Alternative to Portshield for High Availability
NSA 3700 with Stateful High Availability. I wanted to PortShield certain interfaces, but HA doesn't allow it. Is there any good workaround for this? One of the reasons is as an easy way to transition to the 10G interfaces. For instance, if the WAN is X1 and I upgrade to 10G connectivity, I'd want an easy way to flip the WAN to 10G. If port X26, for instance, is PortShielded to it, I should be able to just plug the ISP into X26 instead of X1 and be off to the races. But no, HA doesn't allow it.
Or is there some way I don't know of to easily reassign the port configuration (IP, default gateway, etc.) for the WAN without manually changing a whole bunch of things in NAT and route policies?
Best Answers
preston
Hi xdmfanboy, the option to enable PortShielding in HA is there on the DIAG page; you need to enable it, and while you are there also enable Native Bridging in HA (probably more useful in your scenario).
Even if the PortShielding option is enabled in Diag, it will error if you try to enable HA while PortShield is already enabled. To get round this, set up HA first and then set up PortShielding afterwards.
For your setup you could use Native Bridge mode to achieve what you are trying to do, and then you can have two interfaces set up, one Ethernet and one 10 Gbps fibre. As long as you have enabled the option to allow Native Bridging in HA, it won't error if you already have Native Bridge interfaces set up and then enable HA.
Hope all that made sense.
preston
Hi xdmfanboy, it is one of those things that, because of possible loops being created, would lead to more support calls, especially if things like STP etc. aren't configured on switches. So unless it is really needed, it is best to put it on the Diag page so that only advanced users enable it as and when it is really needed.
In your scenario, unless the interface has sub-interfaces, you can use the Native Bridge option to enable another interface with the same settings, so if you need to move the WAN to a fibre interface it will just be a matter of connecting to that port when needed. We do this all the time when our customers' ISP migrates them to fibre; we set it all up beforehand.
Answers
I have done similar to what you have done on a similar NSA model.
It was a DC firewall, fairly critical.
Yes, PortShield wasn't supported.
Interface change was done manually, after a review of the config.
I had to manually review the NAT and route policies after the change.
I raised a case with support to do a review beforehand and then made that change successfully.
Great! Do you know of any downsides to this? Otherwise, why do they hide it under Diag? I just did the conversion overnight, but luckily the switch to 10G connections wasn't on last night's agenda, so I have a little time.
Hi, can you tell me exactly where on the DIAG page the option is to enable PortShield after turning on HA? I am running FW 7.1.2 and I don't see it.
Is this option available in SonicOS 6.5? I'd rather not adjust every NAT/VPN rule (over 300) if possible.