Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

High Availability Design for SRX Series Firewalls

One of the most important considerations for WAN design is High Availability. High availability ensures business continuity and disaster recovery by maximizing the availability and increasing redundancy within and across different sites.

Juniper® SRX Series Firewall High Availability (HA) design example is for administrators who want to deploy HA Juniper SRX Series Firewall at the Edge, but not for Whitebox setups.

In this documentation, you’ll find step-by-step guidance for setting up a highly available hub and spoke deployment using SRX Series Firewalls. Since this HA deployment builds upon the configurations referenced in the Juniper® Mist WAN Assurance configuration, you'll need to configure your network with those settings first. In this example, you'll learn how to setup SRX Series Firewalls in an HA cluster configuration.

Overview

You will deploy a highly available Hub and Spoke as shown in Figure 1. Here we see the SRX Series highly available Juniper Mist WAN Assurance topology for this HA Design Guide.

Figure 1: Juniper Validated Design Mist WAN Assurance with HA SRX Series WAN Edges Juniper Validated Design Mist WAN Assurance with HA SRX Series WAN Edges
Note:

Before you get started, be sure you’ve setup the topology described in the Juniper WAN Assurance Configuration Guide.

The topology uses one standalone and one high-available cluster setup of spoke and high-available cluster setup of hub on the other side.

The supported SRX Series high-available clustering for the WAN edge deployment requires local Layer2 adjacency for a spoke or a hub setup.

Before You Begin

  • Understand how to configure high-availability cluster with SRX Series Firewalls.
  • You'll need a dedicated HA-control interface that is defined by the device type. This interface is connected usually using a patch cable between the two devices. You must use the same port for HA control interface. To know which port your device supports, see Understanding SRX Series Chassis Cluster Slot Numbering and Physical Port and Logical Interface Naming.

    The WAN edge configuration might automatically select the fabric interface next to the HA control interface. For details, log in https://manage.mist.com and refer documentation.

  • You'll need a dedicated fabric-data interface. This interface is connected usually using a patchable between the two devices. For WAN edge configuration, selecting any port as fabric port is not supported. We recommend using the port the one next to the control port. Also see Chassis Cluster Fabric Interfaces.
  • Similar to virtual chassis, the ports on the secondary node are renumbered after the formation of chassis cluster.
  • Building the Cluster always involves the configuring two nodes and rebooting them after initial commands issues to build the cluster. See Example: Setting the Node ID and Cluster ID for Security Devices in a Chassis Cluster .

Interface Details for HA Cluster

Following samples show interfaces usage for the chassis cluster configuration.

Note:

Only the WAN1, WAN0 and LAN1 are changeable in the List below if they do not conflict with others which are not changeable.

Once you configure chassis cluster and reboot both the nodes, the second node (node 1) renumbers its interfaces as shown in the following sample. You have to use the interface numbering when you configure the second WAN/LAN interface in the Juniper Mist portal.

HA Interfaces

Each path and Node in an HA network require their own designated WAN interface. This ensures Active/Active usage, meaning that these interfaces stay active and engaged, no matter what. The WAN interfaces can contain either a static IP address or be linked to a DHCP-Lease, giving you flexibility in how you manage them.

In certain scenarios, you may be limited to just one WAN IP address, especially for MPLS Networks. In these cases, you can configure the interface as a shared VRRP interface between two Nodes. This sets up an Active/Passive usage of the links, maintaining the balance and ensuring continuity. A second IP address for that second node enhances your setup's performance even further.

Configure High Availability

You should have already configured Networks, Applications, Sites, Variables, Hub Profiles and WAN Edge Templates. If these steps are new to you, please follow the Mist WAN Configuration Guide first before proceeding with the HA design guide. See WAN Assurance Configuration Overview.

The following steps outline the process of creating high availability cluster.

Create a New Hub Profile

Now it’s time to add the second Node in your highly available Hub. In this next step, you’ll create a new Hub profile by cloning the existing one. Then, you’ll modify the clone to meet new requirements for the HA hub.

  1. In the Juniper Mist cloud portal, click Organization > WAN > Hub Profiles.
    Figure 2: Configure Hub Profiles Configure Hub Profiles

    A list of existing hub profiles, if any, appears.

  2. Click the hub profile ( hub1) that you want to clone.
    Figure 3: Select Hub Profile for Cloning Select Hub Profile for Cloning
  3. In the upper right corner of the screen, click More and select Clone.
    Figure 4: Selecting Clone Option Selecting Clone Option
  4. Name the new profile ( hahub.) and click Clone.
    Figure 5: Rename Cloned Hub Profile Rename Cloned Hub Profile
    Note:

    After you clone, refresh your browser. This makes sure everything updates properly.
  5. Modify the new profile and create four new WAN interfaces. Delete the existing WAN interfaces from the clone and configure the WAN interfaces according to the details provided in Table 1.
    Table 1: WAN Interfaces Details in Hub Profile
    Option First WAN Second WAN
    Name: (This indicates which topology it uses.) INET MPLS
    Interface ge-0/0/0, ge-5/0/0 ge-0/0/3,ge-5/0/3
    Redundant Enabled Enabled
    RE Index (as a convention, use the last octet as index) 0 0

    For the WAN interfaces, we've added a redundant interface according to the secondary node interface naming convention used for SRX340 to SRX380. Ensure that you use correct interfaces as per the SRX Series device you are configuring.

    Note:

    IP Address, prefix, gateway and public IP address remain same.

    The portal generates the overlay hub endpoints as hahub-INET and hahub-MPLS automatically.

    Figure 6 shows WAN interface configuration.

    Figure 6: WAN Interface Configuration (First) WAN Interface Configuration (First)
    Figure 7: WAN Interface Configuration (Second) WAN Interface Configuration (Second)
  6. Complete the configuration for the LAN interface.
    Figure 8: LAN Interface Configuration LAN Interface Configuration

    Configure LAN interface with the following details:

    • Interfaces: ge-0/0/4,ge-5/0/4
    • Redundant: Enabled
    • RE Index: 4 (As a convention, use the last octet as an index).
    Note:

    IP address and prefix do not change.
    Figure 9: LAN Interface Configuration LAN Interface Configuration
  7. Update the traffic steering rules for the new endpoint names.
    Figure 10: Traffic Steering Rules Traffic Steering Rules
  8. Retain the application policies rules.
    Figure 11: Application Policies Rules Application Policies Rules

Create Spoke Template

With our HA Hubs in place, it’s time to create matching spoke templates, one spoke in standalone and the other in high availability cluster setup. We create the new spoke template by cloning the existing one and then modifying the cloned template. In this example, we clone the existing template called “Spokes”.

  1. Create two matching spoke templates. You need spoke template for the device in standalone mode and another spoke template for devices in high availability cluster.

    In the Juniper Mist™ portal, click Organization > WAN > WAN Edge Templates. A list of existing templates, if any, appears.

    Figure 12: Accessing WAN Edge Templates Accessing WAN Edge Templates
  2. Create the new SpokeTemplate by cloning the existing template and modifying the clone. Simply select the existing profile Spokes and select Clone.
    Figure 13: WAN Edge Templates WAN Edge Templates
  3. In the upper right corner of the screen, click More and select Clone.
    Figure 14: Cloning Existing WAN Edge Template Cloning Existing WAN Edge Template
  4. Name the new Hub Profile: haspoke.
    Figure 15: Renaming Cloned Template Renaming Cloned Template

    Best practice: Refresh your browser after cloning. This ensures that objects are refreshed.

  5. Modify the new profile and create four new WAN interfaces. Delete the existing WAN interfaces from the clone and configure the WAN interfaces according to the details provided in Table 1.
    Table 2: WAN Interfaces Details in Hub Profile
    Option First WAN Second WAN
    Name: (This indicates which topology it uses.) INET MPLS
    Interface ge-0/0/0, ge-5/0/0 ge-0/0/3,ge-5/0/3
    Redundant Enabled Enabled
    RE Index (as a convention, use the last octet as index) 0 0
    Overlay Hub Endpoints hahub-INET hahub-MPLS
    Note:

    IP configuration does not change.

    For the WAN interfaces, we've added a redundant interface according to the secondary node interface naming convention used for SRX340 to SRX380 devices. Ensure that you use correct interfaces as per the SRX Series device you are configuring.

    Figure 6 shows WAN interface configuration.

    Figure 16: WAN Interface Configuration (First) WAN Interface Configuration (First)
    Figure 17: WAN Interface Configuration (Second) WAN Interface Configuration (Second)
  6. Modify LAN interface configurations. The LAN configuration follows a similar pattern as WAN Interface.
    • Interfaces—ge-0/0/4,ge-5/0/4
    • Redundant—Enabled
    • RE Index—4 (use the last octet as index)
    • IP Address and Prefix do not change.
    Figure 18: LAN Interface Configuration LAN Interface Configuration

    shows LAN interface configuration.

    Figure 19: LAN Interface Configuration LAN Interface Configuration
  7. Modify the traffic steering profile named “Overlay” to use only the two new Hub endpoints.
    Figure 20: Traffic Steering Profile Traffic Steering Profile

    shows that the traffic steering rules now point to the HA hub endpoints—hahub-INET and hahub-MPLS.

    Figure 21: Modified Traffic Steering Rules Modified Traffic Steering Rules
  8. Retain the application policies without making any changes.
  9. Assign the spoke template to site. Scroll to the top of the WAN Edge Templates page and click Assign to Sites under Spokes pane.
    Figure 22: Assign Spoke Template to Sites Assign Spoke Template to Sites
  10. In the Assign Template to Sites, check that you are using the haspoke template and select the site spoke2-site before you hit Apply.
    Figure 23: Selecting Site for Assigning Spoke Template Selecting Site for Assigning Spoke Template
  11. Check that your Template has now at least 1 Site assigned.
    Figure 24: Spoke Templates Applied to Sites Spoke Templates Applied to Sites

Create the Second Spoke Template

Now it’s time to clone our WAN Edge template for our redundant spoke node.

  1. In the Juniper Mist cloud portal, click Organization > WAN > WAN Edge Templates. A list of existing templates, if any, appears.
    Figure 25: WAN Edge Template WAN Edge Template
  2. Create the new Spoke Template by cloning the existing and modifying the clone. Click on the existing profile haspoke.
    Figure 26: Select WAN Edge Template for Cloning Select WAN Edge Template for Cloning
  3. In the upper right corner of the screen, click More and select Clone.
    Figure 27: Cloning WAN Edge Template Cloning WAN Edge Template
  4. Name the new template as spoke-to-hahub and click Clone.
    Figure 28: Renaming Cloned Template Renaming Cloned Template

    If you see any errors while naming the profile, refresh your browser.

    There are not many differences between this template and the former template; except the Hub Endpoints for the WAN interfaces.

  5. Modify the interfaces for the template.

    Change the Overlay Hub EndPoints as following:

    • For the interface INET—hahub-INET
    • For the interface MPLS—hahub-MPLS
    Figure 29: Modify WAN Interfaces Modify WAN Interfaces
    Figure 30: Edit WAN Interfaces Edit WAN Interfaces

    shows configured WAN interfaces.

    Figure 31: WAN Interfaces Configuration WAN Interfaces Configuration
  6. The LAN interfaces are no longer redundant. No changes required for them.
    Figure 32: LAN Interfaces LAN Interfaces
  7. Modify the traffic steering profile (Overlay) to use only the two new hub endpoints (hahub).
  8. Application Policies are the same as in the last Template and do not change the rules.
  9. Assign the spoke template to site. Scroll to the top of the WAN Edge Templates page and click Assign to Sites under Spokes pane
    Figure 33: Assign Template to Site Assign Template to Site
  10. In the Assign Template to Sites pane, ensure that you are using the spoke-to-hahub template and select the site spoke1-site
    Figure 34: Assign Templates to Site Assign Templates to Site
  11. Click Apply.
  12. Ensure that your template is now assigned to a site. Check that your Template now has at least 1 Site assigned as shown in the following illustration:
    Figure 35: Spoke Templates Applied to Sites Spoke Templates Applied to Sites

    The following image shows the list of configured spoke templates:

    Figure 36: List of WAN Edge Templates List of WAN Edge Templates

Onboard your Devices

We assume that you have your SRX Series Firewall already onboarded to the Juniper Mist™ cloud. We also assume that the physical connections such as cabling are already in place and that you are using valid interfaces for the high availability. All devices that are part of high availability cluster starts in standalone mode and the Mist cloud portal configuration enables devices to operate in cluster mode.

You can Claim or Adopt to onboard devices into your organization inventory. For details on getting your SRX Series Firewall up and running in the Mist cloud, see Cloud-Ready SRX Firewalls.

  1. In the Juniper Mist portal. click Organization > Admin >Inventory.
    Figure 37: Navigating to Inventory Navigating to Inventory
  2. Refresh your browser and check under WAN Edges to find out if your SRX Series Firewall is part of the inventory. Ensure you set the view as org (Entire Org) as shown in Figure 38.
    Figure 38: SRX Series in Inventory SRX Series in Inventory
  3. Select the two devices/nodes together for the HA hub and click Assign to Site.
    Figure 39: Assigning SRX Series Firewalls (HA Pair) to Site Assigning SRX Series Firewalls (HA Pair) to Site
  4. In Assign WAN Edges page, select hub1-site and enable the Create Cluster option.
    Figure 40: Assign Spoke Devices to Site and Initiate Cluster Formation Assign Spoke Devices to Site and Initiate Cluster Formation
  5. Click Assign to Site.

    The portal displays the details of WAN edge devices assigned to site and progress of cluster formation. You can close this dialog box.

    Figure 41: HA Cluster Formation for Assigned Devices HA Cluster Formation for Assigned Devices
  6. In the Juniper Mist portal, click Organization > WAN > Hub Profiles. The Hub Profile displays the list of existing profiles.
    Figure 42: Navigating to Hub Profiles Navigating to Hub Profiles
  7. Click the hub profile (hahub) that you want to assign to a site.
    Figure 43: Select Hub Profile Select Hub Profile
  8. Under the Applies To option, select the site (hub1-site) from the list of available sites.
    Figure 44: Select Sites for Applying Hub Profile Select Sites for Applying Hub Profile
  9. Check if have correct WAN Edge device selected, and click Save.
    Figure 45: Select WAN Edge Device to Apply Template Select WAN Edge Device to Apply Template
  10. You should now see the HA devices assigned to their Hub Profile in the as shown in Figure 46.
    Figure 46: Hub Profile Assignment Summary Hub Profile Assignment Summary
    Note:

    Wait for some time until the setup is up and running! Rebooting a cluster setup takes longer time than a standalone device.
  11. In the Juniper Mist portal. click Organization > Admin > Inventory.
  12. Select the spoke device (SPOKE1) and click Assign to Site.
    Figure 47: Assign Spoke Device To Site Assign Spoke Device To Site
  13. In Assign WAN Edges page, select spoke1-site.
    Figure 48: Assign WAN Edge Device to Site Assign WAN Edge Device to Site

    For now, do not select the Manage configuration with Mist option. You can enable this option later. We recommend selecting Use site settings for App Track License.

  14. Click Assign to Site.

    The system confirms the assignment to the site as shown in

    Figure 49: Assigned to Site Assigned to Site
  15. Select the two spoke devices that will form cluster (Spoke-Cluster) and click Assign to Site.
    Figure 50: Assign Spoke Devices to Site Assign Spoke Devices to Site
  16. In the Assign WAN Edges, select spoke2-site and enable Create Cluster .
    Figure 51: Assign two Spoke Devices to Site and Initiate Cluster Formation Assign two Spoke Devices to Site and Initiate Cluster Formation
  17. Go to Inventory Page. Figure 52 shows the details of devices assigned to site and high availability pairs.
    Figure 52: Inventory Display of HA Pair Details Inventory Display of HA Pair Details
  18. Verify the correct device is selected, click the Enable Configuration Management option.
  19. Save your changes.
    Figure 53: Saving Spoke Device Configuration Changes Saving Spoke Device Configuration Changes

    Now you have a topology with highly available hub and spoke of SRX Series using the WAN Assurance solution.

  20. (Optional) In Juniper Mist portal, go to WAN Edges and select hub1-site.
  21. Change the name as "HUB1HA” and save the changes. Similarly, you can rename spoke2-site as "SPOKE2HA".
    Figure 54: Renaming Hub and Spoke HA Cluster Setup Renaming Hub and Spoke HA Cluster Setup Renaming Hub and Spoke HA Cluster Setup

    High availability cluster formation might take approximately 30 minutes or more.

    If you review the spoke template assignments, you can notice that a cluster setup is considered as a single device.

    Figure 55: WAN Edge Template Assignments WAN Edge Template Assignments

    In the device inventory you can see the cluster setup displayed as single device. But the system displays MAC addresses of both devices that are part of cluster setup.

    Figure 56: Device Inventory Device Inventory

    On the dashboard, for example, for the spoke devices that are part of high availability cluster, you can see the notion of primary and secondary device.

    Figure 57: Example of SRX345 High Availability Cluster Display Details. Example of SRX345 High Availability Cluster Display Details.

    The Properties pane displays the two devices that are part of high availability cluster.

    Figure 58: Properties Pane Properties Pane

Replace an SRX Series Firewall Node in a High Availability Cluster

You can replace an SRX Series Firewall device from a high availability cluster setup with few simple steps.

Before you replace a SRX Series Firewall node from the cluster, you must:

  • Remove the cluster fabric cables from the node being replaced and connect it to the new replacement node.
  • Make sure that the replacement SRX Series Firewall is both the same model as the device being replaced and has a same Junos OS version.
Note: Replacing a node in a high availability setup cause minimal impact on network services. Therefore, we recommend that you plan for a maintenance window to do this task.
To replace an SRX Series Firewall node in a cluster:
  1. In the Juniper Mist portal, on the left navigation bar, go to Organization > Admin >Inventory and select WAN Edges tab.
    Alternatively, select WAN Edges > WAN Edges page.
    The page displays a list of WAN edge devices. You can set the view as org (Entire Org) or Site in the inventory page.
  2. Click the high availability pair that you want to replace.
  3. Select Utilities > Replace WAN Edge.
  4. On the Replace WAN Edge window, select the old SRX Series node that you want to replace and select the new replacement device’s MAC address from the MAC Address of unassigned WAN Edge drop-down list.
    Figure 59: Replace SRX Series Firewall in HA with Another Device Replace SRX Series Firewall in HA with Another Device

    After you click Replace, allow about 15 minutes to complete the replacement procedure.

    Refresh your browser and check under WAN Edges to find out if your SRX Series Firewall high availability setup is updated and available as a part of the inventory.

Replace a Standalone SRX Series Firewall

You can replace connected or disconnected SRX Series Firewall with another SRX Series Firewall of the same model.

  1. In the Juniper Mist portal, on the left navigation bar, go to Organization > Admin >Inventory and select WAN Edges tab.
    Alternatively, you can also go to WAN Edges > WAN Edges page.
    The page displays a list of WAN edge devices. You can set the view as org (Entire Org) or Site in the inventory page.
  2. Click the SRX Series Firewall that you want to replace.
  3. Select Utilities > Replace WAN Edge.
  4. On the Replace WAN Edge window, select the new replacement device’s MAC address from the MAC Address of unassigned WAN Edge drop-down list.
    Figure 60: Replace a Standalone SRX Series Firewall Replace a Standalone SRX Series Firewall

    Juniper Mist portal displays a list of supported models available in the inventory page in unassigned state.

    After you click Replace, allow about 15 minutes to complete the replacement procedure. System copies the configuration of the replaced SRX Series firewall into the new device. The replaced SRX Series continues to be part of the site in unassigned state.

    Refresh your browser and check under WAN Edges to find out if your SRX Series Firewall is available as a part of the inventory.

Delete a High Availability Cluster

  1. In the Juniper Mist portal, on the left navigation bar, go to Organization > Admin >Inventory and select WAN Edges tab.
    Alternatively, select WAN Edges > WAN Edges page.
    The page displays a list of WAN edge devices. You can set the view as org (Entire Org) or Site in the inventory page.
  2. Select the high availability pair and click Delete Cluster under More.

    Click Confirm on the Confirm Delete Cluster message.

    Figure 61: Delete SRX Series Cluster Delete SRX Series Cluster

    Juniper Mist re-provisions the devices as standalone devices in the same site.

    Refresh your browser and check under WAN Edges to find out if your SRX Series Firewalls are available as standalone devices in the inventory.

See Also