You can configure security VNF on Edges configured with High Availability to provide redundancy.

You can configure VNF with HA on Edges in the following scenarios:

  • In a standalone Edge, enable HA and VNF.
  • In Edges configured with HA mode, enable VNF.

The following interfaces are enabled and used between the Edge and VNF instance:

  • LAN interface to VNF
  • WAN interface to VNF
  • Management Interface – VNF communicates with its manager
  • VNF Sync Interface – Synchronizes information between VNFs deployed on Active and Standby Edges

The Edges have the HA roles as Active and Standby. The VNFs on each Edge run with Active-Active mode. The Active and Standby Edges learn the state of the VNF through SNMP. The SNMP poll is done periodically for every 1 second by the VNF daemon on the edges.

VNF is used in the Active-Active mode with user traffic forwarded to a VNF only from the associated Edge in Active mode. On the standby VM, where the Edge in the VM is standby, the VNF will have only traffic to the VNF Manager and data sync with the other VNF instance.

The following example shows configuring HA and VNF on a standalone Edge.

Prerequisites

Ensure that you have the following:

  • SD-WAN Orchestrator and activated SD-WAN Edge running software version 4.0.0 or later. For more information on the supported Edge platforms, refer to the Support Matrix in Security VNFs.
  • Configured Check Point Firewall VNF Management service. For more information, see Configure VNF Management Service.
    Note: VMware supports only Check Point Firewall VNF on Edges with HA.

Procedure

  1. In the Enterprise portal, click Configure > Edges.
  2. Either click the Device Icon next to an Edge, or click the link to an Edge and then click the Device tab.
  3. In the Device tab, navigate to the High Availability section and choose the Active Standby Pair.
  4. Navigate to the Security VNF section and click Edit.
  5. In the Edge VNF Configuration page, click Deploy.
  6. Configure the following in VM Configuration:
    1. VLAN – Choose a VLAN, to be used for the VNF management, from the drop-down list.
    2. VM-1 IP, VM-2 IP – Enter the IP addresses of the VM1 and VM2. Ensure that the IP addresses are in the subnet range of the chosen VLAN.
    3. VM-1 Hostname, VM-2 Hostname – Enter the names for the VM hosts.
    4. Deployment State – Choose one of the following options:
      • Image Downloaded and Powered On – This option powers up the VM after building the firewall VNF on the Edge. The traffic transits the VNF only when this option is chosen, which requires at least one VLAN or routed interface be configured for VNF insertion.
      • Image Downloaded and Powered Off – This option keeps the VM powered down after building the firewall VNF on the Edge. Do not select this option if you intend to send traffic through the VNF.
    5. Security VNF – Choose a pre-defined Check Point Firewall VNF Management service from the drop-down list. You can also click New VNF Service to create a new VNF management service. For more information, see Configure VNF Management Service.
    6. Click Update.

Results

The Security VNF section displays the configured details:

Wait till the Edge assumes the Active role and then connect the Standby Edge to the same interface of the Active Edge. The Standby Edge receives all the configuration details, including the VNF settings, from the Active Edge. For more information on HA configuration, see Configure High Availability (HA).

When the VNF is down or not responding in the Active Edge, the VNF in the Standby Edge takes over the active role.

Note: When you want to turn off the HA in an Edge configured with VNF, turn off the VNF first and then turn off the HA.

What to do next

If you want to redirect multiple traffic segments to the VNF, define mapping between Segments and service VLANs. See Define Mapping Segments with Service VLANs

You can insert the security VNF into both the VLAN as well as routed interface to redirect the traffic from the VLAN or the routed interface to the VNF. See Configure VLAN with VNF Insertion.