and password are admin/admin.
Change the password on the first login, then click Apply.

Tick the box and click Yes if you want a quick review of the configuration wizard page; otherwise click No.

Choose the firewall access mode. There are two modes, Routing and Transparent; the default is Routing. I am leaving the default setting and clicking Dashboard.

This is the main GUI dashboard. Along the top bar are the Monitor, Policies, Objects, Network and System options.

The H3C SecPath F5000 firewall has no default policy configured, unlike a Fortinet firewall, which has an implicit allow any-any from LAN → WAN.

Click Network and check the interface details; GE1/0/0 is in the Management zone by default.

H3C Firewall Zones:
There are five zones on the H3C SecPath F5000: Local, Trust, DMZ, Untrust and Management.


Version Upgrade:
Let me show you the version upgrade. Before upgrading, check some basic configuration and the security policy, especially if you are accessing the firewall through a non-management interface; for the management interface GE1/0/0 most things are already allowed by default.
Go to System -> Upgrade center -> Software upgrade -> Upgrade immediately

Select and upload the latest version file.

Once the file has uploaded, click OK.

It will take 20 to 40 minutes, or maybe less; don't remove the LAN cable during this time.

Wait until it completes.

During the reboot the connection will be dropped; just wait and reload the browser.
The version has been upgraded.

High availability (HA) | Remote backup management (RBM):
Let me configure firewall HA, which H3C calls RBM. Before that, some basic configuration.

Primary Firewall Configuration:
An aggregation link between the two firewalls will be used for HA/RBM communication.

Create the zones and security policies and add the interfaces as per the diagram.

Configure track on the interfaces; if a tracked link goes down, the primary firewall fails over to the secondary.

Configure the remote backup group for HA/RBM together with the track configuration.

Run the command below to check the firewall status
#Remote-backup-group status
The management role is Primary and the running status is Active.

Secondary Firewall Configuration:
The interface and zone configuration is the same, but in the remote backup group a few commands are different, as below.
After executing these commands you will notice that the CLI prompts of the primary and secondary firewalls carry a P or S letter respectively (Primary and Secondary).

Check the secondary firewall status
The management role is Secondary and the running status is Standby.

NOTE:
After HA/RBM is established the CLI is not shared: the primary firewall has its own CLI and the secondary firewall has a separate one; there is no single CLI like in Fortinet.
After running the above commands HA will be established, and track is used for failover: if a tracked interface goes down, the primary firewall becomes secondary and the secondary becomes primary.
Switchover/failover of the H3C firewall:
I have experienced the different H3C firewall switchover methods described below.
Track interface down switchover:
If either or both of track 1/2, meaning interface XGE1/1/2 or XGE1/1/3, goes down, the Active running status moves from the primary firewall to the secondary firewall.
When a tracked interface goes down, all traffic shifts, meaning 100% of the traffic.
Manual switchover through a command:
There is one command under the remote backup group for manual switchover, as below
#Switchover request
Run the above command, then answer yes.

The running status of the primary firewall has changed from Active to Standby.

After running this command I observed that almost half (50%) of the traffic shifted, and it kept changing, because this is a logical switchover just for testing.
HA/RBM link goes down:
In my experience, in one project, when the RBM/HA link was shut down both firewalls became Primary with Active status, but the traffic kept going through the old primary firewall (the one carrying traffic before the HA port was shut), because the sessions were active there; the traffic continued on that old path and did not shift.
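The three scenarios above (track-driven failover, manual switchover, and the dual-Primary/Active condition seen when the RBM link is shut) all show up in the role and running-status lines of the remote backup group status on each box. The script below is an added example, not from the original post or from H3C: it reads that status text from both firewalls and classifies the pair, so a monitoring job can raise an alert on the split-brain case instead of relying on someone noticing that traffic never moved. The sample outputs are constructed; only the "Device management role" and "Device running status" wording (which matches what the post quotes) and the "Control channel status" line are assumed, and how you collect the text (SSH, syslog, a console scrape) is left to the reader.

```python
"""Classify the HA state of an H3C SecPath RBM pair from the text of the
remote backup group status command taken on each firewall.

Added example, not code from the original post or from H3C. The sample
outputs are constructed; the exact field names are an assumption based on
the role/status wording the post quotes.
"""
import re
from typing import Dict, Tuple

# Constructed sample: healthy pair, primary Active / secondary Standby.
PRIMARY_OK = """\
Remote backup group information:
  Device management role: Primary
  Device running status: Active
  Data channel interface: Route-Aggregation2
  Control channel status: Connected
"""

SECONDARY_OK = """\
Remote backup group information:
  Device management role: Secondary
  Device running status: Standby
  Data channel interface: Route-Aggregation2
  Control channel status: Connected
"""

# Constructed sample: the secondary after the RBM link is shut. As the post
# describes, it now also claims Primary/Active (split brain).
SECONDARY_SPLIT = """\
Remote backup group information:
  Device management role: Primary
  Device running status: Active
  Data channel interface: Route-Aggregation2
  Control channel status: Disconnected
"""

_ROLE_RE = re.compile(r"Device management role:\s*(\w+)", re.IGNORECASE)
_STATUS_RE = re.compile(r"Device running status:\s*(\w+)", re.IGNORECASE)
_CTRL_RE = re.compile(r"Control channel status:\s*(\w+)", re.IGNORECASE)


def parse_rbm_status(output: str) -> Dict[str, str]:
    """Pull role, running status and control-channel state out of the CLI text."""
    fields = {}
    for key, rx in (("role", _ROLE_RE), ("status", _STATUS_RE), ("control", _CTRL_RE)):
        m = rx.search(output)
        if not m:
            raise ValueError(f"missing '{key}' line in RBM status output")
        fields[key] = m.group(1).capitalize()
    return fields


def classify_pair(fw1_output: str, fw2_output: str) -> Tuple[str, str]:
    """Return (verdict, detail) for the two firewalls.

    OK          : exactly one Active and one Standby, roles differ, channel up.
    SPLIT_BRAIN : both report Active (what the post saw with the RBM link down).
    NO_ACTIVE   : neither side is Active, so nothing is forwarding.
    DEGRADED    : roles or control channel inconsistent but one side is Active.
    """
    a = parse_rbm_status(fw1_output)
    b = parse_rbm_status(fw2_output)
    actives = [x for x in (a, b) if x["status"] == "Active"]
    if len(actives) == 2:
        return "SPLIT_BRAIN", "both firewalls report Active; check the RBM/HA link"
    if len(actives) == 0:
        return "NO_ACTIVE", "neither firewall is Active"
    if a["role"] == b["role"]:
        return "DEGRADED", f"both firewalls report management role {a['role']}"
    if a["control"] != "Connected" or b["control"] != "Connected":
        return "DEGRADED", "control channel not connected on at least one side"
    return "OK", f"{a['role']}={a['status']}, {b['role']}={b['status']}"


if __name__ == "__main__":
    # Healthy pair, then the split-brain case from the post.
    print(classify_pair(PRIMARY_OK, SECONDARY_OK))
    print(classify_pair(PRIMARY_OK, SECONDARY_SPLIT))
```

After a manual switchover request the primary reports Standby and the secondary Active, which this check still classifies as OK, since one Active and one Standby with differing roles is the expected shape; only the dual-Active case, or no Active at all, is treated as an incident.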
Comparing HA with Fortinet:
There are multiple points of difference, but I have mentioned only three below.


Hi,
My client's setup is: there are 2 ISPs, one for MPLS (10.96.0.0/24) and the other one is DIA (223.130.19.32/29). I set the MPLS on VLAN 1023 and DIA on VLAN 1026. Both ISPs are connected to a WAN switch going down to 2 firewalls in HA. The MPLS is connected to FW1 at GE1/0/1 and the DIA is connected to FW2 at GE1/0/1. Then going down, the firewalls are connected to 2 core switches that are in IRF. The ports on both firewalls going to the core switches are XGE1/0/14 and XGE1/0/15 using 10G uplink SFPs.
Also there are 5 major VLANs to be configured for zones
1. VLAN3 – Employee LAN – (100 – Gets full access, allowed to initiate connections to any zone) – Virtual IP: 10.73.3.7
2. VLAN95 – SEC LAN – (CCTV,Door Access Network) – Virtual IP: 10.73.95.7
3. VLAN 90 – Guest Network – (50 – Can go to WAN, but blocked from LAN and SEC unless explicitly allowed.) – Virtual IP: 10.73.90.7
4. WAN Value (WAN) – (0 – Restricted)
5. WAN Value (DIA) – (0 – Restricted)
Can you help me with the configuration on the firewall?
Thank you for sharing the details. Could you please provide me with your email address so I can reach out directly and support you with the firewall configuration?
you can reach me at [email protected]
In this example, what would be the configuration on the switch port?
The following configurations are applied on the switch interfaces toward the firewall. In our setup, all gateway IP addresses and DHCP pools are configured on the Core switch.
#
interface Route-Aggregation1
description ***Toward-Firewall***
ip address x.x.x.x
link-aggregation mode dynamic
#
Add the physical ports to the aggregation.
The configuration below is on the firewall port toward the switch
#
interface Route-Aggregation1
description ***Toward Core-Switch***
ip address x.x.x.x
link-aggregation mode dynamic
manage ping inbound
manage ping outbound
#
Add the physical ports to the aggregation.
This is very helpful. Thanks, readtech team.
Really appreciate your feedback 🙏, Happy to know this helped you.