This change switches the active/passive state of the Juniper firewall pairs in one or both of the two Highly Available (HA) firewall clusters. The procedure may also be used during instability, when one physical firewall in a cluster requires hardware maintenance or troubleshooting as requested by the vendor.
Testing will use common network applications to verify the flow of packets across media and endpoints and confirm expected results. Tests will check both an expected packet drop (as designed) and a packet accept, such as a known IFD exception for HTTP.
Internal T&A will be used within Netscreen Manager Software as provided by the vendor and executed automatically on all cluster firewalls at boot.
1) Monitor a known traffic flow, based on firewall exceptions, with ping.
2) Conduct a trace route to an off-campus host and note the IPs within HSU's Class B.
3) Execute an automated fail-over command via the CLI of the affected firewall.
4) Monitor ping for packet loss, which should be minimal and less than 1 second.
5) If packet loss lasts longer than 30 seconds, begin manual failover by physically removing the HA link 1/4 on Server Farm Firewalls, or 2/1 and 2/2 on edge firewalls.
6) Ensure packet flow is restored and packet loss is normal.
7) Ensure connectivity to the NSM server is successful.
8) Ensure the trace route is essentially unchanged, especially within the 137.150.248.x networks used within the firewall for routing on the edge or 22.214.171.124/29 within the server farm cluster.
9) Test connectivity with a browser or other means, and check throughput via speakeasy.net/speedtest.
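Steps 4, 5 and 8 as a scripted check, added here as an example and not part of the original procedure: it measures the longest loss window in a ping capture against the 1-second and 30-second limits and lists trace route hops inside 137.150.248.x that changed. The function names, the /24 reading of "137.150.248.x", the "keep-monitoring" state and all sample data are assumptions constructed for illustration.

```python
import ipaddress

EXPECTED_MAX_LOSS = 1.0     # step 4: loss should be less than 1 second
MANUAL_FAILOVER_AT = 30.0   # step 5: longer than 30 seconds -> manual failover
EDGE_NET = ipaddress.ip_network("137.150.248.0/24")  # assumed reading of "137.150.248.x"

def longest_outage(samples):
    """samples: time-ordered (seconds, got_reply) ping results.
    Returns the longest loss window, measured from the first lost probe
    to the next reply (or to the last sample if replies never resumed)."""
    longest, start = 0.0, None
    for ts, ok in samples:
        if not ok and start is None:
            start = ts                          # loss window opens
        elif ok and start is not None:
            longest = max(longest, ts - start)  # loss window closes
            start = None
    if start is not None:                       # still down at end of capture
        longest = max(longest, samples[-1][0] - start)
    return longest

def classify(outage):
    if outage > MANUAL_FAILOVER_AT:
        return "manual-failover"
    if outage < EXPECTED_MAX_LOSS:
        return "expected"
    return "keep-monitoring"  # assumption: no action is defined between 1 s and 30 s

def changed_edge_hops(before, after):
    """Compare two trace routes hop by hop (lists of IP strings) and report
    the hops that differ where either address is inside EDGE_NET."""
    changes = []
    for i in range(max(len(before), len(after))):
        b = before[i] if i < len(before) else None
        a = after[i] if i < len(after) else None
        if b != a and any(h and ipaddress.ip_address(h) in EDGE_NET for h in (b, a)):
            changes.append((i + 1, b, a))
    return changes

# Constructed sample data, not captured from any real network.
CLEAN = [(i * 0.2, i not in (10, 11, 12)) for i in range(30)]  # 3 lost probes
STUCK = [(float(i), i < 5) for i in range(45)]                 # never recovers
TRACE_BEFORE = ["137.150.248.1", "137.150.248.9", "192.0.2.1"]
TRACE_AFTER = ["137.150.248.1", "137.150.248.10", "192.0.2.1"]

if __name__ == "__main__":
    for name, run in (("clean", CLEAN), ("stuck", STUCK)):
        gap = longest_outage(run)
        print(f"{name}: longest loss {gap:.1f}s -> {classify(gap)}")
    print("changed edge hops:", changed_edge_hops(TRACE_BEFORE, TRACE_AFTER))
```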
Check functionality for packet accepts on:
HTTP to Humboldt.edu
HTTPS to my.humboldt.edu
SSH to folders
Aruba OS to Remote Access Points in the Marine Lab and other off-campus facilities
Check functionality for packet drops on:
Restore previous configuration and/or HA state using NSM and/or CLI commands.