High Availability: sync removing HA firewall rules

Started by FlangeMonkey, April 22, 2025, 01:16:31 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
April 22, 2025, 01:16:31 PM
Hello,

I have set up a secondary firewall, the NIC configuration is different, but I don't believe that is a problem anymore.  I do not have CARP configured yet.  For HA, I have All Services selected, and all networks configured equally, for example HA is called HA and LAN is called LAN on both firewalls.

After sync, everything looks good, except for HA firewall rules.  The single basic HA rule is being removed on the secondary firewall after sync. So I can no longer perform another sync until I add the rule back to the secondary firewall.

Any idea what is causing the behaviour?

Thanks

April 22, 2025, 01:33:33 PM #1
I set the rules on the primary with these settings:
source: SYNC subnet
destination: This firewall

This fits for the secondary as well and hence can be synced.
April 22, 2025, 01:43:48 PM #2
Quote from: viragomann on April 22, 2025, 01:33:33 PMI set the rules on the primary with these settings:
source: SYNC subnet
destination: This firewall

This fits for the secondary as well and hence can be synced.

Thanks for the reply,

I'm not sure it I was clear enough, the rule itself is being removed by the sync process.

My rule is more open atm, Source: HA Net, Destination: Any.
April 22, 2025, 02:02:47 PM #3
Quote from: FlangeMonkey on April 22, 2025, 01:43:48 PMthe rule itself is being removed by the sync process.
The rule is removed from the secondary node, because it's not present on the primary, who syncs its rule to it.

But I created the rule in the primary.
April 22, 2025, 11:08:19 PM #4
Quote from: viragomann on April 22, 2025, 02:02:47 PM
Quote from: FlangeMonkey on April 22, 2025, 01:43:48 PMthe rule itself is being removed by the sync process.
The rule is removed from the secondary node, because it's not present on the primary, who syncs its rule to it.

But I created the rule in the primary.

Ok, that's down to the language I used and not being clear enough, sorry from my dyslexia.  I have the rule created on the Primary HA Interface, it is not syncing to the secondary and furthermore, any rules created on the secondary HA interface are being removed.

I hope that clears up the confusion.
April 22, 2025, 11:16:11 PM #5
Quote from: FlangeMonkey on April 22, 2025, 11:08:19 PMI have the rule created on the Primary HA Interface, it is not syncing to the secondary
At first you have to create the rule on the primary as suggested above.
Then add a rule on the secondary, to allow syncing.
Then the rules from the primary should be synced over and also allow further syncs.

Did you try it this way?
April 23, 2025, 08:33:32 AM #6
The internal network identifier (optXX) must be the same on your devices!
April 23, 2025, 05:57:38 PM #7
Quote from: userbenutzer on April 23, 2025, 08:33:32 AMThe internal network identifier (optXX) must be the same on your devices!

Thanks userbenutzer, that was the issue.
Print
Go Up Pages1
User actions