A customer's SonicWALL HA pair was upgraded recently, which is a good opportunity to describe the SonicWALL HA architecture and how it operates.
Based on the official documentation, I compiled the following table; it is for reference only.
| Model | Active/Standby | Active/Active Clustering | Active/Active DPI |
|---|---|---|---|
| TZ 205 | Support | N/A | N/A |
| TZ 215 | Support | N/A | N/A |
| NSA 220 | Support | N/A | N/A |
| NSA 250M | Support | N/A | N/A |
| NSA 2400 | Support | N/A | N/A |
| NSA 3500 | Support | N/A | N/A |
| NSA 3600 | Support | N/A | N/A |
| NSA 4600 | Support | N/A | N/A |
| NSA 5600 | Support | Optional | Optional |
| NSA 6600 | Support | Optional | Optional |
| NSA E5500 | Support | Support | Support |
| NSA E6500 | Support | Support | Support |
| NSA E7500 | Support | Support | Support |
| NSA E8500 | Support | Support | Support |
| NSA E8510 | Support | Support | Support |
Terminology for the SonicWALL HA architecture
Active/Standby:
One unit is the Primary SonicWALL and the other is the Backup SonicWALL. Under normal conditions the Primary SonicWALL is in the Active state and all traffic passes only through the Active unit, while the Backup SonicWALL stays Idle. When the Primary fails over, the Backup immediately changes its state from Idle to Active and takes over handling the network traffic.
The diagram below shows a simplified SonicWALL HA flow.
Basic HA:
All TZ-series firewalls support only stateless HA, meaning the Primary SonicWALL does not synchronize its state tables to the Backup SonicWALL, so downtime on failover is longer (in theory, every existing connection must be re-established after a failover).
Virtual MAC:
The interfaces of both SonicWALL units share one MAC address, which shortens downtime when a failover occurs.
Stateful HA:
All NSA-series firewalls support stateful HA, meaning the Primary SonicWALL synchronizes its state tables to the Backup SonicWALL, so downtime on failover is shorter (in theory, existing connections do not need to be re-established after a failover).
Some information is still not synchronized; the table below is the vendor's own summary.
| Information that is Synchronized | Information that is not Synchronized |
|---|---|
| VPN information | Dynamic WAN clients (L2TP, PPPoE, and PPTP) |
| Basic connection cache | Deep Packet Inspection (GAV, IPS, and Anti Spyware) |
| FTP | IPHelper bindings (such as NetBIOS and DHCP) |
| Oracle SQL*NET | SYNFlood protection information |
| Real Audio | Content Filtering Service information |
| RTSP | VoIP protocols |
| GVC information | Dynamic ARP entries and ARP cache timeouts |
| Dynamic Address Objects | Active wireless client information |
| DHCP server information | Wireless client packet statistics |
| Multicast and IGMP | Rogue AP list |
| Active users | |
| ARP | |
| SonicPoint status | |
| Wireless guest status | |
| License information | |
| Weighted Load Balancing information | |
| RIP and OSPF information | |
Active/Active DPI:
As noted above, Stateful HA (SHA) does not synchronize the DPI services, so Active/Active DPI was introduced later.
The two SonicWALL units share the processing of some services (the remaining services are still handled by the unit in the Active state). The shared services are:
a. Gateway Anti-Virus (GAV)
b. Anti-Spyware
c. Intrusion Protection (IPS)
d. Application Firewall
When this feature is enabled, an HA Data Interface must be configured to carry the DPI service traffic.
Active/Active Clustering
This feature is extensive and complex, so I will cover A/A Clustering fully in a separate post.
That is a rough overview of SonicWALL HA; what follows is the main point of this post.
SonicWALL HA Firmware Upgrade steps
1. Confirm the network topology
2. Back up the SonicWALL settings file
3. Configure the Monitor IP addresses
4. Upload the firmware and reboot
When upgrading the firmware with Stateful HA enabled (almost everyone who has purchased HA enables it), Preempt Mode must be disabled.
2. Back up the SonicWALL settings file
System >> Settings >> Export Settings
3. Configure the Monitor IP addresses
High Availability >> Monitoring >> X0 EDIT
Add two management IP addresses, one used by the Primary and one by the Backup SonicWALL (these two IPs must not be in use by any other device).
4. Upload the firmware and reboot
The device detects that it is running in an HA configuration and asks whether to upload the firmware.
Select Upload Firmware - New and click BOOT.
During an HA upgrade, the unit with Status Idle is upgraded first and reboots automatically; once the Idle unit has finished upgrading, the unit with Status Active is upgraded automatically and reboots as well.
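As an added example (editor's code, not from the original post or from SonicWALL), the toy Python model below walks a Primary/Backup pair through the rolling upgrade described above and counts failovers and dropped connections, contrasting Basic HA with Stateful HA and Preempt Mode on with off. It assumes that Preempt Mode means the Primary reclaims the Active role as soon as it comes back up; the unit names, firmware labels and connection IDs are constructed.

```python
# Toy model of a two-unit HA pair during a firmware upgrade (editor's example).
from dataclasses import dataclass, field

@dataclass
class Unit:
    name: str
    active: bool
    firmware: str
    conns: set = field(default_factory=set)  # connection cache (state table)

class HAPair:
    def __init__(self, stateful: bool, preempt: bool):
        self.stateful, self.preempt = stateful, preempt
        self.primary = Unit("Primary", True, "old")
        self.backup = Unit("Backup", False, "old")
        self.failovers = 0
        self.lost = set()  # connections that a failover forced to be re-established

    def active(self):
        return self.primary if self.primary.active else self.backup
    def idle(self):
        return self.backup if self.primary.active else self.primary

    def open_conn(self, cid):
        self.active().conns.add(cid)
        if self.stateful:  # Stateful HA: state table is synced to the Idle unit
            self.idle().conns.add(cid)

    def failover(self):
        old, new = self.active(), self.idle()
        if not self.stateful:  # Basic HA: the Idle unit holds no state table
            self.lost |= old.conns
            old.conns.clear()
        old.active, new.active = False, True
        self.failovers += 1

    def reboot(self, unit, new_fw):
        if unit.active:  # rebooting the Active unit forces a failover
            self.failover()
        unit.firmware = new_fw
        unit.conns = set(self.active().conns) if self.stateful else set()
        if self.preempt and unit is self.primary:
            self.failover()  # assumption: Preempt Mode = Primary reclaims Active

    def upgrade(self, new_fw="new"):
        self.reboot(self.idle(), new_fw)    # Status Idle is upgraded first
        self.reboot(self.active(), new_fw)  # then the Active unit
        return self.failovers, sorted(self.lost)
```

With Stateful HA and Preempt Mode off the upgrade costs one failover and no lost connections; enabling Preempt Mode adds a second failover in this model.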
Refer:
https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=7763