Configuring High Availability

Genian ZTNA can be set up using two Appliances in an active/standby configuration, one acting as the primary and the other as the secondary. The two Appliances communicate with each other to synchronize data, and the secondary takes over (failover) if the primary suffers a system failure. The HA parameters are:

  • Group – VRRP Group ID; must be the same on both Appliances
  • Linkupdelay – Time to wait after the link comes up before the interface takes part in HA
  • No-Virtual-Mac – Do not replace the interface MAC address with the Virtual MAC when switching to Master
  • Nopreempt – The device currently acting as Master keeps the role regardless of priority, so a higher-priority device that comes back online does not take over until the Master fails
  • Priority – Priority value; the highest value becomes Master
  • Timeout – Time to wait without receiving VRRP packets from the Master before failing over
  • Virtual-IP – Shared IP address through which devices and the management UI reach whichever Appliance is currently Master
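To make the interaction of these parameters concrete, here is an added Python model of the election and failover behaviour they describe (timeout, linkupdelay, priority, nopreempt). It is an illustration written for this page, not Genians code, and it simplifies VRRP to one-second ticks; the names PRIMARY/SECONDARY and the values 200/100, group 20, timeout 20 and linkupdelay 30 are the ones used in the configuration later on this page.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Simplified VRRP-style model of the HA parameters (assumption: one tick = one
# second; illustration code for this page, not the appliance's implementation).


@dataclass
class Node:
    name: str
    priority: int                 # highest eligible priority wins the election
    alive: bool = True
    link_up_since: int = -10**9   # tick the interface came up (up "forever" by default)


@dataclass
class HaGroup:
    group: int               # VRRP group id, must match on both nodes
    timeout: int             # seconds without VRRP packets before the backup takes over
    linkupdelay: int         # seconds a link must be up before the node may take part
    nopreempt: bool          # current Master keeps the role regardless of priority
    nodes: List[Node]
    master: Optional[str] = None
    last_heard: int = 0      # tick at which the Master last advertised
    events: List[Tuple[int, str, str]] = field(default_factory=list)

    def _eligible(self, now: int) -> List[Node]:
        return [n for n in self.nodes
                if n.alive and now - n.link_up_since >= self.linkupdelay]

    def _promote(self, node: Node, now: int, reason: str) -> None:
        self.master = node.name
        self.last_heard = now
        self.events.append((now, node.name, reason))

    def tick(self, now: int) -> None:
        elig = self._eligible(now)
        cur = next((n for n in elig if n.name == self.master), None)
        if cur is not None:                     # Master is alive and advertising
            self.last_heard = now
            best = max(elig, key=lambda n: n.priority)
            if best is not cur and not self.nopreempt:
                self._promote(best, now, "preempted")
            return
        # No Master yet, or the Master's advertisements have stopped.
        if self.master is not None and now - self.last_heard < self.timeout:
            return                              # backups still wait out the timeout
        if elig:
            self._promote(max(elig, key=lambda n: n.priority), now,
                          "election" if self.master is None else "failover")


def run_scenario(nopreempt: bool, linkupdelay: int = 30):
    """PRIMARY (priority 200) dies at t=10 and comes back at t=40; SECONDARY has 100.

    Returns (events, final master); events are (tick, node, reason) tuples."""
    primary, secondary = Node("PRIMARY", 200), Node("SECONDARY", 100)
    ha = HaGroup(group=20, timeout=20, linkupdelay=linkupdelay,
                 nopreempt=nopreempt, nodes=[primary, secondary])
    for now in range(0, 101):
        if now == 10:
            primary.alive = False               # e.g. appliance loses power
        if now == 40:
            primary.alive = True                # back online; linkupdelay starts now
            primary.link_up_since = now
        ha.tick(now)
    return ha.events, ha.master


if __name__ == "__main__":
    for flag in (True, False):
        events, master = run_scenario(nopreempt=flag)
        print(f"nopreempt={flag}: {events} -> final Master {master}")
```

Running it shows the failover to SECONDARY at t=29, i.e. 20 seconds after the last advertisement, and that with nopreempt enabled the recovered PRIMARY never takes the Master role back from a healthy SECONDARY. Without nopreempt the higher priority preempts, but only once linkupdelay has expired (t=70 with the 30-second delay, t=40 without it), which is the window in which a flapping interface would otherwise cause repeated role changes.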

Note

HA is not supported on an All-in-One Appliance (Policy Server and Network Sensor on the same system).

Serial Connection to the Server if SSH is not available

  • Protocol: Serial
  • Port: COM1
  • Baud Rate: 115200 (9600 for Mini-PC)
  • Data Bits: 8
  • Parity: None
  • Stop Bits: 1

How to configure Servers for High Availability

  1. Connect the prepared equipment to the network.
  2. Connect to the Command Line Interface of each Server.
  3. Run show configuration to see the current configuration. (Record the Master Server's device-id; it must be the same on both Policy Servers.)
  4. Enter Global Config mode: configure terminal
  5. On each Server enter the following configurations:

Master Policy Server

1. Interactive Wizard
2. Manual Configuration

Select installation type: 2

Enter administrator username (4-31 characters) [admin]: admin

# Password must contain at least one letter, one number and one special character
Enter administrator password (minimum 9 characters): *********
Re-enter Password:

Welcome to Genian ZTNA
Username: admin
Password:
The privileged EXEC mode password is the same as the console login password.
For security reasons please change your password.

Type ‘enable’ to access privileged EXEC mode for password change.
genian> enable
Password:
genian# configure terminal

genian(config)# hostname PRIMARY
PRIMARY(config)# interface eth0 address [IP address] [Subnetmask]
PRIMARY(config)# interface eth0 gateway [Gateway IP]
PRIMARY(config)# ip default-gateway [Gateway IP]
PRIMARY(config)# ip name-server [DNS IP]
PRIMARY(config)# data-server username [username]
PRIMARY(config)# data-server enable
PRIMARY(config)# data-server password [password]
PRIMARY(config)# data-server access-list [Secondary DB IP,Admin IP]
PRIMARY(config)# data-server replica serverid 1
PRIMARY(config)# data-server replica enable
PRIMARY(config)# log-server enable
PRIMARY(config)# log-server cluster-peers [Primary Policy Server real IP,Secondary Log Server real IP]
PRIMARY(config)# log-server publish-port eth0
PRIMARY(config)# interface eth0 management-server enable
PRIMARY(config)# interface eth0 node-server enable
PRIMARY(config)# interface eth0 ha priority 200
PRIMARY(config)# interface eth0 ha group 20
PRIMARY(config)# interface eth0 ha linkupdelay 30
PRIMARY(config)# interface eth0 ha nopreempt enable
PRIMARY(config)# interface eth0 ha timeout 20
PRIMARY(config)# interface eth0 ha virtual-ip [Virtual IP]

PRIMARY(config)# show configuration
cli-pass change interval 0D
cli-pass history num 0
cli-pass minimum age 0D

data-server enable
data-server password ******
data-server replica enable
data-server replica serverid 1
data-server username root

device-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (use the same device-id on both Policy Servers)

hostname PRIMARY

interface eth0 address [IP address] [Subnetmask]
interface eth0 gateway [Gateway IP]
interface eth0 ha group 20
interface eth0 ha linkupdelay 30
interface eth0 ha nopreempt enable
interface eth0 ha priority 200
interface eth0 ha timeout 20
interface eth0 ha virtual-ip [Virtual IP]
interface eth0 management-server enable
interface eth0 node-server enable

ip default-gateway [Gateway IP]
ip name-server [DNS IP]

log-server enable
log-server cluster-name GENIAN
log-server cluster-peers [Primary Policy Server real IP,Secondary Log Server real IP]
log-server publish-port eth0

Secondary Policy Server

1. Interactive Wizard
2. Manual Configuration

Select installation type: 2

Enter administrator username (4-31 characters) [admin]: [Admin ID]
# Password must contain at least one letter, one number and one special character
Enter administrator password (minimum 9 characters):
Re-enter Password:

Welcome to Genian ZTNA
Username: [Admin ID]
Password:
The privileged EXEC mode password is the same as the console login password.
For security reasons please change your password.

Type ‘enable’ to access privileged EXEC mode for password change.
genian> en
Password:
genian# configure terminal

genian(config)# hostname SECONDARY
SECONDARY(config)# device-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (From PRIMARY server)
SECONDARY(config)# interface eth0 address [IP address] [Subnetmask]
SECONDARY(config)# interface eth0 gateway [Gateway]
SECONDARY(config)# ip default-gateway [Gateway]
SECONDARY(config)# ip name-server [DNS]
SECONDARY(config)# data-server username [username]
SECONDARY(config)# data-server enable
SECONDARY(config)# data-server password [password]
SECONDARY(config)# data-server access-list [Primary DB IP,Admin IP]
SECONDARY(config)# data-server replica serverid 2
SECONDARY(config)# data-server replica enable
SECONDARY(config)# data-server replica masterhost [PRIMARY DB IP]
SECONDARY(config)# data-server replica username [PRIMARY DB username]
SECONDARY(config)# data-server replica password [PRIMARY DB password]
SECONDARY(config)# log-server enable
SECONDARY(config)# log-server cluster-peers [Secondary Policy Server real IP,Primary Log Server real IP]
SECONDARY(config)# log-server publish-port eth0
SECONDARY(config)# interface eth0 management-server enable
SECONDARY(config)# interface eth0 node-server enable
SECONDARY(config)# interface eth0 ha priority 100
SECONDARY(config)# interface eth0 ha group 20
SECONDARY(config)# interface eth0 ha linkupdelay 30
SECONDARY(config)# interface eth0 ha nopreempt enable
SECONDARY(config)# interface eth0 ha timeout 20
SECONDARY(config)# interface eth0 ha virtual-ip [Virtual IP]

SECONDARY(config)# show configuration
cli-pass change interval 0D
cli-pass history num 0
cli-pass minimum age 0D


data-server enable
data-server access-list [Admin IP]
data-server password ******
data-server replica enable
data-server replica masterhost [PRIMARY DB IP]
data-server replica password ******
data-server replica serverid 2
data-server replica username [username]
data-server username [username]

device-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

hostname SECONDARY

interface eth0 address [IP address] [Subnetmask]
interface eth0 gateway [Gateway]
interface eth0 ha group 20
interface eth0 ha linkupdelay 30
interface eth0 ha nopreempt enable
interface eth0 ha priority 100
interface eth0 ha timeout 20
interface eth0 ha virtual-ip [Virtual IP]
interface eth0 management-server enable
interface eth0 node-server enable

ip default-gateway [Gateway]
ip name-server [DNS]

log-server enable
log-server cluster-name [Cluster name]
log-server cluster-peers [Secondary Policy Server real IP,Primary Log Server real IP]
log-server publish-port eth0

Primary Sensor

device-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

interface eth0 vlan 10,11,12
interface eth0.10 address [IP address] [Subnetmask]
interface eth0.10 gateway [Gateway]
interface eth0.10 ha group 100
interface eth0.10 ha priority 200
interface eth0.11 address [IP address] [Subnetmask]
interface eth0.11 gateway [Gateway]
interface eth0.12 address [IP address] [Subnetmask]
interface eth0.12 gateway [Gateway]

ip default-gateway [Gateway]
ip name-server [DNS]

node-server ip [Policy Server IP]

Secondary Sensor

device-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

interface eth0 vlan 10,11,12
interface eth0.10 address [IP address] [Subnetmask]
interface eth0.10 gateway [Gateway]
interface eth0.10 ha group 100
interface eth0.10 ha priority 100
interface eth0.11 address [IP address] [Subnetmask]
interface eth0.11 gateway [Gateway]
interface eth0.12 address [IP address] [Subnetmask]
interface eth0.12 gateway [Gateway]

ip default-gateway [Gateway IP]
ip name-server [DNS IP]

node-server ip [Policy server IP]

Attention

Network Sensor HA is available in a multi-VLAN environment. Failover takes place under the following conditions:
- The Network Sensor is down.
- The link or interface between the Network Sensor and the switch is down.
- If HA is enabled on all VLAN interfaces, failover proceeds as soon as even one of the interfaces is down.
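Because an HA pair only works when both show configuration dumps agree on the shared values (group, virtual-ip, timeout, linkupdelay, device-id) and differ on the per-node ones (hostname, priority, replica serverid), it is worth checking the two dumps mechanically before running a failover test. The following Python script is an added example for this page, not a Genians tool: it parses two captured dumps (constructed here, with made-up 10.10.10.0/24 addresses and device-id) and reports every inconsistency. Called with role="sensor" and iface="eth0.10" it checks a sensor pair the same way, skipping the replication and device-id checks because the page states the shared device-id requirement only for Policy Servers.

```python
from typing import Dict, List

# Constructed "show configuration" excerpts in the format shown above; the
# 10.10.10.0/24 addresses and the device-id are made up for this example.
PRIMARY_CFG = """
data-server access-list 10.10.10.12,10.10.10.100
data-server replica enable
data-server replica serverid 1
device-id 3b0d5a6e-0000-4000-8000-000000000001
hostname PRIMARY
interface eth0 address 10.10.10.11 255.255.255.0
interface eth0 ha group 20
interface eth0 ha linkupdelay 30
interface eth0 ha nopreempt enable
interface eth0 ha priority 200
interface eth0 ha timeout 20
interface eth0 ha virtual-ip 10.10.10.10
"""

SECONDARY_CFG = """
data-server access-list 10.10.10.11,10.10.10.100
data-server replica enable
data-server replica masterhost 10.10.10.11
data-server replica serverid 2
device-id 3b0d5a6e-0000-4000-8000-000000000001
hostname SECONDARY
interface eth0 address 10.10.10.12 255.255.255.0
interface eth0 ha group 20
interface eth0 ha linkupdelay 30
interface eth0 ha nopreempt enable
interface eth0 ha priority 100
interface eth0 ha timeout 20
interface eth0 ha virtual-ip 10.10.10.10
"""


def parse_config(text: str) -> Dict[str, str]:
    """'interface eth0 ha group 20' -> {'interface eth0 ha group': '20'}.

    'interface X address IP MASK' keeps both values as 'IP/MASK'; a bare
    'data-server replica enable' becomes {'data-server replica': 'enable'}."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2:
            continue
        if toks[0] == "interface" and len(toks) == 5 and toks[2] == "address":
            cfg[" ".join(toks[:3])] = f"{toks[3]}/{toks[4]}"
        else:
            cfg[" ".join(toks[:-1])] = toks[-1]
    return cfg


def check_ha_pair(primary_text: str, secondary_text: str,
                  iface: str = "eth0", role: str = "policy-server") -> List[str]:
    """Return every HA inconsistency between the two dumps (empty list = consistent)."""
    p, s = parse_config(primary_text), parse_config(secondary_text)
    problems: List[str] = []

    def must_match(key: str) -> None:
        if p.get(key) != s.get(key):
            problems.append(f"{key}: primary={p.get(key)} secondary={s.get(key)}")

    # Shared VRRP settings must be identical on both sides ...
    for param in ("group", "virtual-ip", "timeout", "linkupdelay", "nopreempt"):
        must_match(f"interface {iface} ha {param}")
    # ... while identity and priority must differ (highest priority is the Master).
    if "hostname" in p and p["hostname"] == s.get("hostname"):
        problems.append("hostnames must differ")
    pri, sec = p.get(f"interface {iface} ha priority"), s.get(f"interface {iface} ha priority")
    if pri is None or sec is None:
        problems.append(f"interface {iface} ha priority is missing on one side")
    elif int(pri) <= int(sec):
        problems.append(f"primary priority {pri} must be higher than secondary {sec}")
    if role != "policy-server":
        return problems
    # Policy Server pair only: shared device-id and DB replication towards the primary.
    must_match("device-id")
    if p.get("data-server replica serverid") == s.get("data-server replica serverid"):
        problems.append("data-server replica serverid must differ")
    p_ip = p.get(f"interface {iface} address", "/").split("/")[0]
    if s.get("data-server replica masterhost") != p_ip:
        problems.append(f"secondary replica masterhost must be the primary address {p_ip}")
    s_ip = s.get(f"interface {iface} address", "/").split("/")[0]
    if s_ip not in p.get("data-server access-list", "").split(","):
        problems.append(f"primary data-server access-list must include {s_ip}")
    return problems


if __name__ == "__main__":
    print(check_ha_pair(PRIMARY_CFG, SECONDARY_CFG) or "pair is consistent")
```

The access-list check is the one most often missed: if the primary's data-server access-list does not contain the secondary's real address, replication is refused at the database and the HA pair silently runs with a stale secondary.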

How to test HA

Run show ha Status on both servers. Group, LinkupDelay, Timeout and VirtualIP must be identical on both, exactly one server must report MASTER, and Preempt: 0 corresponds to ha nopreempt enable. The values below correspond to the configuration entered above.

——————PRIMARY———————
PRIMARY# show ha Status

Status: MASTER
Priority: 200
Group: 20
LinkupDelay: 30
Timeout: 20
Preempt: 0
VirtualIP: [Virtual IP]

——————SECONDARY———————
SECONDARY# show ha Status

Status: SLAVE
Priority: 100
Group: 20
LinkupDelay: 30
Timeout: 20
Preempt: 0
VirtualIP: [Virtual IP]

How to test DB replication

——————PRIMARY———————
PRIMARY(config)# show dataserver replicastatus
Replication health is good. (Confirm that this message is displayed.)
==================== Primary Replication Status ====================
Host                     : [Master DB IP displayed]
File                     : mysqld.000009
Position                 : 123456 (Must match the Secondary's Read_Master_Log_Pos and keep increasing on both servers as changes are written.)

==================== Secondary Replication Status ====================
Host                     : [Slave DB IP displayed]
Slave_IO_Running         : Yes
Slave_IO_State           : Waiting for master to send event
Slave_SQL_Running        : Yes
Slave_SQL_Running_State  : Slave has read all relay log; waiting for the slave I/O thread to update it
Master_Log_File          : mysqld.000009
Read_Master_Log_Pos      : 123456 (Must match the Primary's Position and keep increasing in step with it.)
Relay_Master_Log_File    : mysqld.000009
Exec_Master_Log_Pos      : 123456
Last_Errno               : 0
Last_Error               :
Last_IO_Errno            : 0
Last_IO_Error            :
Last_SQL_Errno           : 0
Last_SQL_Error           :
Relay_Log_File           : mysqld-relay-bin.000026
Relay_Log_Pos            : 123456
——————SECONDARY———————
SECONDARY# show dataserver replicastatus
Replication health is good. (Confirm that this message is displayed.)

==================== Primary Replication Status ====================
Host                     : [Master DB IP displayed]
File                     : mysqld.000009 (Check Primary Replication Files)
Position                 : 123456 (Check Primary Replication Position)

==================== Secondary Replication Status ====================
Host                     : [Slave DB IP displayed]
Slave_IO_Running         : Yes (Must be Yes)
Slave_IO_State           : Waiting for master to send event
Slave_SQL_Running        : Yes (Must be Yes)
Slave_SQL_Running_State  : Slave has read all relay log; waiting for the slave I/O thread to update it
Master_Log_File          : mysqld.000009 (Must be the same as the Primary's replication File)
Read_Master_Log_Pos      : 123456
Relay_Master_Log_File    : mysqld.000009
Exec_Master_Log_Pos      : 123456
Last_Errno               : 0
Last_Error               :
Last_IO_Errno            : 0
Last_IO_Error            :
Last_SQL_Errno           : 0
Last_SQL_Error           :
Relay_Log_File           : mysqld-relay-bin.000026
Relay_Log_Pos            : 123456

Attention

Run the database replication check command on both the Primary and the Secondary.
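The checks described above (both replication threads Yes, zero error counters, the Secondary's log file and position matching the Primary's) can be automated over a captured show dataserver replicastatus output, which is handy for a monitoring job on an admin host. The script below is an added example, not Genians code: HEALTHY is a constructed capture in the format shown above, and BROKEN is the same capture after a constructed SQL-thread failure, to show what the check reports when replication has stalled.

```python
import re
from typing import Dict, List

# Constructed capture in the format of "show dataserver replicastatus" above
# (addresses and log positions are made up).
HEALTHY = """\
Replication health is good.
==================== Primary Replication Status ====================
Host                     : 10.10.10.11
File                     : mysqld.000009
Position                 : 123456

==================== Secondary Replication Status ====================
Host                     : 10.10.10.12
Slave_IO_Running         : Yes
Slave_IO_State           : Waiting for master to send event
Slave_SQL_Running        : Yes
Slave_SQL_Running_State  : Slave has read all relay log; waiting for the slave I/O thread to update it
Master_Log_File          : mysqld.000009
Read_Master_Log_Pos      : 123456
Relay_Master_Log_File    : mysqld.000009
Exec_Master_Log_Pos      : 123456
Last_Errno               : 0
Last_Error               :
Last_IO_Errno            : 0
Last_IO_Error            :
Last_SQL_Errno           : 0
Last_SQL_Error           :
Relay_Log_File           : mysqld-relay-bin.000026
Relay_Log_Pos            : 123456
"""


def _set(text: str, key: str, value: str) -> str:
    """Rewrite the value of one 'Key : value' line (used only to build the sample)."""
    return re.sub(rf"^({re.escape(key)}\s*:).*$", lambda m: f"{m.group(1)} {value}",
                  text, flags=re.M)


# Same capture after a constructed SQL-thread failure: the I/O thread still
# pulls the primary's binlog, so Read_Master_Log_Pos advances while
# Exec_Master_Log_Pos stays behind and the error counter is non-zero.
BROKEN = HEALTHY
for _k, _v in (("Position", "130000"), ("Read_Master_Log_Pos", "130000"),
               ("Slave_SQL_Running", "No"), ("Last_SQL_Errno", "1062"),
               ("Last_SQL_Error", "Duplicate entry (constructed)")):
    BROKEN = _set(BROKEN, _k, _v)

SECTION = re.compile(r"^=+\s*(\w+) Replication Status\s*=+$")


def parse_replica_status(text: str) -> Dict[str, Dict[str, str]]:
    """Split the output into {'Primary': {...}, 'Secondary': {...}} key/value maps."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sections


def lag_bytes(text: str) -> int:
    """Binlog bytes the secondary has not applied yet (primary Position - Exec_Master_Log_Pos)."""
    st = parse_replica_status(text)
    return int(st["Primary"]["Position"]) - int(st["Secondary"]["Exec_Master_Log_Pos"])


def replication_problems(text: str, max_lag_bytes: int = 0) -> List[str]:
    """Apply the checks from the text above and return what is wrong (empty = healthy)."""
    st = parse_replica_status(text)
    pri, sec = st.get("Primary", {}), st.get("Secondary", {})
    if not pri or not sec:
        return ["output lacks the Primary or Secondary section"]
    problems: List[str] = []
    for thread in ("Slave_IO_Running", "Slave_SQL_Running"):
        if sec.get(thread) != "Yes":
            problems.append(f"{thread} is {sec.get(thread)!r}, must be Yes")
    for errno in ("Last_Errno", "Last_IO_Errno", "Last_SQL_Errno"):
        if sec.get(errno, "0") != "0":
            detail = sec.get(errno.replace("Errno", "Error"), "")
            problems.append(f"{errno}={sec[errno]} {detail}".strip())
    for key in ("Master_Log_File", "Relay_Master_Log_File"):
        if sec.get(key) != pri.get("File"):
            problems.append(f"{key} {sec.get(key)} differs from primary File {pri.get('File')}")
    lag = lag_bytes(text)
    if lag > max_lag_bytes:
        problems.append(f"secondary is {lag} bytes behind the primary binlog position")
    return problems


if __name__ == "__main__":
    for name, capture in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(name, replication_problems(capture) or "OK")
```

Because the two sections are read one after the other, a busy primary can show a small positive lag even when replication is fine; max_lag_bytes lets a monitoring job tolerate that, whereas a stopped thread or a non-zero Last_*_Errno is always reported.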

Bonding Configuration

Bonding is a technology that logically combines multiple physical interfaces into one logical interface. It is used to keep the service available when one physical interface fails.

Bonding settings

Policy Server & Network Sensor

genians(config)#interface bond0 slave eth0,eth1
genians(config)#interface bond0 address [PolicyServer IP] [Subnetmask]
genians(config)#interface bond0 gateway [gateway IP]
genians(config)#bonding parameters mode=1

#Bonding parameter#
#mode=0: balance-rr (round-robin; traffic is spread over all member links)
#mode=1: active-backup (recommended; one link carries traffic, the other takes over on link failure)

Warning

  • No settings should exist on the member interfaces before they are added to the Bond.
  • An Appliance reboot is required to apply the Bonding parameters.
  • In some environments (virtual appliances), using Bonded interfaces may impair other, non-bonded interfaces.

Checking Bonding Interface Status

A Bonding interface runs in either Active/Active or Active/Backup mode. Below is an example of how to check the current status, with example output. Note that the output shown is from a round-robin (mode=0) bond of eth1 and eth2; with the recommended active-backup (mode=1) setting the Bonding Mode line reads fault-tolerance (active-backup) and an additional Currently Active Slave line shows which member is carrying the traffic.

Genians$ cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:0c:29:21:be:a9
Slave queue ID: 0

Slave Interface: eth2
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:0c:29:21:be:b3
Slave queue ID: 0
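Reading /proc/net/bonding/bond0 by eye is fine once; for the Bonding settings above it is more useful to turn the checks into a script that says whether the bond still has redundancy, since an active-backup bond keeps reporting MII Status: up after one member has already failed. The Python below is an added example, not Genians code: ACTIVE_BACKUP is a constructed file for a mode=1 bond of eth0 and eth1 (made-up MAC addresses) in the format the Linux bonding driver prints, and DEGRADED is the same bond after eth0 lost link.

```python
from typing import Dict, List

# Constructed /proc/net/bonding/bond0 for a mode=1 (active-backup) bond of
# eth0 and eth1, in the format the Linux bonding driver prints; MACs are made up.
ACTIVE_BACKUP = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:0c:29:aa:bb:01
Slave queue ID: 0

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:0c:29:aa:bb:02
Slave queue ID: 0
"""

# The same bond after eth0 lost link: the driver switched to eth1 and the bond
# is still "up", but a second failure would now take the appliance offline.
DEGRADED = (ACTIVE_BACKUP
            .replace("Currently Active Slave: eth0", "Currently Active Slave: eth1")
            .replace("Slave Interface: eth0\nMII Status: up", "Slave Interface: eth0\nMII Status: down")
            .replace("Link Failure Count: 0\nPermanent HW addr: 00:0c:29:aa:bb:01",
                     "Link Failure Count: 1\nPermanent HW addr: 00:0c:29:aa:bb:01"))


def _kv(block: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for line in block.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def parse_bond(text: str) -> dict:
    """Return bond-level fields plus one dict per slave, keyed by interface name."""
    blocks = [b for b in text.strip().split("\n\n") if b.strip()]
    bond = _kv("\n".join(b for b in blocks if not b.startswith("Slave Interface:")))
    slaves = [_kv(b) for b in blocks if b.startswith("Slave Interface:")]
    return {"mode": bond.get("Bonding Mode"), "mii": bond.get("MII Status"),
            "active": bond.get("Currently Active Slave"),
            "slaves": {s["Slave Interface"]: s for s in slaves}}


def bond_problems(text: str) -> List[str]:
    """Checks a practitioner wants after 'cat /proc/net/bonding/bond0' (empty = healthy)."""
    b = parse_bond(text)
    problems: List[str] = []
    if b["mii"] != "up":
        problems.append(f"bond MII status is {b['mii']}")
    if "active-backup" not in (b["mode"] or ""):
        problems.append(f"mode is {b['mode']!r}, not active-backup (mode=1) as recommended")
    up = [name for name, s in b["slaves"].items() if s.get("MII Status") == "up"]
    for name, s in b["slaves"].items():
        if s.get("MII Status") != "up":
            problems.append(f"slave {name} is down")
        if s.get("Link Failure Count", "0") != "0":
            problems.append(f"slave {name} has {s['Link Failure Count']} link failure(s)")
    if len(up) < 2:
        problems.append(f"only {len(up)} slave(s) up: no redundancy left")
    if b["active"] and b["active"] not in up:
        problems.append(f"active slave {b['active']} is not up")
    return problems


if __name__ == "__main__":
    for name, content in (("healthy", ACTIVE_BACKUP), ("degraded", DEGRADED)):
        print(name, bond_problems(content) or "OK")
```

On a real appliance, feed the script the contents of /proc/net/bonding/bond0 instead of the constructed strings; a non-zero Link Failure Count on a member that is up again is still worth reporting, because it records a flap that the Active/Backup switch has since hidden.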