We have been handling a cluster of TippingPoint NGFWs for quite a while now. These NGFW clusters are configured to function only as an inline Intrusion Detection/Prevention System. One thing I want to share is my experience with the configuration "Out-of-Sync" issue, which pops up every now and then whenever we make changes on the Active device and then "push configuration to peer" to the Passive device.
As observed from my end, this "Out-of-Sync" issue only occurs when I configure IPS filter exception rules on the Active device. In general, however, it is rectified by manually comparing the two devices' configurations. Below is my scenario and the steps I have undertaken.
After making changes on the Active NGFW, I manually pushed the configuration via the CLI.
NGFW1{}high-availability push-config
WARNING: The running configuration will be copied to the peer device and then saved on both devices. Continue (y/n)? [n]: y
Pushing configuration ..................................... SUCCESS
Then I verify if the cluster configuration is synchronized.
NGFW1{}show cluster
Cluster Status
--------------
Name: NGFW
Identifier: 1
State: Enabled
Master: NGFW1
Members
-------
Name: NGFW1
Identifier: 1
Uptime: 12 weeks, 3 days, 15 hours, 35 minutes, 45 seconds
Joined Time: Thu Oct 8 15:12:20 2016
SMS management: Disabled
Hardware Model: S8010F
Serial Number: N-S8010F-50R4-XXXX
Software Version: 1.2.3.xxxx
HA State: Active
Cluster State: Enabled
Health: Normal
Health Score: 100%
Configuration Sync: Out-of-Sync
Configuration Control: Remote
Configuration Hash: fee095f242d4aec3a9bcc2b3de782056
Name: NGFW2
Identifier: 2
Uptime: 12 weeks, 2 days, 18 hours, 36 minutes, 13 seconds
Joined Time: Thu Oct 8 15:12:20 2016
SMS management: Disabled
Hardware Model: S8010F
Serial Number: N-S8010F-50R4-XXXX
Software Version: 1.2.3.xxxx
HA State: Passive
Cluster State: Enabled
Health: Normal
Health Score: 100%
Configuration Sync: Out-of-Sync
Configuration Control: Local
Configuration Hash: e95329e8e05b2cb75dc45f9a9626a57a
Failover Groups
---------------
Identifier: 0
Name:
Base MAC:
Mode: Active-Passive
As we can see, the cluster has a configuration "Out-of-Sync" issue, with the configuration hashes not the same. And no matter how many times I pushed the configuration to the peer, this error did not resolve itself. In order to resolve this, I accessed the CLI on both devices (Active and Passive NGFW) and copied/logged the configuration from the terminal.
NGFW1{}edit
# Note: before running this, ensure session log to file is enabled
NGFW1{running}display
...<snipped>...
NGFW1{running}exit
NGFW1{}
Once you have the configurations (i.e. session logs) from both devices, use a text editor with compare functionality. On my end, I used the Notepad++ Compare plugin. Below is the disparity between the two devices' configurations.
As we can see, the filter exceptions are not being pushed to the Passive device. As such, I manually made configuration changes on the Passive NGFW to reflect the discrepancies.
After making the changes on the Passive device, checking the cluster status shows:
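The compare step above can be scripted instead of eyeballed in an editor. The following is an added example (not from the original post and not TippingPoint's own tooling): it takes the two session logs captured with `edit` / `display`, keeps only the output between the `display` echo and the next prompt, drops lines that legitimately differ between peers (the hostname), and reports which lines exist on the Active device but are missing on the Passive one. The prompt shape `NAME{context}command` is assumed from the session shown above; the config lines in the embedded sample logs are constructed placeholders in the spirit of the post, not real TOS syntax.

```python
import difflib
import hashlib
import re
import sys
from typing import List, Tuple

# Prompt echo at the start of a line, e.g. "NGFW1{}edit" or "NGFW2{running}display".
# Assumption: prompt shape taken from the session shown in the post.
PROMPT_RE = re.compile(r"^\S+\{[^}]*\}")

# Lines that legitimately differ between HA peers and must not count as drift.
# Assumption: extend this for whatever else your TOS version prints per device.
IGNORE_RE = re.compile(r"^\s*(hostname|host-name)\b", re.IGNORECASE)

# Constructed sample session logs (placeholder config syntax, not real TOS).
ACTIVE_LOG = """NGFW1{}edit
NGFW1{running}display
hostname NGFW1
interface 1A
  description uplink
ips filter 1234 exception source 10.10.0.0/16
ips filter 5678 exception source 192.0.2.10
ips filter 5678 exception destination 198.51.100.20
NGFW1{running}exit
NGFW1{}
"""

PASSIVE_LOG = """NGFW2{}edit
NGFW2{running}display
hostname NGFW2
interface 1A
  description uplink
ips filter 1234 exception source 10.10.0.0/16
NGFW2{running}exit
NGFW2{}
"""


def extract_config(session_log: str) -> List[str]:
    """Return the normalised config lines captured between `display` and the next prompt."""
    config: List[str] = []
    capturing = False
    for raw in session_log.splitlines():
        line = raw.rstrip()
        m = PROMPT_RE.match(line)
        if m:
            # A prompt line: we are inside display output only while the
            # command echoed on the most recent prompt is `display`.
            capturing = line[m.end():].strip() == "display"
            continue
        if not capturing or not line.strip() or IGNORE_RE.match(line):
            continue
        config.append(line)
    return config


def config_diff(active_log: str, passive_log: str) -> Tuple[List[str], List[str]]:
    """Return (lines on active missing from passive, lines on passive missing from active)."""
    active = extract_config(active_log)
    passive = extract_config(passive_log)
    active_set, passive_set = set(active), set(passive)
    missing_on_passive = [line for line in active if line not in passive_set]
    extra_on_passive = [line for line in passive if line not in active_set]
    return missing_on_passive, extra_on_passive


def unified(active_log: str, passive_log: str) -> str:
    """Unified diff from passive to active: '+' lines are what the passive peer still needs."""
    return "\n".join(difflib.unified_diff(
        extract_config(passive_log), extract_config(active_log),
        fromfile="passive", tofile="active", lineterm=""))


def fingerprint(session_log: str) -> str:
    """SHA-256 of the normalised config. This is NOT the device's own
    'Configuration Hash' (its algorithm is not documented here); it is only
    a quick equality check for scripting."""
    return hashlib.sha256("\n".join(extract_config(session_log)).encode()).hexdigest()


if __name__ == "__main__":
    # Usage: python diff_ha_config.py active.log passive.log  (falls back to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fp:
            active_log, passive_log = fa.read(), fp.read()
    else:
        active_log, passive_log = ACTIVE_LOG, PASSIVE_LOG
    missing, extra = config_diff(active_log, passive_log)
    print(unified(active_log, passive_log))
    print(f"\n{len(missing)} line(s) to apply on the passive peer, {len(extra)} extra on passive")
```

The set-based comparison ignores ordering, which is what you want when checking whether every exception rule made it across; the unified diff is kept for the human reading the output. Note that `fingerprint()` matching on both captures does not guarantee the device's own `Configuration Hash` will match, since that hash may cover state the `display` output does not show.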
NGFW1{}show cluster
Cluster Status
--------------
Name: NGFW
Identifier: 1
State: Enabled
Master: NGFW1
Members
-------
Name: NGFW1
Identifier: 1
Uptime: 12 weeks, 3 days, 15 hours, 45 minutes, 25 seconds
Joined Time: Thu Oct 8 15:12:20 2016
SMS management: Disabled
Hardware Model: S8010F
Serial Number: N-S8010F-50R4-XXXX
Software Version: 1.2.3.xxxx
HA State: Active
Cluster State: Enabled
Health: Normal
Health Score: 100%
Configuration Sync: In-Sync
Configuration Hash: fee095f242d4aec3a9bcc2b3de782056
Name: NGFW2
Identifier: 2
Uptime: 12 weeks, 2 days, 18 hours, 46 minutes, 13 seconds
Joined Time: Thu Oct 8 15:12:20 2016
SMS management: Disabled
Hardware Model: S8010F
Serial Number: N-S8010F-50R4-XXXX
Software Version: 1.2.3.xxxx
HA State: Passive
Cluster State: Enabled
Health: Normal
Health Score: 100%
Configuration Sync: In-Sync
Configuration Hash: fee095f242d4aec3a9bcc2b3de782056
Failover Groups
---------------
Identifier: 0
Name:
Base MAC:
Mode: Active-Passive
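Because the drift only shows up in `show cluster`, it is worth checking for it automatically rather than noticing it the next time someone logs in. The following is an added example (not from the original post and not a TippingPoint tool): it parses the Members section of the two `show cluster` outputs above (trimmed to the fields it uses) and reports any member not `In-Sync`, differing `Configuration Hash` values, or anything other than exactly one `Active` member. How the text reaches the script (pasted from a session log, or collected over SSH by whatever you already use) is left open; the exit code is meant for a monitoring job.

```python
import sys
from typing import Dict, List

# Trimmed from the `show cluster` output shown above (only the fields this check reads).
OUT_OF_SYNC = """Cluster Status
--------------
Name: NGFW
Master: NGFW1
Members
-------
Name: NGFW1
HA State: Active
Configuration Sync: Out-of-Sync
Configuration Hash: fee095f242d4aec3a9bcc2b3de782056
Name: NGFW2
HA State: Passive
Configuration Sync: Out-of-Sync
Configuration Hash: e95329e8e05b2cb75dc45f9a9626a57a
Failover Groups
---------------
Identifier: 0
Name:
Mode: Active-Passive
"""

# The post-fix output from above, derived from the sample by the two changes that occurred.
IN_SYNC = OUT_OF_SYNC.replace("Out-of-Sync", "In-Sync").replace(
    "e95329e8e05b2cb75dc45f9a9626a57a", "fee095f242d4aec3a9bcc2b3de782056")

SECTION_HEADERS = {"Cluster Status", "Members", "Failover Groups"}


def parse_members(show_cluster: str) -> List[Dict[str, str]]:
    """Parse the Members section into one dict per member, keyed by field name."""
    members: List[Dict[str, str]] = []
    section = None
    for raw in show_cluster.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            continue
        # Skip blanks, the dashed underline, anything outside Members, and non key:value lines.
        if not line or set(line) == {"-"} or section != "Members" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":  # each member block starts with its Name line
            members.append({})
        if members:
            members[-1][key] = value
    return members


def sync_problems(show_cluster: str) -> List[str]:
    """Return findings; an empty list means every member is In-Sync, hashes agree,
    and exactly one member is Active."""
    members = parse_members(show_cluster)
    findings: List[str] = []
    for m in members:
        if m.get("Configuration Sync") != "In-Sync":
            findings.append(f"{m['Name']}: Configuration Sync is {m.get('Configuration Sync')}")
    if len({m.get("Configuration Hash") for m in members}) > 1:
        findings.append("Configuration Hash differs: " + ", ".join(
            f"{m['Name']}={m.get('Configuration Hash')}" for m in members))
    active = [m["Name"] for m in members if m.get("HA State") == "Active"]
    if len(active) != 1:
        findings.append(f"expected exactly one Active member, found {active}")
    return findings


if __name__ == "__main__":
    # Feed real output on stdin; with no stdin, run against the sample from the post.
    text = sys.stdin.read() if not sys.stdin.isatty() else OUT_OF_SYNC
    problems = sync_problems(text)
    for finding in problems:
        print(finding)
    sys.exit(1 if problems else 0)
```

The hash comparison is deliberately separate from the `Configuration Sync` check: the post shows both flipping together, but a monitor that keys on only one of them would miss a state where the device reports `In-Sync` while the hashes still differ, or vice versa.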
This is a rudimentary fix to the issue. I have raised this issue with Trend Micro, who now owns TippingPoint. So far, I have to wait for the next firmware release.
HTH!