You can configure a security VNF on Edges that are configured with High Availability (HA) so that the VNF is redundant along with the Edge.

You can configure VNF with HA on Edges in the following scenarios:

  • In a standalone Edge, enable HA and VNF.
  • In Edges configured with HA mode, enable VNF.

The following interfaces are enabled and used between the Edge and VNF instance:

  • LAN interface to VNF
  • WAN interface to VNF
  • Management Interface – VNF communicates with its manager
  • VNF Sync Interface – Synchronizes information between VNFs deployed on Active and Standby Edges

The Edges hold the HA roles Active and Standby. The VNF instances on both Edges run in Active-Active mode. Each Edge learns the state of its VNF through SNMP: the VNF daemon on the Edge polls the VNF once every second.

Although the VNFs run Active-Active, user traffic is forwarded to a VNF only from the Edge that currently holds the Active role. The VNF on the Standby Edge carries only its management traffic to the VNF Manager and the state synchronization with the other VNF instance.

The following example shows configuring HA and VNF on a standalone Edge.

Prerequisites

Ensure that you have the following:

  • SASE Orchestrator and activated SD-WAN Edge running software version 4.0.0 or later. For more information on the supported Edge platforms, refer to the Support Matrix in Security Virtual Network Functions.
  • Configured Check Point Firewall VNF Management service. For more information, see Configure VNF Management Service.
    Note: VMware supports only Check Point Firewall VNF on Edges with HA.

Procedure

  1. In the SD-WAN Service of the Enterprise portal, click Configure > Edges.
  2. In the Edges page, click the link to the Edge you want to configure, or click the View link in the Device column for that Edge. The configuration options for the selected Edge are displayed in the Device tab.
  3. Scroll down to the High Availability section and from the Select Type options, choose the Active Standby Pair.
  4. Navigate to the Security VNF section and click + Configure Security VNF. The Configure Security VNF window appears.
  5. In the Configure Security VNF window, select the Deploy check box.
  6. Under VM Configuration, configure the following settings:
    1. VLAN – Choose a VLAN, to be used for the VNF management, from the drop-down list.
    2. VM-1 IP – Enter the IP address of the VM and ensure that the IP address is in the subnet range of the chosen VLAN.
    3. VM-1 Hostname – Enter a name for the VM host.
    4. Deployment State – Choose one of the following options:
      • Image Downloaded and Powered On – Powers up the VM after the firewall VNF is built on the Edge. Traffic transits the VNF only when this option is chosen, and only if at least one VLAN or routed interface is configured for VNF insertion.
      • Image Downloaded and Powered Off – Keeps the VM powered down after the firewall VNF is built on the Edge. Do not select this option if you intend to send traffic through the VNF.
  7. Under Security VNF, choose a pre-defined Check Point Firewall VNF Management service from the drop-down list. You can also click New VNF Service to create a new VNF management service. For more information, see Configure VNF Management Service.
  8. Click Update.
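The procedure above states several constraints that are easy to get wrong in the form (the HA type, the vendor allowed with HA, the VM-1 IP having to fall inside the management VLAN's subnet, and Powered On only being useful with an insertion interface). The following pre-flight check is an added example, not VMware code: it validates a configuration against those constraints before you click Update. The dictionary layout, key names and the sample configurations are this example's own assumptions, not the Orchestrator's schema.

```python
"""Pre-flight check of a Security VNF + HA configuration (added example,
not VMware code).  It encodes the constraints the procedure states before
anything is pushed to the Edge.  The dict layout and key names are this
example's own assumptions, not the Orchestrator's schema."""
import ipaddress
from typing import List

HA_TYPE_REQUIRED = "Active Standby Pair"
SUPPORTED_HA_VENDOR = "Check Point"      # the only VNF vendor supported with HA
POWERED_ON = "Image Downloaded and Powered On"
POWERED_OFF = "Image Downloaded and Powered Off"


def check_vnf_ha_config(cfg: dict) -> List[str]:
    """Return the list of problems found; an empty list means the config passes."""
    problems: List[str] = []

    if cfg.get("ha_type") != HA_TYPE_REQUIRED:
        problems.append(f"High Availability type must be '{HA_TYPE_REQUIRED}'")
    if not cfg.get("deploy"):
        problems.append("the Deploy check box is not selected")
    if cfg.get("vnf_service", {}).get("vendor") != SUPPORTED_HA_VENDOR:
        problems.append(f"only {SUPPORTED_HA_VENDOR} Firewall VNF is supported on Edges with HA")
    if not cfg.get("vm1_hostname"):
        problems.append("VM-1 Hostname is empty")

    # VM-1 IP must sit inside the management VLAN's subnet, and must not be
    # the network, broadcast or gateway address of that VLAN.
    vlan = cfg.get("management_vlan", {})
    try:
        net = ipaddress.ip_network(vlan.get("subnet", ""), strict=False)
        ip = ipaddress.ip_address(cfg.get("vm1_ip", ""))
        if ip not in net:
            problems.append(f"VM-1 IP {ip} is outside VLAN {vlan.get('id')} subnet {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"VM-1 IP {ip} is the network or broadcast address of {net}")
        elif vlan.get("gateway") and ip == ipaddress.ip_address(vlan["gateway"]):
            problems.append(f"VM-1 IP {ip} collides with the VLAN gateway")
    except ValueError as exc:
        problems.append(f"VLAN subnet or VM-1 IP is malformed: {exc}")

    # Traffic transits the VNF only when the VM is powered on AND at least one
    # VLAN or routed interface is configured for VNF insertion.
    state = cfg.get("deployment_state")
    inserted = cfg.get("vnf_insertion_interfaces", [])
    if state == POWERED_ON and not inserted:
        problems.append("Powered On requires at least one VLAN or routed interface with VNF insertion")
    elif state == POWERED_OFF and inserted:
        problems.append("VNF insertion is configured but the VM will be powered off; no traffic will transit the VNF")
    elif state not in (POWERED_ON, POWERED_OFF):
        problems.append(f"unknown Deployment State {state!r}")
    return problems


# Constructed sample configurations (not taken from any real Orchestrator).
GOOD_CFG = {
    "ha_type": "Active Standby Pair",
    "deploy": True,
    "management_vlan": {"id": 100, "subnet": "10.10.100.0/24", "gateway": "10.10.100.1"},
    "vm1_ip": "10.10.100.10",
    "vm1_hostname": "cp-fw-vnf-1",
    "deployment_state": POWERED_ON,
    "vnf_service": {"name": "CheckPoint-Mgmt", "vendor": "Check Point"},
    "vnf_insertion_interfaces": ["VLAN 200", "GE3"],
}

BAD_CFG = {
    **GOOD_CFG,
    "ha_type": "None",                 # HA not set to Active Standby Pair
    "vm1_ip": "10.10.200.10",          # not inside the VLAN 100 subnet
    "vnf_insertion_interfaces": [],    # powered on, but nothing redirects traffic
}

if __name__ == "__main__":
    for name, cfg in (("GOOD_CFG", GOOD_CFG), ("BAD_CFG", BAD_CFG)):
        print(name, check_vnf_ha_config(cfg) or "OK")
```

Run it against your own values before clicking Update; the subnet check uses the VLAN's configured prefix, so a VM-1 IP typed into the wrong VLAN shows up as "outside VLAN ... subnet" rather than as a VNF that silently never reaches its manager.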

Results

The Security VNF section displays the configured details for the Check Point Firewall Security VNF.

Wait until the Edge assumes the Active role, and then connect the Standby Edge to the Active Edge's HA interface. The Standby Edge receives all the configuration details, including the VNF settings, from the Active Edge. For more information on HA configuration, see Activate High Availability.

When the VNF on the Active Edge goes down or stops responding to the SNMP poll, HA fails over: the Standby Edge becomes Active and its VNF instance takes over forwarding user traffic.
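The failover just described, together with the one-second SNMP poll explained earlier on this page, is modelled below as an added example; this is not VMware code. The Edge's VNF daemon performs a real SNMP GET; here that is replaced by a constructed poll result (the VNF's sysUpTime, or None when no reply arrived) so the model runs offline. The miss threshold before a VNF is declared down, the sysUpTime-reset check that flags a rebooted VNF, and the rule that the Standby takes over only if its own VNF is healthy are this example's own assumptions, as is the absence of preemption once the original Edge recovers.

```python
"""Model of the VNF health poll and HA failover (added example, not VMware code).

The Edge's VNF daemon polls its VNF over SNMP once a second; HA fails over
when the Active Edge's VNF stops responding.  The SNMP GET is replaced by
a constructed poll result so this runs offline.  DOWN_AFTER_MISSES, the
sysUpTime-reset detection and the no-preemption behaviour are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

POLL_INTERVAL_S = 1          # one SNMP poll per second
DOWN_AFTER_MISSES = 3        # assumption: consecutive missed polls before "down"


@dataclass
class Edge:
    name: str
    role: str                           # "Active" or "Standby"
    vnf_up: bool = True
    misses: int = 0                     # consecutive polls with no reply
    last_uptime: Optional[int] = None   # last sysUpTime seen, in ticks


@dataclass
class HaPair:
    active: Edge
    standby: Edge
    events: List[str] = field(default_factory=list)

    def poll(self, replies: Dict[str, Optional[int]]) -> None:
        """One poll round: replies maps edge name -> sysUpTime ticks, or None."""
        for edge in (self.active, self.standby):
            uptime = replies.get(edge.name)
            if uptime is None:
                edge.misses += 1
                if edge.misses >= DOWN_AFTER_MISSES and edge.vnf_up:
                    edge.vnf_up = False
                    self.events.append(f"{edge.name}: VNF down after {edge.misses} missed polls")
                continue
            # A reply with a smaller sysUpTime than last time means the VNF rebooted.
            if edge.last_uptime is not None and uptime < edge.last_uptime:
                self.events.append(f"{edge.name}: VNF restarted (sysUpTime reset)")
            edge.last_uptime = uptime
            edge.misses = 0
            if not edge.vnf_up:
                edge.vnf_up = True
                self.events.append(f"{edge.name}: VNF up")
        self._failover_if_needed()

    def _failover_if_needed(self) -> None:
        """The Standby takes over only if its own VNF is healthy (assumption)."""
        if self.active.vnf_up or not self.standby.vnf_up:
            return
        self.active, self.standby = self.standby, self.active
        self.active.role, self.standby.role = "Active", "Standby"
        self.events.append(f"failover: {self.active.name} is now Active")

    def carries_user_traffic(self, edge_name: str) -> bool:
        """Only the VNF behind the Active Edge sees user traffic; the Standby
        VNF talks only to its manager and syncs state with its peer."""
        return edge_name == self.active.name and self.active.vnf_up


def run_scenario() -> List[str]:
    """Constructed timeline: edge1's VNF stops answering, HA fails over to
    edge2, then edge1's VNF comes back rebooted but stays Standby."""
    pair = HaPair(Edge("edge1", "Active"), Edge("edge2", "Standby"))
    timeline = [
        {"edge1": 100, "edge2": 100},    # both VNFs healthy
        {"edge1": 200, "edge2": 200},
        {"edge1": None, "edge2": 300},   # edge1's VNF stops replying
        {"edge1": None, "edge2": 400},
        {"edge1": None, "edge2": 500},   # third miss: down, failover
        {"edge1": 50, "edge2": 600},     # edge1's VNF back with sysUpTime reset
    ]
    for replies in timeline:             # one entry per POLL_INTERVAL_S
        pair.poll(replies)
    assert pair.active.name == "edge2"
    assert pair.carries_user_traffic("edge2") and not pair.carries_user_traffic("edge1")
    return pair.events


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Two points in the model are the ones worth checking on a real deployment: a VNF that answers SNMP but has just rebooted (sysUpTime went backwards) has lost its session state even though it looks "up", and a failover is only useful if the Standby VNF itself is reachable, which is why the Standby VNF stays powered on and synced with its peer rather than idle.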

Note: When you want to turn off HA on an Edge that has a VNF configured, turn off the VNF first, and then turn off HA.

What to do next

If you want to redirect multiple traffic segments to the VNF, define the mapping between Segments and service VLANs. See Define Mapping Segments with Service VLANs.

You can insert the security VNF into both the VLAN as well as routed interface to redirect the traffic from the VLAN or the routed interface to the VNF. See Configure VLAN with VNF Insertion.