How to deploy SonicWall Gen7 NSv in Active/Standby High Availability Mode On Azure?
04/04/2024
Description
SonicWall NSv series brings industry leading NGFW capabilities such as application intelligence and control, real-time monitoring, IPS, TLS/SSL decryption and inspection, advanced threat protection, VPN and network segmentation capabilities to protect your Azure environment. The following scenario shows how to deploy a high availability environment using two SonicWall NSv Firewalls, following best practice.
Azure lets you add cloud capabilities to your existing network through its platform as a service (PaaS) model or entrust Microsoft with all your computing and network needs with Infrastructure as a Service (IaaS).
Product Matrix
NOTE: HA requires a minimum of three interfaces, since the High Availability exchange messages need their own interface. Hence the VM size should be selected as Standard_D3_v2 for the GEN 7 template deployment. By default, the SonicWall custom Template already sets the value Standard_D3_v2.
For Azure sizing and pricing information, see:
Topology
NOTE: For HA interface use only /24 subnet. There is no such limitation for other interfaces like X0 or X1.
Resolution
SonicWall provides a custom Template with default values already set up according to best practices (it is important to use the SonicWall custom Template to avoid mistakes during the configuration). To install the custom Template, access the SonicWall GitHub Repository through the link below and follow these steps:
- In your browser, navigate to https://github.com/sonicwall-NSv/azure-template/tree/feature/HA, scroll down and click on Deploy to Azure.
- Log in to the Azure Portal using valid credentials.
- The following custom Template will show up. Go through the tabs and fill in the blank fields, such as Resource Group (SonicWall recommends creating a NEW one), Storage Account, etc.
NOTE: Please store "SSH Password" and "Key pair" in a safe place as these will be required in the future when Console or SSH access to the firewall is needed.
NOTE: Please leave the Image Version tab as the default value “latest” to install the Gen 7 NSv Firewall.
- The custom Template brings up two Virtual Machines (HA1 and HA2), with LAN, WAN, and HA Interfaces. Those are all necessary to complete the deployment successfully.
ENABLE IDENTITY OF BOTH VIRTUAL MACHINES (HA1 and HA2)
To enable Identity:
- On the left Panel access the All Services | Virtual machine page.
- Search for the Primary VM that you created during deployment; on the left panel, select Identity and change the status to On (if it is already configured through the Template, leave it as default).
- Repeat steps 1 and 2 for the Secondary VM.
ROLE ASSIGNMENT
In the next step, you will add a Role Assignment to the Resource Group.
The “Contributor” role must be assigned on the Resource Group, since this is what allows the firewalls to exchange High Availability information. To do that, follow the steps below:
- Navigate to Dashboard, on the search bar, search for the Resource Group that you have created during deployment, and on the left panel, select Access Control (IAM).
- Click Add | Add role assignment.
- Click Contributor.
- In Contributor, select Managed Identity, check that you are in the right Subscription, and open the Managed Identity drop-down. Select Virtual Machine and select both the HA1 and HA2 VMs to grant the permissions (if it is already configured through the Template, leave it as default).
NOTE: It is recommended to have VNet and NSv Virtual Machines in the same Resource Group. If the VNet and NSv Virtual Machines are in separate Resource Groups then NSv Virtual Machines will also be required to be added as Contributor in the VNet Resource Group.
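The identity and role-assignment steps above, scripted with Azure PowerShell as an added example (this is not SonicWall's template or code). The resource group name nsv-ha-rg and the VM name ha-HA2 are assumptions; ha-HA1 is the VM name the article uses.

```powershell
# Added example, not part of the SonicWall template: enable the system-assigned identity
# on both NSv VMs and grant each one Contributor on the resource group(s).
# Assumptions: resource group "nsv-ha-rg", VM names "ha-HA1" (as on the page) and "ha-HA2".
$rg     = "nsv-ha-rg"
$vnetRg = $rg          # set to the VNet's resource group if it differs (see NOTE above)
$vms    = @("ha-HA1", "ha-HA2")
$scopes = @($rg, $vnetRg) | Select-Object -Unique

foreach ($name in $vms) {
    $vm = Get-AzVM -ResourceGroupName $rg -Name $name

    # Identity "On": skip if the template already enabled it
    if (-not $vm.Identity -or "$($vm.Identity.Type)" -notmatch "SystemAssigned") {
        Update-AzVM -ResourceGroupName $rg -VM $vm -IdentityType SystemAssigned | Out-Null
        $vm = Get-AzVM -ResourceGroupName $rg -Name $name   # re-read to get the PrincipalId
    }
    $principalId = $vm.Identity.PrincipalId

    foreach ($scopeRg in $scopes) {
        # Contributor on the resource group is what lets the two firewalls exchange HA state
        $existing = Get-AzRoleAssignment -ObjectId $principalId `
                        -RoleDefinitionName "Contributor" -ResourceGroupName $scopeRg
        if (-not $existing) {
            New-AzRoleAssignment -ObjectId $principalId `
                -RoleDefinitionName "Contributor" -ResourceGroupName $scopeRg | Out-Null
        }
        Write-Host "$name ($principalId): Contributor on resource group $scopeRg"
    }
}
```

Run it with an account that can manage role assignments on the resource group; re-running it is safe because existing identities and assignments are detected and skipped.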
For the next step, we are going to check the NETWORKING tab.
- On the left Panel, access All Services | Virtual machine page.
- Search for the Primary VM (HA1) that you have created during deployment.
- On the left menu, access the Networking tab.
- Select ha-HA1-Interface-X1 | Network Interface ha-HA1-Interface-X1 | IP Configurations.
You will note that the Template automatically configures an additional Secondary IP configuration on the interface. It acts as a virtual IP address, and it is present on the WAN as well as on the LAN interface. These IPs will be needed in the next part of the configuration.
Repeat the previous steps to access ha-HA1-Interface-X0 and check its Secondary IP configuration.
Now that you have checked that a Secondary IP address is provided on both the X1 and X0 interfaces, you will set those IPs on the Primary NSv Firewall as shown in the next steps.
NOTE: For the first login, it’s going to be necessary to Register the appliance.
Log in to GEN7 Primary NSv firewall using the Associated public IP
Once you’re logged in, register the appliance first. After the registration, follow the steps below.
- Navigate to NETWORK | System | Interfaces, change the X0 configuration first, and then X1 as shown below. You will lose access after you change X1.
- Before changing the X1 Interface IP, take a screenshot of the current configuration, since the Default Gateway and DNS Server 1 must remain the same. This guarantees you won’t lose access to the primary firewall during the following steps.
- After the changes, the Interfaces should look similar to the screenshot below:
Log in to the Secondary NSv firewall using the Associated public IP
Now, you will access the secondary firewall for the first time, which means that you should also register the appliance first before proceeding with the rest of the configuration.
- Navigate to Network | System | Interfaces, and create the HA interface with the custom zone "HA" using the IP address schema details below (SonicWall uses the X2 Interface in the custom template).
- Security Type: Trusted
- Enable “Allow Interface Trust”
- It’s not necessary to enable Security Services.
- The IP Address is the ha-HA2-Interface-X2 found on the Networking tab.
Now, you will Enable L3 mode option on the Secondary appliance.
- Navigate to Device | High Availability | Settings | HA Interfaces, and select the Enable L3 Mode option on the secondary firewall.
- Under HA Interfaces, fill in the Primary Unit IP and Secondary Unit IP with the HA (X2) IP addresses of both firewalls, HA1 and HA2.
Login back to the Gen7 Primary NSv Firewall
On the primary firewall, log in using the Floating Public IP address. To get the IP go to:
- Resource Groups
- Select the VM ha-HA1
- On the left panel press Networking
- Network Interface: ha-HA1-Interface-X1
- On the left panel press IP configurations
- Copy the Floating Public IP address and paste it into the browser
Configure High Availability to Active/Standby with L3 HA Link
- Configure HA to Active/Passive with L3 HA link. To configure, browse to Manage | High Availability, and select Enable Stateful Synchronization option.
- Click the HA interfaces tab and switch the HA Control link to L3 mode. No gateway address is needed if the two HA Interfaces are in the same subnet. If the two HA interfaces are in different subnets, a proper gateway address is required; on Azure the default is X.X.X.1.
- Add the monitoring IPs on the Primary NSv: the physical (Azure) IP addresses of the X0 and X1 interfaces, so that the secondary firewall can be managed.
- Navigate to Device | High Availability | Status page to check whether the cluster is coming together. The secondary will reboot, and it may take a while to see the cluster up.
NOTE: It is recommended to be on the latest 7.1.1-7051 or a newer firmware version when using Multiple Floating IP addresses in Azure.
Steps to add Additional Floating public IP
- Resource Groups
- Select the VM ha-HA1
- On the left panel press Networking
- Network Interface: ha-HA1-Interface-X1
- On the left panel press IP configurations
- Click Add to add an IP configuration, and specify the name and IP allocation method.
- Associate the public IP by using an existing public IP or creating a new public IP address.
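The same additional floating public IP configuration, added with Azure PowerShell as an added example (not SonicWall's code). The NIC name ha-HA1-Interface-X1 is the one the article uses; the resource group nsv-ha-rg, the IP configuration name ipconfig-floating2, the public IP name ha-HA1-floating-pip2, and the Static/Standard public IP settings are assumptions.

```powershell
# Added example, not SonicWall's code: add one more IP configuration with its own public IP
# to ha-HA1-Interface-X1 (the NIC named on the page). Assumptions: resource group "nsv-ha-rg",
# new config name "ipconfig-floating2", new public IP name "ha-HA1-floating-pip2",
# Static allocation with the Standard SKU.
$rg      = "nsv-ha-rg"
$nicName = "ha-HA1-Interface-X1"
$cfgName = "ipconfig-floating2"
$pipName = "ha-HA1-floating-pip2"

$nic      = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$subnetId = $nic.IpConfigurations[0].Subnet.Id     # same subnet as the existing X1 config
$location = $nic.Location

# Reuse an existing public IP of that name, otherwise create a new one
$pip = Get-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName -ErrorAction SilentlyContinue
if (-not $pip) {
    $pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name $pipName -Location $location `
               -AllocationMethod Static -Sku Standard
}

# Add the configuration (private IP allocated dynamically) and push the NIC change
if (-not ($nic.IpConfigurations | Where-Object Name -eq $cfgName)) {
    $nic = Add-AzNetworkInterfaceIpConfig -Name $cfgName -NetworkInterface $nic `
               -SubnetId $subnetId -PublicIpAddressId $pip.Id
    $nic = Set-AzNetworkInterface -NetworkInterface $nic
}

# Show the result: private/public pairing per IP configuration on X1
foreach ($cfg in $nic.IpConfigurations) {
    $pub = if ($cfg.PublicIpAddress) { $cfg.PublicIpAddress.Id.Split('/')[-1] } else { "-" }
    Write-Host ("{0,-24} {1,-16} {2}" -f $cfg.Name, $cfg.PrivateIpAddress, $pub)
}
```

The new private address shown in the listing is the one to add on the firewall, as for the other floating IPs above.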