Configuring virtual firewalls in HA on the vSphere hypervisor

Whenever you create a high availability firewall cluster in a vSphere environment, you may encounter issues when attempting to connect to the cluster remotely in the following architectures:

  1. Firewalls hosted on the same ESX server and connected to vSwitches.
  2. Firewalls hosted on two separate ESX servers and connected to vSwitches.
  3. Firewalls hosted on two separate ESX servers and connected to dvSwitches.

Explanation

The virtual switch (vSwitch/dvSwitch) knows the MAC address configured on each virtual NIC connected to its ports; unlike a physical switch, it does not, by default, learn addresses from the frames it sees.

Since both members of a Stormshield firewall cluster use the same MAC address by default, when the virtual switch receives frames for that MAC address it always delivers them to the port it associates with the address, regardless of the role (active or passive) of the firewall behind that port. If the virtual switch (vSwitch/dvSwitch) delivers the frames to the passive firewall, the passive firewall simply drops them, and the connection to the cluster fails.

Solution

The solution is to remove the MAC addresses forced in the configuration of both firewalls, so that each member uses the MAC address of its own virtual NIC. Perform this operation through the web administration interface or the firewall's system console.

Using the web administration interface

In the Network > Interfaces menu > Advanced properties tab > Physical (MAC) address field, clear every customized MAC address on the network interfaces of each virtual firewall, then apply your changes.

Using the system console

  1. In the configuration file /usr/Firewall/ConfigFiles/network, delete all lines containing the entry "MacAddress=".
  2. Next, type the system commands ennetwork and then hasync in order to apply these changes and synchronize the active firewall's configuration with the passive firewall's configuration.
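The console procedure above, as an added shell example (not code from the Stormshield article or from SNS itself). It strips every "MacAddress=" line from the network configuration file, keeps a dated backup, and then runs ennetwork and hasync. The file path and the "MacAddress=" key come from the article; the section and key names in the constructed sample file, the backup naming and the --apply switch are assumptions of this example. Without --apply the script only does a dry run on a throwaway sample, so it can be tried safely before touching a real cluster.

```shell
#!/bin/sh
# Added example, not part of the Stormshield article or of SNS.
# Removes every "MacAddress=" line from the SNS network configuration file
# (path and key name taken from the article), keeps a dated backup, then
# re-applies the network configuration and synchronises the cluster with
# ennetwork and hasync, as the article's console procedure describes.
# Run with no argument for a dry run on a constructed sample file; run with
# --apply on the active firewall's console to edit the real file.

NETWORK_CONF="${NETWORK_CONF:-/usr/Firewall/ConfigFiles/network}"

# Number of lines still forcing a MAC address (prints 0 when the file is clean).
count_forced_macs() {
    grep -c 'MacAddress=' "$1" || true
}

# Delete the forced-MAC lines in place after saving a dated backup, and
# print the backup path. sed's "d" command behaves the same on GNU sed and
# on the BSD sed found on SNS, so no -i flag (which differs) is needed.
strip_forced_macs() {
    conf="$1"
    backup="$conf.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$conf" "$backup" || return 1
    tmp="$conf.tmp.$$"
    sed '/MacAddress=/d' "$conf" > "$tmp" && mv "$tmp" "$conf" || return 1
    echo "$backup"
}

# Constructed sample with the layout assumed by this example: one section
# per interface, a forced MAC on two of the three interfaces. Only the
# "MacAddress=" key is taken from the article; the other keys are assumed.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Ethernet0]
Name=out
MacAddress=02:00:00:00:00:01
[Ethernet1]
Name=in
MacAddress=02:00:00:00:00:02
[Ethernet2]
Name=dmz
EOF
}

if [ "${1:-}" = "--apply" ]; then
    # Real run on the firewall: edit the live file, then apply and synchronise.
    echo "Forced MAC addresses in $NETWORK_CONF: $(count_forced_macs "$NETWORK_CONF")"
    backup=$(strip_forced_macs "$NETWORK_CONF") || exit 1
    echo "Backup saved as $backup"
    ennetwork && hasync
else
    # Dry run: exercise the same functions on a throwaway copy.
    sample="${TMPDIR:-/tmp}/network.sample.$$"
    write_sample_conf "$sample"
    echo "Before: $(count_forced_macs "$sample") forced MAC line(s)"
    strip_forced_macs "$sample" > /dev/null
    echo "After:  $(count_forced_macs "$sample") forced MAC line(s)"
    rm -f "$sample" "$sample".*.bak
fi
```

Run the script with --apply on the active member only: hasync pushes the cleaned configuration to the passive member, so the file does not need to be edited twice. The backup lets you restore the forced addresses if a connectivity check after the next failover shows that something else depended on them.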
 

Once the forced MAC addresses have been removed, each cluster member answers with the MAC address of its own virtual NIC, so neighboring devices must update their ARP entries after a failover. Depending on the network devices connected to the Stormshield Network firewalls, and mainly on their ARP cache timeout values, more time may therefore be required to restore connections when the roles of the firewalls are switched within the cluster (active/passive).