Migrating a dynamic routing configuration from BIRD v1 to BIRD v2

Product concerned: SNS 4.8.1 and higher

As of SNS version 4.8.1, the BIRD v2 dynamic routing engine is supported and replaces BIRD v1, which has become obsolete.

When you upgrade a firewall whose configuration initially used BIRD v1 dynamic routing to SNS version 4.8.1, BIRD v1 will remain active even after the firmware has been updated.

This is because your configuration cannot be automatically transferred from BIRD v1 to BIRD v2, as the syntax used in the BIRD v2 dynamic routing configuration file is different from the syntax in BIRD v1.

One of the major changes is that in BIRD v2, IPv4 and IPv6 dynamic routing settings have been grouped into a single bird.conf file, unlike BIRD v1, which uses two separate files: bird.conf for IPv4 and bird6.conf for IPv6.

The Dynamic routing module in SNS versions 4.8.1 and higher has been designed to assist you in the migration operation.

IMPORTANT
If your firewalls are managed by an SMC server, it is no longer possible to manage the dynamic routing of firewalls in versions 4.8.1 and higher from an SMC version lower than 3.6.

Understanding the Dynamic routing module

Go to Configuration > Network > Dynamic routing.

This module contains three tabs in which either version of BIRD can be enabled/disabled and configured.

NOTE
When one version of BIRD is disabled, the corresponding configuration tab will show the suffix "(INACTIVE)".
E.g., BIRD v2 (INACTIVE).

General tab

This option allows you to enable/disable the desired version of the BIRD dynamic routing engine.

After SNS firewalls in a version lower than SNS 4.8.1 are updated to SNS version 4.8.1 or higher, the configuration will be as follows:

  • BIRD v2: checkbox unselected by default.
  • BIRD v1: checkbox selected for firewalls that were initially configured only in IPv4, on which the IPv4 BIRD v1 configuration was active prior to the firmware update.
    The following checkboxes will appear only if firewalls were initially configured in IPv4 and IPv6:
    • IPv4: this checkbox is selected for firewalls on which only the IPv4 BIRD v1 configuration was active prior to the firmware update.
    • IPv6: this checkbox is selected for firewalls on which only the IPv6 BIRD v1 configuration was active prior to the firmware update.
    • IPv4 and IPv6: this checkbox is selected for firewalls on which the IPv4 and IPv6 BIRD v1 configuration was active prior to the firmware update.

BIRD v2 tab

This tab shows:

  • On the left side of the screen: a minimalist BIRD v2 configuration frame containing the basic mandatory sections,
  • On the right side of the screen: the firewall's original BIRD v1 configuration (IPv4 and/or IPv6).

This section also allows you to modify the firewall’s BIRD v2 configuration and validate it.

IPv4 BIRD v1 tab

This tab shows the original configuration on the firewall for the IPv4 dynamic routing managed by BIRD v1.

This section also allows you to edit and validate the configuration.

Optional IPv6 BIRD v1 tab

This tab shows the original configuration on the firewall for the IPv6 dynamic routing managed by BIRD v1.

This section also allows you to edit and validate the configuration.

It looks exactly like the IPv4 BIRD v1/IPv4 BIRD v1 (INACTIVE) tab.

Verification console

When you click on the Check configuration button in one of the BIRD configuration tabs, the verification console located at the bottom of the screen shows the syntax errors encountered, if any.

Errors are identified in the console by their line numbers and column numbers. Line numbers that contain errors are also highlighted in red in the configuration.

Migrating from BIRD v1 to BIRD v2

Stormshield recommends that you follow the method below:

Preparing the BIRD v2 configuration

  1. Go to the BIRD v2 (INACTIVE) tab.
  2. By following the BIRD v2 configuration syntax, transpose the information from your BIRD v1 configuration (window on the right) to the BIRD v2 configuration (window on the left) in stages. As a reminder, in BIRD v2, IPv4 and IPv6 dynamic routing settings have been grouped into a single bird.conf file, unlike BIRD v1, which uses two separate files: bird.conf for IPv4 and bird6.conf for IPv6.
    NOTE
    If you require assistance in this task, refer to the available resources, notably the BIRD v2 user guide published by BIRD, and the BIRD 1.6 to BIRD 2.0 transition notes.
  3. While you are making changes to the configuration, click on the Check configuration button regularly.
    At the bottom of the screen, the consistency checker will show you the syntax errors found in the BIRD v2 configuration.
    You cannot save configurations that contain syntax errors.
  4. When changes to the BIRD v2 configuration are made and validated (no errors shown in the Verification console), save the configuration by clicking on Apply, then Save.
    This operation creates a version of the BIRD v2 configuration that can be restored. If changes are made later to the BIRD v2 configuration, and you are unable to fix a configuration/syntax issue, the configuration at this stage can be restored by clicking on Go back to saved configuration.
  5. When the migration operation is complete, and you have saved your BIRD v2 configuration, you can enable BIRD v2 to check whether dynamic routing is running properly.
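
The transposition described in step 2, shown on a small OSPF setup. This is an added illustration, not taken from Stormshield's documentation or from a real firewall: the router ID, interface name, filter name, protocol names and password are all constructed. The BIRD v1 original is kept as comments above its BIRD v2 equivalent.

```conf
# ---- Before: BIRD v1 bird.conf (IPv4); bird6.conf held the IPv6 twin ----
# router id 192.0.2.1;
# filter lan_only { if net ~ [ 10.0.0.0/8+ ] then accept; reject; }
# protocol device { scan time 10; }
# protocol kernel { persist; export all; }
# protocol ospf core {
#     import all;
#     export filter lan_only;
#     area 0 {
#         interface "eth0" {
#             authentication cryptographic;
#             password "EXAMPLE-ONLY";
#         };
#     };
# }

# ---- After: BIRD v2, one bird.conf for IPv4 and IPv6 ----
router id 192.0.2.1;

filter lan_only {
    if net ~ [ 10.0.0.0/8+ ] then accept;
    reject;
}

protocol device { scan time 10; }

# One kernel protocol instance per address family, each with its channel.
protocol kernel kernel4 { ipv4 { export all; }; persist; }
protocol kernel kernel6 { ipv6 { export all; }; persist; }

# The OSPF version is explicit in v2: "ospf v2" for IPv4, "ospf v3" for IPv6.
protocol ospf v2 core4 {
    ipv4 {                        # import/export move into the channel
        import all;
        export filter lan_only;
    };
    area 0 {
        interface "eth0" {        # interface options stay where they were
            authentication cryptographic;
            password "EXAMPLE-ONLY";
        };
    };
}

# Former bird6.conf content (constructed), now in the same file.
protocol ospf v3 core6 {
    ipv6 { import all; export none; };
    area 0 { interface "eth0"; };
}
```

The Check configuration button reports syntax errors only, so compare each protocol's import/export filters and authentication settings against the BIRD v1 pane yourself before enabling BIRD v2.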

Checking the operation of dynamic routing

After you have enabled BIRD v2, if you detect issues with the way dynamic routing is running:

  1. In the General tab, disable BIRD v2 and enable BIRD v1 again to return to the state of the configuration before BIRD was migrated.
    You can then fix your BIRD v2 configuration, while the BIRD v1 dynamic routing configuration remains active.
  2. Enable BIRD v2 again once the configuration has been fixed.

These operations can be repeated as often as required.