FireNet Advanced Config¶
FireNet Advanced Config applies to both TGW based FireNet and Aviatrix Transit FireNet.
Firewall Health Check and Failover Detection using LAN Interface¶
By default, Aviatrix Controller check the firewall’s health by pinging the firewall’s management IP address. In 6.0, firewall instance’s health can also be checked by pinging its LAN interface from the connecting Aviatrix FireNet gateway. This is an alternative approach which improves firewall failure detection time and detection accuracy.
The mechanism is that the FireNet gateway pings the firewall instance’s LAN interface every 5 seconds with a ping time out of 20ms. If the first ping times out, it immediately pings again. Two consecutive ping failures indicates the firewall is in down state and it is detached from the FireNet gateway pool. The ping functions continues and it detects the firewall instance has come up by successful pings, it is attached back to the FireNet gateway pool.
With LAN interface pinging, the firewall instance fail over time is reduced.
The following details describe how to enable ping on the firewall instance LAN interface.
Step 1: Enable ICMP on Firewall Devices¶
Palo Alto Network¶
Go to Network -> Network Profiles -> Interface Mgmt, create profile to allow ping
Next, Go to Network -> Interfaces, select “Ethernet 1/2”, go to Advanced tab -> Management Profile and select the profile just created in above step
Configure stack similar to Palo Alto Network shown above.
Go to SmartConsole -> Global Properties -> Firewall -> Accept ICMP requests.
Fortigate (Fortinet) ~~~~~~~~~~~~~~~~~~~~~~~~~~`
Go to Network -> Interfaces -> Edit Interface -> Check “PING” box
Step 2: Configure Aviatrix Controller¶
Go to Firewall Network –> Advanced –> Click the 3 vertical dots as shown below:
The expanded view shows the firewall deployed by the Aviatrix controller and towards the end of screen shot, one can enable/disable LAN side Health Check.
Step 3: Verify LAN Side ICMP Health Check¶
In this example, AWS and Check Point used to demonstrate the functionality as shown below:
Go to Check Point logs and Monitoring section, notice that the ICMP health check is initiated every 5 second from the Aviatrix Transit FireNet gateways. The 5 second setting is the default and cannot be changed.
You can enable and disable traffic inspection. When traffic inspection is disabled, FireNet gateway loops back all packets.
Egress through Firewall¶
This is to enable Internet bound egress traffic for inspection.
If you enable Fail Close, FireNet gateway drops all traffic when all firewalls are in Down state.