Background:

A high-profile customer wants to convert one of their VPNs (they have over 100) into an MPLS connection, since they are already paying for MPLS service.


Summary:

Step 1. Interface Change

Step 2. Dashboard Update

Step 3. Rules modification

Step 4. Static routes addition

Step 5. Remove previous VPN community


Step 1. Interface Change


- Log in to the primary firewall (ssh, or the Gaia WebUI in a browser)

- Configure the target interface (eth4-05) with its member IP and subnet mask (10.1.1.101/29 on the primary, matching the member IPs used in Step 2)
- High Availability > Advanced VRRP > Virtual Routers > Add > Interface: eth4-05 > Virtual Router ID: 90 > Backup Addresses > Add: 10.1.1.100 (the VRRP/cluster address) > Monitored Interfaces > Add: every other cluster interface > Save
- Then open each existing virtual router and add eth4-05 to its Monitored Interfaces > Save. This is easy to forget: if only VRID 90 monitors the new interface, an MPLS link failure moves VRID 90 to the secondary while the other VRIDs stay on the primary, and the cluster ends up split across both members.

##Note Start#######################################################################
(If you prefer the CLI to the GUI, the equivalent clish commands are below. The primary runs with priority 100; each monitored interface that goes down subtracts its priority-delta of 10.)
ssh to the primary firewall > clish > run the following commands
----------------------------------------------------
set vrrp interface eth4-05 monitored-circuit vrid 90 on
set vrrp interface eth4-05 monitored-circuit vrid 90 priority 100
set vrrp interface eth4-05 monitored-circuit vrid 90 hello-interval 1
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-01 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-01 priority-delta 10
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-02 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-02 priority-delta 10
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-03 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-03 priority-delta 10
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-04 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-04 priority-delta 10
... ...
set vrrp interface eth4-05 monitored-circuit vrid 90 backup-address 10.1.1.100 on

set vrrp interface eth2-01 monitored-circuit vrid 61 monitored-interface eth4-05 on
set vrrp interface eth2-01 monitored-circuit vrid 61 monitored-interface eth4-05 priority-delta 10
set vrrp interface eth2-02 monitored-circuit vrid 62 monitored-interface eth4-05 on
set vrrp interface eth2-02 monitored-circuit vrid 62 monitored-interface eth4-05 priority-delta 10
set vrrp interface eth2-03 monitored-circuit vrid 63 monitored-interface eth4-05 on
set vrrp interface eth2-03 monitored-circuit vrid 63 monitored-interface eth4-05 priority-delta 10
set vrrp interface eth2-04 monitored-circuit vrid 64 monitored-interface eth4-05 on
set vrrp interface eth2-04 monitored-circuit vrid 64 monitored-interface eth4-05 priority-delta 10
... ...

save config
exit
##Note end########################################################################


 

- Log in to the secondary firewall (ssh, or the Gaia WebUI in a browser)

- Configure the target interface (eth4-05) with its member IP and subnet mask (10.1.1.102/29 on the secondary, matching Step 2)
- High Availability > Advanced VRRP > Virtual Routers > Add > Interface: eth4-05 > Virtual Router ID: 90 > Backup Addresses > Add: 10.1.1.100 (the same VRRP/cluster address as on the primary) > Monitored Interfaces > Add: every other cluster interface > Save
- Then open each existing virtual router and add eth4-05 to its Monitored Interfaces > Save. The monitored-interface lists must be identical on both members; only the priority differs.



##Note Start#######################################################################
(If you prefer the CLI to the GUI, the equivalent clish commands are below. The secondary runs with priority 95, so a single monitored-interface failure on the primary (100 - 10 = 90) is enough to fail over.)
ssh to the secondary firewall > clish > run the following commands
------------------------------------------------------
set vrrp interface eth4-05 monitored-circuit vrid 90 on
set vrrp interface eth4-05 monitored-circuit vrid 90 priority 95
set vrrp interface eth4-05 monitored-circuit vrid 90 hello-interval 1
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-01 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-01 priority-delta 10
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-02 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-02 priority-delta 10
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-03 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-03 priority-delta 10
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-04 on
set vrrp interface eth4-05 monitored-circuit vrid 90 monitored-interface eth2-04 priority-delta 10
... ...
set vrrp interface eth4-05 monitored-circuit vrid 90 backup-address 10.1.1.100 on

set vrrp interface eth2-01 monitored-circuit vrid 61 monitored-interface eth4-05 on
set vrrp interface eth2-01 monitored-circuit vrid 61 monitored-interface eth4-05 priority-delta 10
set vrrp interface eth2-02 monitored-circuit vrid 62 monitored-interface eth4-05 on
set vrrp interface eth2-02 monitored-circuit vrid 62 monitored-interface eth4-05 priority-delta 10
set vrrp interface eth2-03 monitored-circuit vrid 63 monitored-interface eth4-05 on
set vrrp interface eth2-03 monitored-circuit vrid 63 monitored-interface eth4-05 priority-delta 10
set vrrp interface eth2-04 monitored-circuit vrid 64 monitored-interface eth4-05 on
set vrrp interface eth2-04 monitored-circuit vrid 64 monitored-interface eth4-05 priority-delta 10
... ...

save config
exit
##Note End###################################################################
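The two CLI blocks above are the same command set with one number changed, and the part that is elided ("... ...") is where a hand-typed configuration usually goes wrong: one member ends up monitoring an interface the other does not. The script below is an added example written for this runbook (it is not Check Point code) that generates both members' clish command sets from a single interface/VRID list, so the monitored-interface sets are symmetric by construction. It assumes the runbook's values: hello-interval 1, priority-delta 10, one backup address on the new VRID, priority 100 on the primary and 95 on the secondary; the interface/VRID pairs in member_config are the ones shown above and are only a sample.

```shell
#!/bin/sh
# Added example for this runbook (not Check Point code): generate the Gaia clish
# VRRP commands for a new monitored-circuit VRID on one cluster member, plus the
# reverse entries that add the new interface to every existing VRID. Generating
# both members' command sets from the same pair list keeps the monitored-interface
# sets symmetric, which is what the hand-typed blocks above rely on.
#
# Assumed from the runbook: hello-interval 1, priority-delta 10, one backup
# address per VRID, primary priority 100 / secondary priority 95.

# gen_vrrp_config <new_iface> <new_vrid> <priority> <vip> <iface:vrid>...
gen_vrrp_config() {
    iface=$1; vrid=$2; priority=$3; vip=$4
    shift 4
    printf 'set vrrp interface %s monitored-circuit vrid %s on\n' "$iface" "$vrid"
    printf 'set vrrp interface %s monitored-circuit vrid %s priority %s\n' "$iface" "$vrid" "$priority"
    printf 'set vrrp interface %s monitored-circuit vrid %s hello-interval 1\n' "$iface" "$vrid"
    # the new VRID monitors every existing interface ...
    for pair in "$@"; do
        other_if=${pair%%:*}
        printf 'set vrrp interface %s monitored-circuit vrid %s monitored-interface %s on\n' "$iface" "$vrid" "$other_if"
        printf 'set vrrp interface %s monitored-circuit vrid %s monitored-interface %s priority-delta 10\n' "$iface" "$vrid" "$other_if"
    done
    printf 'set vrrp interface %s monitored-circuit vrid %s backup-address %s on\n' "$iface" "$vrid" "$vip"
    # ... and every existing VRID monitors the new interface, so a failure of
    # the MPLS link fails the whole cluster over instead of only VRID 90
    for pair in "$@"; do
        other_if=${pair%%:*}; other_vrid=${pair##*:}
        printf 'set vrrp interface %s monitored-circuit vrid %s monitored-interface %s on\n' "$other_if" "$other_vrid" "$iface"
        printf 'set vrrp interface %s monitored-circuit vrid %s monitored-interface %s priority-delta 10\n' "$other_if" "$other_vrid" "$iface"
    done
    printf 'save config\n'
}

# member_config primary|secondary: same topology on both members, only the
# base priority differs. The interface/VRID list is a sample taken from the
# runbook's own examples; extend it with the real cluster interfaces.
member_config() {
    case $1 in
        primary)   prio=100 ;;
        secondary) prio=95 ;;
        *) echo "usage: member_config primary|secondary" >&2; return 1 ;;
    esac
    gen_vrrp_config eth4-05 90 "$prio" 10.1.1.100 eth2-01:61 eth2-02:62 eth2-03:63 eth2-04:64
}

# Print the command set for one member (default: primary). Redirect it to a
# file and run it on that member with `clish -f <file>`, or paste it into clish.
member_config "${1:-primary}"
```

Run it once per member (`sh gen.sh primary > hafw1.clish`, `sh gen.sh secondary > hafw2.clish`) and diff the two files: the only line that should differ is the `vrid 90 priority` line.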


Step 2. Update Dashboard


Open SmartConsole > GATEWAYS & SERVERS > double-click the cluster object > Network Management > Actions > New Interface > Name: eth4-05 > Network Type: Cluster > IPv4: 10.1.1.100 / 29 > Member IPs: 'hafw1' IPv4 10.1.1.101/29, 'hafw2' IPv4 10.1.1.102/29 > Topology: check "Override", select "This Network (Internal)" and "Specific: [Network_object]" > OK

NOTE: [Network_object] is a network (or a group of networks) containing every destination you plan to route over the MPLS via eth4-05. It is also the topology that anti-spoofing (enabled by default on a new interface) validates inbound source addresses against, so a subnet left out of the group will have its traffic from the MPLS side dropped as spoofed.


Step 3. Modify Rules


- Disable the current VPN rules for this peer (do not delete them yet; they are the rollback path until traffic over the MPLS has been verified)

- Create regular rules (copy the disabled VPN rules, keep source, destination and service, and set the VPN column to "Any Traffic" so the traffic no longer goes through the VPN)

- Install the policy on the cluster


Step 4. Add static route on gateways


ssh to the primary gateway > clish > set static-route 10.0.0.0/8 nexthop gateway address 10.1.1.97 on > save config

ssh to the secondary gateway > clish > set static-route 10.0.0.0/8 nexthop gateway address 10.1.1.97 on > save config

(10.1.1.97 is the MPLS provider's router on the 10.1.1.96/29 subnet shared with eth4-05. The route must be added on both members: Gaia routing configuration is per member and is not synchronised by the cluster.)

NOTE: I used the whole 10.0.0.0/8 network because, in a domain-based VPN, the decision to encrypt is made by matching the packet against the VPN domains of the remaining communities, not by the routing table; the static route only decides where traffic that is not in any remaining VPN domain is sent. So the 10.x hosts that are still in the other VPNs keep going through their tunnels, and the overlap does not cause issues. Be aware, though, that once the old community is removed in Step 5, every 10.x destination that is not in a remaining VPN domain and has no more specific route will be handed to the MPLS router, so use narrower routes if the MPLS side does not actually reach all of 10/8.
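Two things are worth checking before the route goes in and before the VPN community is removed: that the next hop really is on-link for the cluster interface subnet, and that the new static route covers every prefix the old VPN used to carry (anything it misses is blackholed the moment the community is gone). The script below is an added example for this runbook, not Check Point code; it runs in plain POSIX sh on any admin host. The OLD_VPN_DOMAIN list is constructed sample data, not the customer's real encryption domain, and it deliberately includes a 172.16 prefix so that the coverage check fails and shows the failure mode.

```shell
#!/bin/sh
# Added example for this runbook (not Check Point code): two pre-flight checks
# for the static route, done in plain POSIX sh so they can run on any admin
# host before anything is typed into clish:
#   1. the next hop (10.1.1.97) must lie in the cluster interface's subnet
#      (10.1.1.100/29), otherwise the route has no on-link gateway;
#   2. every prefix the old VPN carried must fall inside the new static route
#      (10.0.0.0/8 here), otherwise that prefix is blackholed once the VPN
#      community is removed in Step 5.
# OLD_VPN_DOMAIN is constructed sample data, not the customer's real domain.

# ip2int <a.b.c.d>: dotted quad to a 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_mask <len>: prefix length to an integer netmask
cidr_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# cidr_contains <net/len> <prefix/len | addr>: true if the second argument
# lies entirely inside the first (a bare address is treated as /32)
cidr_contains() {
    net=${1%/*}; nlen=${1#*/}
    case $2 in
        */*) sub=${2%/*}; slen=${2#*/} ;;
        *)   sub=$2; slen=32 ;;
    esac
    [ "$slen" -ge "$nlen" ] || return 1
    m=$(cidr_mask "$nlen")
    [ $(( $(ip2int "$sub") & m )) -eq $(( $(ip2int "$net") & m )) ]
}

# nexthop_on_link <iface addr/len> <nexthop>: the gateway must sit in the
# directly connected subnet of the interface that will carry the route
nexthop_on_link() {
    cidr_contains "$1" "$2"
}

# uncovered_prefixes <route> <prefix>...: print the prefixes the route does
# not cover (empty output means the route replaces the VPN completely)
uncovered_prefixes() {
    route=$1; shift
    for p in "$@"; do
        cidr_contains "$route" "$p" || echo "$p"
    done
}

# static_route_cmd <prefix> <nexthop>: the clish line from Step 4
static_route_cmd() {
    printf 'set static-route %s nexthop gateway address %s on\n' "$1" "$2"
}

# preflight <route> <iface addr/len> <nexthop> <old VPN prefix>...
# Prints the clish command only if both checks pass; otherwise explains why not.
preflight() {
    route=$1; ifaddr=$2; nexthop=$3; shift 3
    if ! nexthop_on_link "$ifaddr" "$nexthop"; then
        echo "next hop $nexthop is not on-link for $ifaddr" >&2
        return 1
    fi
    missing=$(uncovered_prefixes "$route" "$@")
    if [ -n "$missing" ]; then
        echo "not covered by $route (add a route for these or keep the VPN):" >&2
        echo "$missing" >&2
        return 1
    fi
    static_route_cmd "$route" "$nexthop"
}

# Constructed sample: prefixes the decommissioned VPN community used to carry.
# With this list preflight fails on 172.16.9.0/24, which is the point: a 10/8
# route alone does not replace a VPN whose domain also included 172.16 space.
OLD_VPN_DOMAIN="10.20.0.0/16 10.30.5.0/24 172.16.9.0/24"
preflight 10.0.0.0/8 10.1.1.100/29 10.1.1.97 $OLD_VPN_DOMAIN \
    || echo "preflight failed: fix the route list before running Step 4" >&2
```

Feed it the real encryption domain of the VPN being decommissioned (the networks in the peer's VPN domain object) and only apply Step 4 and Step 5 once it prints the `set static-route` line with nothing reported as uncovered.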


Step 5. Remove the previous VPN community


Once the logs show the customer's traffic matching the new rules from Step 3 (and not the VPN rules), remove the peer gateway from the VPN community (or delete the community if it was dedicated to this peer), delete the disabled VPN rules from Step 3, and install the policy.