
Juniper Firewall Topology/State Change


This change switches the active/passive state of the Juniper firewall pair in one or both of the Highly Available (HA) firewall clusters. The procedure may also be used during periods of instability, when one physical firewall in a cluster requires hardware maintenance or troubleshooting as requested by the vendor.

This event occurs during large-scale maintenance upgrades such as the 3-4 year refresh of ITRP, ITRP2, and now CNI. It may also be required after a core crash, when network administrators must restore optimal switching paths once core hardware and/or configurations have been replaced or modified. On average, this procedure is performed manually once or twice a year.
Impact of Change: 
Test Plan: 

Testing will consist of using common network tools that verify the flow of packets across media and endpoints to confirm the expected results. Tests will check both an expected packet drop (as designed) and an expected packet accept, such as a known IFD exception for HTTP.

Internal T&A will be used within the NetScreen Manager software, as provided by the vendor, and executed automatically on all cluster firewalls at boot.

Communication Plan: 
Systat and word of mouth to the Central IT Director and, where applicable, other network analysts (such as the on-call tech).
Implementation Procedure: 

1) Monitor, via ping, a known traffic flow that is permitted by the firewall exceptions.
2) Run a traceroute to an off-campus host and note the hop IPs within HSU's Class B.
3) Execute an automated fail-over command via the CLI of the affected firewall.
4) Monitor the ping for packet loss, which should be minimal and last less than 1 second.
5) If packet loss lasts longer than 30 seconds, begin a manual failover by physically removing the HA link: port 1/4 on the Server Farm firewalls, or ports 2/1 and 2/2 on the edge firewalls.
6) Ensure packet flow is restored and packet loss returns to normal.
7) Ensure connectivity to the NSM server is successful.
8) Ensure the traceroute is essentially the same, especially within the 137.150.248.x networks used by the firewalls for routing at the edge or within the server farm cluster.
9) Test connectivity with a browser or other means and check throughput via
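The monitoring side of steps 1, 2, 4, 5 and 8 can be scripted so the outage length and the routing-hop comparison are measured rather than eyeballed. The following is an added example, not part of this change record or any HSU or Juniper tooling; it works on constructed sample `ping -D` and traceroute output and assumes the firewall routing block is 137.150.248.0/24.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: "ping -D" style output with a unix timestamp per reply.
# Sequence numbers 3-5 never answered, so replies 2 and 6 bracket a ~5 s outage.
PING_LOG = """\
[1700000000.010] 64 bytes from 137.150.248.1: icmp_seq=1 ttl=63 time=0.9 ms
[1700000001.012] 64 bytes from 137.150.248.1: icmp_seq=2 ttl=63 time=0.8 ms
[1700000006.015] 64 bytes from 137.150.248.1: icmp_seq=6 ttl=63 time=1.1 ms
[1700000007.011] 64 bytes from 137.150.248.1: icmp_seq=7 ttl=63 time=0.9 ms
"""
REPLY_RE = re.compile(r"^\[(\d+\.\d+)\] \d+ bytes from .*icmp_seq=\d+")

def longest_outage(ping_log: str) -> float:
    """Longest gap, in seconds, between two consecutive echo replies."""
    stamps = [float(m.group(1)) for m in map(REPLY_RE.match, ping_log.splitlines()) if m]
    return max((b - a for a, b in zip(stamps, stamps[1:])), default=0.0)

def failover_verdict(outage_s: float) -> str:
    """Map the measured outage to the thresholds in steps 4 and 5."""
    if outage_s <= 1.0:
        return "nominal"            # step 4: expected loss is under one second
    if outage_s <= 30.0:
        return "degraded"           # longer than expected, keep watching
    return "manual-failover"        # step 5: pull the HA link

# Constructed before/after traceroute snippets. Only hops inside the firewall
# routing block (assumed 137.150.248.0/24) are compared; the off-campus path may vary.
TRACE_BEFORE = """\
 1  137.150.248.1  0.7 ms
 2  137.150.248.30  1.2 ms
 3  198.51.100.9  4.0 ms
"""
TRACE_AFTER = """\
 1  137.150.248.1  0.8 ms
 2  137.150.248.30  1.3 ms
 3  198.51.100.17  4.2 ms
"""
HOP_RE = re.compile(r"^\s*\d+\s+(\d+\.\d+\.\d+\.\d+)")

def routing_hops(trace: str, prefix: str = "137.150.248.0/24") -> list[str]:
    """Ordered list of hop addresses that fall inside the given prefix."""
    net = ip_network(prefix)
    hops = [m.group(1) for m in map(HOP_RE.match, trace.splitlines()) if m]
    return [h for h in hops if ip_address(h) in net]

def hops_unchanged(before: str, after: str) -> bool:
    """Step 8: the internal routing hops must form the same path before and after."""
    return routing_hops(before) == routing_hops(after)
```

Feed it the real `ping -D` and traceroute captures from steps 1 and 2 instead of the constructed strings; a "manual-failover" verdict is the cue for step 5.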

Change Approval: 
Lead Network Analyst in emergencies. Director of Central IT in all other cases.
Production Validation Plan: 

Check functionality for packet accepts on:
SSH to folders
Aruba OS to Remote Access Points in the Marine Lab and other off-campus facilities

Check functionality for packet drops on:

Backout Plan: 

Restore previous configuration and/or HA state using NSM and/or CLI commands.

Not Approved