How do I configure a pair of Juniper firewalls for Active/Passive High Availability (NSRP)?
What are the minimum NSRP commands required?
The basic configuration steps for the following topology are documented in this solution.
Minimum software and hardware requirements for configuring Active/Passive NSRP:
Firewalls with identical ScreenOS versions and license keys
Firewalls with identical hardware
At least one interface on each firewall to be configured in the HA zone, which will be used for carrying control channel information
For more information on the software and hardware requirements for NSRP, refer to KB11432.
SOLUTION:
For assistance with configuring a pair of firewalls for NSRP, follow the steps below.
These instructions were performed on an SSG-500. The same concept applies to the other models that support NSRP; the only difference is the interface notation or the dedicated HA port.
Perform basic configuration on Firewall-A. Bind the interfaces to the zones desired, and configure an IP address on the interfaces.
set interface ethernet0/3 zone untrust
set interface ethernet0/1 zone trust
set interface ethernet0/3 ip 10.1.1.2/24
set interface ethernet0/1 ip 1.1.1.1/24
You may also configure policies, VPNs, etc., and get the firewall working as designed. Then proceed to the next step when ready to configure NSRP.
OR
It is also possible to do only the minimal configuration above and proceed to the next step to configure NSRP. Once the Active/Passive pair is configured for NSRP, subsequent configuration commands (policies, VPNs, etc.) will be automatically synced to the other firewall.
Start configuring NSRP by choosing the interface(s) for HA. In our example, it is eth0/4. For more information on assigning the HA ports, refer to KB11296.
The following will be reported shortly after you enter the above command:
Reset Firewall-B.
IMPORTANT: If you are prompted to save the configuration after you enter the reset command, answer n (No).
Then, proceed with the reboot by answering y (Yes).
firewall-B(B)-> reset
firewall-B(B)-> Configuration modified. Save? [y]/n n
firewall-B(B)-> System reset. Are you sure? y/[n] y
After the boxes have rebooted, synchronize the RTOs (Run-Time Objects):
To set the preempt option, enter the following command only on the device which has the lowest priority value, i.e. the device that you want to always be Master. Do not add it on both devices:
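As an added pre-deployment check (not part of this Juniper KB), the following Python script compares configuration excerpts from both units against the prerequisites above: identical ScreenOS version, matching NSRP cluster id, an interface bound to the ha zone on each unit, and preempt configured on exactly one unit, the one with the lower priority value. The sample excerpts are constructed, and the "Software Version:" line format is an assumption about the device output.

```python
import re

# Constructed sample excerpts (not real device output): a version line plus the
# NSRP-relevant "set" lines from each unit's saved configuration.
FIREWALL_A = """Software Version: 6.3.0r12.0
set interface ethernet0/4 zone ha
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
"""
FIREWALL_B = """Software Version: 6.3.0r12.0
set interface ethernet0/4 zone ha
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 100
"""

def parse(cfg):
    # Extract the fields the prerequisite checks need from one unit's config text.
    f = {"version": None, "cluster": None, "priority": None, "ha_ifaces": [], "preempt": False}
    for line in cfg.splitlines():
        if m := re.match(r"Software Version: (\S+)", line):
            f["version"] = m.group(1)
        elif m := re.match(r"set interface (\S+) zone ha$", line):
            f["ha_ifaces"].append(m.group(1))
        elif m := re.match(r"set nsrp cluster id (\d+)", line):
            f["cluster"] = int(m.group(1))
        elif m := re.match(r"set nsrp vsd-group id 0 priority (\d+)", line):
            f["priority"] = int(m.group(1))
        elif line == "set nsrp vsd-group id 0 preempt":
            f["preempt"] = True
    return f

def check_pair(cfg_a, cfg_b):
    """Return the violated prerequisites; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for key in ("version", "cluster"):
        if a[key] is None or a[key] != b[key]:
            problems.append(f"{key} missing or different: A={a[key]} B={b[key]}")
    for name, f in (("A", a), ("B", b)):
        if not f["ha_ifaces"]:
            problems.append(f"Firewall-{name}: no interface bound to the ha zone")
    preempt_units = [f for f in (a, b) if f["preempt"]]
    if len(preempt_units) != 1:
        problems.append("preempt must be configured on exactly one unit")
    elif a["priority"] is not None and b["priority"] is not None:
        # The lower priority value wins master election, so preempt belongs on that unit.
        lowest = min((a, b), key=lambda f: f["priority"])
        if preempt_units[0] is not lowest:
            problems.append("preempt is on the unit with the higher priority value")
    return problems
```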