Template For Firewall Failover

Project Name (Take 64): Project Nam
RFC # Brief Description of change Implementation Date
Quarterly failover on FWWYNTUSGR01

209.12.76.75 and FWWYNTUSGR02
CHG0037367 1/24/2017
209.12.76.78
Key Contacts for this change:

Role Name Title
Communications
Coordinator Maheedhar Immadabathuni Security Engineer
Testing Coordinator Maheedhar Immadabathuni Security Engineer
Tester(s) HTCS Firewall HTCS
Sec Ops Document Review Sign off

Role Name Title
Creator Bhupender Singh Security Engineer
Peer reviewed by Arthisha Sampally Security Engineer
Manager Review Cheryl Lanzer Manager
Document Revision Control

Date Revision Name
1/31/2016 Version Draft 1 Chris McKay
Name (Take 64): Project Name (Quarterly Maintenance Scheduled Failover)
Overview
Start Time (ET) End Time (ET) RFC Status
1:00 PM 1:15 PM RFC Create
ontacts for this change:

E-mail address Office Phone Cell Phone
maheedhar.immadabathuni@wyn.com 973-753-7574 973-727-6814

maheedhar.immadabathuni@wyn.com 973-753-7574 973-727-6814
HTCSFirewall@wyn.com 866-556-6784
Document Review Sign off

E-mail address Date of review Initials
Bhupender.singh@wyn.com 1/17/2017 BS
Arthisha.Sampally@WYN.COM 1/18/2017 AS
cheryl.lanzer@wyn.com 1/19/2017 CL
vision Control
Title E-mail address
Security Engineer christopher.mckay@wyn.com
er)
Onsite Resource
Outage (Yes/No) Vendor SR #'s Site Name / Site code (Y/N)
Yes N/A WWC No

Project Name (Quarterly Maintenance Scheduled Fa
Planning Checklist
Item Task Description Status/Result
Setup meeting with Business and/or CSIT to discuss the following:

(a) Project,
(b) Implementation date
1 Completed
(c) Arrange for on-site contact
(d) Single Point of contact for testing coordination
(e) Testing plan and identify Businesss testing resources
Identify individuals in BU that this was discussed with (add names in notes
2 Completed
section)
Single Point of contact for testing coordination identified (add name in
3 Completed
notes field and overview tab)
4 Document detailed testing plan Completed
Identify testing resources from business teams (add testers names in
5 Completed
overview tab)
6 Confirm onsite resource for implementation date (add to overview tab) Completed
Fill out Implementation plan and provide supporting documentation in the

7 appropriate tabs Completed
Identify devices that are directly involved in this change (update

8 Completed
"Supporting Docs - Hardware" Tab)
Identify devices that are indirectly involved in this change - ie devices
9 upstream and downstream from the devices that are directly being Completed
changed (update "Supporting Docs - Hardware" Tab)
Create Diagrams for pre and post cut (if applicable) - put diagrams in
10 Completed
"Supporting Docs - Diagrams"
enance Scheduled Failover)
hecklist
Est. Completion Notes Initials

Date
Brian crawford
BS
BS
BS
BS
BS
BS
BS
BS
BS
Project Name (Quarterly Maintenance Scheduled Fai
Pre Implementation - Technical Tasks
Item Task Description Status
1
Download Hotfix file "Check_Point_R76.linux.tar" to
Completed
bastion host, per CheckPoint Support instructions
2 "Implementation Plan" tab has been filled out and

reviewed Completed
3 "Rollback Plan" tab has been filled out and reviewed
Completed
4 Document "Supporting Docs - Checkpoint" tab
Completed
5 Create spreadsheet with complete schedule for all
firewalls to be upgraded Completed
6 FTP Take 64 hotfix to firewalls and extract the files
(see Supporting Docs - FTP Hotfix tab) Completed
7 Confirm there are recent backups of the following
firewalls in BackBox:
FWWYNTUSGR01 209.12.76.75 FWWYNTUSGR02 Completed
209.12.76.78
8
Populate tab "Supporting Docs - Affected IPs" with
list of IP Ranges/Subnets under each cluster, as well Completed
as affected business unit
9 Confirm content of /etc./host file on each node, and
whether file is Immutable or not Completed
rly Maintenance Scheduled Failover)
entation - Technical Tasks
Notes Initials Peer Review Manager Review
CM
BS
BS
BS
BS
BS
BS
BS
See Hosts File tab BS

Project Name (
Implementation Start = Noone

Status Task Category Task Number
Pre Implementation
1
Communication
Communication 2
Implementation
Implementation 3
Implementation 4
5
Communication 6
7
Communication
8
Implementation 9
Implementation 10
Implementation 11
Implementation 12
Implementation 13
Implementation 14
Implementation 15
Implementation 16
Implementation 17
TESTING 18
Implementation 19
Implementation 20
Implementation 21
Implementation 22
Implementation 23
Implementation 24
Implementation 25
Implementation 26
Implementation 27
TESTING 28
29
30
31
32
33
Communication
Communication 34
Completion 35
Project Name (Quarterly Maintenance Scheduled Failover)
Implementation Plan
Task
Pre-Implementation Steps
Notify WYN-Change of that RFC will begin and which Firewalls will be affected. Include Sec
Ops, SDRM (Mangers listed in Overview), Gian Watt and testers.
Advise NOC to ignore Indeni Alarms for firewallS affected
Implementation
Join bridge with testers
Log into the 10.230.100.103 bastion host
Perform first phase of testing to establish a baseline for expected results
Email all testers to commence testing, and to email a pass/fail via reply email
Email all parties with interest (WYN-Changes, Sec Ops, SDRM, Gian Watt and testers) that
testing was successful, and we are about to fail over to the standby member of the TUSGR
firewall cluster.
Determine active node of Saint John and reboot the standby node in preparation for
failover
ssh to 01 node of the cluster (FWWYNTUSGR01 209.12.76.75) using the credentials for WHG
firewalls in the pw vault
expert
cphaprob stat
determine which firewall is active and which is on standby
ssh to STANDBY firewall, using the credentials for WHG firewalls in the pw vault
cat /etc/hosts to confirm the firewall IP is listed to resolve to the firewall host name
lsattr /etc/hosts (to confirm that the Immutable attribute ("i") is set on the hosts file, to
prevent the OS from overwriting hosts with a default file upon reboot)
If the Immutable ("i") flag is not on the etc/hosts file, set it with the following command:
chattr +ia /etc/hosts
reboot
Perform verification per steps outlined in Testing Plan to confirm secondary node is up, can
be reached by ssh and is logging
Failing over TUSGR FWWYNTUSGR_CL Cluster (FWWYNTUSGR01 209.12.76.75 |

FWWYNTUSGR02 209.12.76.78)
ssh to active firewall, using the credentials for WHG firewalls in the pw vault
expert
clusterXL_admin down
clusterXL_admin up
ssh to NEW STANDBY firewall (formerly the primary), using the credentials for WHG firewalls
in the pw vault
cat /etc/hosts to confirm the firewall IP is listed to resolve to the firewall host name
lsattr /etc/hosts (to confirm that the Immutable attribute ("i") is set on the hosts file, to
prevent the OS from overwriting hosts with a default file upon reboot)
If the Immutable ("i") flag is not on the etc/hosts file, set it with the following command:
chattr +ia /etc/hosts
reboot
Perform verification per steps outlined in Testing Plan to confirm secondary node is up, can
be reached by ssh and is logging
Verify no unexpected Orion/ Indeni alarms (per testing plan)
Verify SNMP is working as expected (per testing plan)
Confirm NTP is working as expected (per testing plan)
Ensuring logging is setup and working (per testing plan)
Email all parties with interest (WYN-Changes, Sec Ops, SDRM, Gian Watt and testers) that
testing was successful, and that the RFC is complete.
Post Implementation tasks
Advise NOC to ignore Indeni Alarms for firewallS affected
Complete decision task in RFC
nce Scheduled Failover)
Expected Completion Time Resource

(Eastern Time)
0:00:00
0:10:00
0:10:00
0:45:00
0:50:00
1:05:00
1:20:00
1:05:00
2:00:00
2:00:00
2:00:00
Notes
Project Name (Quarterly
Status Task Category Task Number
Communication 1
Rollback 1
Rollback 2
Rollback 3
Rollback 4
Rollback 5
Rollback 6
Rollback 7
Rollback 8
Testing 9
Communication 10
Project Name (Quarterly Maintenance Scheduled Failover) : Rollback plan
Rollback Plan
Task
Send out the Communication (WYN-Changes, Sec Ops, SDRM, Gian Watt and testers) that
we are rolling back the change on current firewall.
Failing over TUSGR FWWYNTUSGR_CL Cluster (FWWYNTUSGR01 209.12.76.75 | FWWYNTUSGR02
209.12.76.78)
ssh to 01 node of the cluster (FWWYNTUSGR01 209.12.76.75) using the credentials for WHG
firewalls in the pw vault
expert
cphaprob stat
determine which firewall is active and which is on standby
ssh to active firewall, using the credentials for WHG firewalls in the pw vault
expert
clusterXL_admin down
clusterXL_admin up
Perform testing plan to ensure firewall cluster is operational again.
Send out communication (WYN-Changes, Sec Ops, SDRM, Gian Watt and testers) indicating that the
change is rolled back. Have testers confirm via email that testing is successful
d Failover) : Rollback plan
Expected Completion Time (Eastern

Time) Resource Notes
1:00 AM CM
Testing Plan [ Engin
Application or Service to be
Task # Date of test Time of test
tested
EIT INFO SEC Test plan

1 Application/Service #1
2 Credit Card Authorization
3
12 Opera
13
18 Printing Windows
Printing Opera
OWA/Outlook
Purge DNS records (IPConfig /flushdns front desk works
19
WHG Test Plan - Upgrade Firewalls to R76 Code
HTCS Steps
HTCS will join the call to assist the property to test functionality. The folk’s onsite will
not assist the property to make sure that all functionality is working. HTCS will assist to
help test a number of functions and answer any questions or problems that may pop
up. The list below can be expanded as we complete more of these changes. HTCS
needs to make sure the site has enough time to print all necessary reports.
Prior to Equipment change

HTCS will confirm existing problems if any with the site prior to change.
HTCS will have the site print all Emergency Reports and make sure the site understands that they could be dow
HTCS techs will assist with anything that needs to be tested or communicated to the property if needed.
HTCS will join meeting place bridge
Tests
· RDP to the Site
· Opera Working
· Interfaces - OIFC
· Printing – Windows and Opera
· Bomgar (FD, BO, Server)
· Authorize and Process Credit Cards
· Scan to email
· Websites
o Wyndham.com
o MyPortal
o Webinar
o Brand websites
· Network Shares
Testing Plan [ Engineer Test and WHG Test Plans]
URL or IP address to be tested IP address of client or source where
Tester Name
(i.e. "destination IP") tests will be run from
10.x.x.23 Front Desk 10.x.x.101, 102, 103
10.x.x.23 Front Desk 10.x.x.101, 102, 103

10.x.x.23 Remote Desk HTCS Jump Box
Front Desk 10.x.x.101, 102, 103

10.x.x.23 Front Desk 10.x.x.101, 102, 103
Front Desk 10.x.x.101, 102, 103
PConfig /flushdns front desk workstations) –optional not necessary.
nderstands that they could be down for 3 hours downtime.

d to the property if needed.
Testing
Testing steps
Results
Firewall Location Affected IP Range/Subnet BU
10.14.216.0/26,10.14.216.96/27,10.14.216.128/25,
FWWYNTUSGR_CL Cluster 10.14.216.64/27,10.14.238.128/27 WHG
exit
FWWYNTUSGR01> show configuration
#
# Configuration of FWWYNTUSGR01
# Language version: 11.0v1
#
# Exported by admin on Tue Jan 17 07:59:33 2017
#
set expert-password-hash $1$OYBUXBK_$eRVG2Eekg2jKdgCnvseva.
set password-controls min-password-length 7
set password-controls complexity 2
set password-controls palindrome-check true
set password-controls history-checking true
set password-controls history-length 10
set password-controls password-expiration never
set password-controls expiration-warning-days 7
set password-controls expiration-lockout-days never
set password-controls force-change-when no
set password-controls deny-on-nonuse enable true
set password-controls deny-on-nonuse allowed-days 90
set password-controls deny-on-fail enable false
set password-controls deny-on-fail failures-allowed 5
set password-controls deny-on-fail allow-after 900
set aaa tacacs-servers state off
set aaa radius-servers super-user-uid 96
set router-id 10.14.216.1
set max-path-splits 8
set tracefile maxnum 10
set tracefile size 1
add allowed-client host any-host
set inactivity-timeout 10
set ipv6-state off
set net-access telnet off
set timezone America / Phoenix
add dhcp server subnet 10.14.216.64 netmask 27
set dhcp server subnet 10.14.216.64 default-lease 86400
set dhcp server subnet 10.14.216.64 max-lease 86400
set dhcp server subnet 10.14.216.64 dns 10.14.216.6, 10.85.15.133
set dhcp server subnet 10.14.216.64 router 10.14.216.65
add dhcp server subnet 10.14.216.64 include-ip-pool start 10.14.216.66 end 10.14.216.88
set dhcp server subnet 10.14.216.64 enable
set dhcp server enable
set arp table cache-size 4096
set arp table validity-timeout 60
set hostname FWWYNTUSGR01
set domainname wyndham.com
set snmp agent on
set snmp agent-version any
set snmp community Wpdcadvmgr read-only
add snmp traps receiver 10.230.131.48 community Wpdcadvmgr version v2
set snmp traps trap authorizationError disable
set snmp traps trap coldStart disable
set snmp traps trap configurationChange disable
set snmp traps trap configurationSave disable
set snmp traps trap fanFailure disable
set snmp traps trap highVoltage disable
set snmp traps trap linkUpLinkDown disable
set snmp traps trap lowDiskSpace disable
set snmp traps trap lowVoltage disable
set snmp traps trap overTemperature disable
set snmp traps trap powerSupplyFailure disable
set snmp traps trap raidVolumeState disable
set snmp contact "Call Network Security On call - 602-335-2188"
set user admin shell /etc/cli.sh
set user admin password-hash $1$Qbtbl062$qvsFLYX5bg3zXJKvLR0wa0
add user backbox uid 0 homedir /home/backbox
set user backbox gid 100 shell /bin/bash
set user backbox password-hash $1$CudoLjKf$aTrfVpbIAM3RP7l.7ii440
add user indeni uid 0 homedir /home/indeni
set user indeni gid 100 shell /bin/bash
set user indeni password-hash $1$MBcQDdB9$swh.qp1evPPRoDAHkhzA10
set user monitor shell /etc/cli.sh
set user monitor password-hash *
add rba user backbox roles adminRole
add rba user indeni roles adminRole
set format date dd-mmm-yyyy
set format time 24-hour
set format netmask Dotted
set core-dump enable
set core-dump total 1000
set core-dump per_process 2
set clienv debug 0
set clienv echo-cmd off
set clienv output pretty
set clienv prompt "%M"
set clienv rows 24
set clienv syntax-check off
set interface eth2 state on
add interface eth2 vlan 10
set interface Mgmt link-speed 100M/full
set interface Mgmt state on
set interface Mgmt auto-negotiation off
set interface Mgmt mtu 1500
set interface Mgmt ipv4-address 209.12.76.75 mask-length 29
set interface eth1 link-speed 1000M/full
set interface eth1 auto-negotiation on
set interface eth1 mtu 1500
set interface eth1 ipv4-address 10.14.245.226 mask-length 27
set interface eth2.10 state on
set interface eth2.10 ipv4-address 10.14.216.2 mask-length 26
set interface eth3 state off
set interface eth5 comments "SYNC RFC R225095"
set interface lo state on
set interface lo ipv4-address 127.0.0.1 mask-length 8
set ospf area backbone on
set static-route default nexthop gateway address 209.12.76.73 priority 1 on
set ipv6 ospf3 area backbone on
set rip update-interval default
set rip expire-interval default
set rip auto-summary on
set dns suffix wyndham.com
set dns primary 10.14.216.6
set dns secondary 216.136.95.2
set dns tertiary 64.132.94.250
set web session-timeout 10
set web ssl-port 443
set web daemon-enable on
set ntp active on
set ntp server primary 10.230.135.253 version 1
set ntp server secondary 10.230.135.254 version 1
set static-route 10.87.251.0/24 nexthop gateway address 10.87.247.49 priority 1 on
set hostname fwstjwhgcor01
set ntp active on
set user admin password-hash $1$4Fp8q/BY$68iFPSS6PhomIqkCoKVYo.
set user backbox password-hash $1$5TkNEqd.$nqsuPShB.5GcP7ZWeI7Mp0
add user ctamero uid 0 homedir /home/ctamero
set user ctamero gid 100 shell /etc/cli.sh
set user ctamero password-hash $1$UsH0J.Or$b6VHOI3BwvtmlRmEGVcBC1
set user indeni password-hash $1$i85J8ZwC$s7llIQDFAD1UxWSWBm8JX0
add rba user ctamero roles adminRole
FWWYNTUSGR01>
FWWYNTUSGR02> show configuration
#
# Configuration of FWWYNTUSGR02
# Language version: 11.0v1
#
# Exported by admin on Tue Jan 17 08:18:08 2017
set inactivity-timeout 10
set clienv debug 0
set clienv echo-cmd off
set clienv output pretty
set clienv prompt "%M"
set clienv rows 24
set clienv syntax-check off
set password-controls min-password-length 7
set password-controls complexity 2
set password-controls palindrome-check true
set password-controls history-checking
set password-controls history-length 10
set password-controls password-expiration never
set password-controls expiration-warning-days 7
set password-controls expiration-lockout-days never
set password-controls force-change-when no
set password-controls deny-on-nonuse enable true
set password-controls deny-on-nonuse allowed-days 90
set password-controls deny-on-fail enable false
set password-controls deny-on-fail failures-allowed 5
set password-controls deny-on-fail allow-after 900
set dhcp server enable
set domainname wyndham.com
set aaa radius-servers super-user-uid 96
set timezone America / Phoenix
set dns suffix wyndham.com
set dns tertiary 64.132.94.250
set ipv6-state off
set web session-timeout 10
set web ssl-port 443
set web daemon-enable on
set hostname FWWYNTUSGR02
set arp table cache-size 4096
set arp table validity-timeout 60
set user admin shell /bin/bash
set user admin password-hash $1$1fNvulms$X6KlcSXRnTYUXTpXPUmEQ/
set user backbox password-hash $1$LMUnYYwy$Pcen3OirDES3AdzWINCfo0
set user indeni password-hash $1$Am7P.hvW$UKmrbBrGMFXu0PfywH3aK.
set interface Mgmt link-speed 100M/full
set interface Mgmt state on
set interface Mgmt auto-negotiation off
set interface Mgmt mtu 1500
set interface Mgmt ipv4-address 209.12.76.78 mask-length 29
set interface eth4 auto-negotiation off
set interface eth5 comments "SYNC - RFC R225095"
set interface lo state on
set interface lo ipv4-address 127.0.0.1 mask-length 8
set format date dd-mmm-yyyy
set format time 24-hour
set format netmask Dotted
set snmp agent on
set snmp agent-version any
set snmp community Wpdcadvmgr read-only
set snmp traps trap authorizationError disable
set snmp traps trap coldStart disable
set snmp traps trap configurationChange disable
set snmp traps trap configurationSave disable
set snmp traps trap fanFailure disable
set snmp traps trap highVoltage disable
set expert-password-hash $1$B_BBBT]N$j1HfFMNlQ3PxQ4BGodu061
set ntp active on
set static-route default nexthop gateway address 192.168.1.254 on
set static-route default nexthop gateway address 209.12.76.73 priority 1 on
FWWYNTUSGR02>
set user admin password-hash $1$RQ82SDsd$o6FWv8/usS1yXMpT3SBNw.
set user backbox password-hash $1$tRA8UdcW$ry5RvU4s/XScPT5R.Zvso0
set user ctamero password-hash $1$7TAMyc6S$emkVtE1s8Xz3Tbjx6WtxC1
set user indeni password-hash $1$EfMhD/I8$DFlRDqlDKcXqWLj1xu3NI0
set lcd screensaver mode model
set lcd screensaver timeout 30
set hostname fwstjwhgcor02
fwstjwhgcor02>
FWWYNTUSGR01> cphaprob stat
Cluster Mode: High Availability (Active Up) with IGMP Membership
Number Unique Address Assigned Load State
1 (local) 10.14.245.226 100% Active

2 10.14.245.227 0% Standby
[Expert@FWWYNTUSGR01:0]# cat /etc/hosts
# This file was AUTOMATICALLY GENERATED
# Generated by /bin/hosts_xlate on Tue Mar 15 21:57:20 2016
#
# DO NOT EDIT
#
209.12.76.75 fwstjwhgcor01
127.0.0.1 localhost
::1 localhost
[Expert@fwstjwhgcor01:0]# lsattr /etc/hosts
----i-------- /etc/hosts
[Expert@fwstjwhgcor01:0]#
[Expert@FWWYNTUSGR02:0]# cat /etc/hosts
# This file was AUTOMATICALLY GENERATED
# Generated by /bin/hosts_xlate on Tue Mar 15 21:27:18 2016
#
# DO NOT EDIT
#
127.0.0.1 localhost
209.12.76.78 fwstjwhgcor02
::1 localhost
[Expert@fwstjwhgcor02:0]# lsattr /etc/hosts
----i-------- /etc/hosts
[Expert@fwstjwhgcor02:0]#
[Expert@FWWYNTUSGR01:0]# ifconfig
Mgmt Link encap:Ethernet HWaddr 00:1C:7F:35:F2:3B
inet addr:209.12.76.75 Bcast:209.12.76.79 Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2507068018 errors:33770932 dropped:0 overruns:0 frame:33770932
TX packets:2419184216 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1166577629 (1.0 GiB) TX bytes:511247199 (487.5 MiB)
Interrupt:106 Memory:febe0000-fec00000
eth1 Link encap:Ethernet HWaddr 00:1C:7F:35:F2:36

RX bytes:930343206 (887.2 MiB) TX bytes:89914464 (85.7 MiB)
Interrupt:82 Memory:fe6e0000-fe700000
eth2 Link encap:Ethernet HWaddr 00:1C:7F:35:F2:37

eth2.10 Link encap:Ethernet HWaddr 00:1C:7F:35:F2:37

RX bytes:384540760 (366.7 MiB) TX bytes:3077825284 (2.8 GiB)

RX bytes:1983113936 (1.8 GiB) TX bytes:3395564157 (3.1 GiB)



lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
[Expert@FWWYNTUSGR01:0]#
[Expert@FWWYNTUSGR02:0]# ifconfig
Mgmt Link encap:Ethernet HWaddr 00:1C:7F:53:46:4F
RX bytes:108877589 (103.8 MiB) TX bytes:2126216351 (1.9 GiB)
Interrupt:106 Memory:febe0000-fec00000
eth1 Link encap:Ethernet HWaddr 00:1C:7F:53:46:4A

eth2 Link encap:Ethernet HWaddr 00:1C:7F:53:46:4B

eth2.10 Link encap:Ethernet HWaddr 00:1C:7F:53:46:4B





lo Link encap:Local Loopback

inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
Firewall Routes FWWYNTUSGR01/02
[Expert@FWWYNTUSGR01:0]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
209.12.76.72 0.0.0.0 255.255.255.248 U 0 0 0 Mgmt
10.14.238.128 0.0.0.0 255.255.255.224 U 0 0 0 eth2.50
10.14.245.224 0.0.0.0 255.255.255.224 U 0 0 0 eth1
10.14.216.64 0.0.0.0 255.255.255.224 U 0 0 0 eth2.40
10.14.216.96 0.0.0.0 255.255.255.224 U 0 0 0 eth2.20
10.14.216.0 0.0.0.0 255.255.255.192 U 0 0 0 eth2.10
10.14.216.128 0.0.0.0 255.255.255.128 U 0 0 0 eth2.30
0.0.0.0 209.12.76.73 0.0.0.0 UGD 0 0 0 Mgmt
[Expert@FWWYNTUSGR02:0]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
209.12.76.72 0.0.0.0 255.255.255.248 U 0 0 0 Mgmt
10.14.238.128 0.0.0.0 255.255.255.224 U 0 0 0 eth2.50
10.14.245.224 0.0.0.0 255.255.255.224 U 0 0 0 eth1
10.14.216.64 0.0.0.0 255.255.255.224 U 0 0 0 eth2.40
10.14.216.96 0.0.0.0 255.255.255.224 U 0 0 0 eth2.20
10.14.216.0 0.0.0.0 255.255.255.192 U 0 0 0 eth2.10
10.14.216.128 0.0.0.0 255.255.255.128 U 0 0 0 eth2.30
0.0.0.0 209.12.76.73 0.0.0.0 UGD 0 0 0 Mgmt
[Expert@FWWYNTUSGR01:0]# cat $FWDIR/modules/fwkern.conf [Expert@FWWYNTUSGR02:0
fw ctl set int fwha_forw_packet_to_not_active 1 fw ctl set int fwha_forw_pac
[Expert@FWWYNTUSGR02:0]# cat $FWDIR/modules/fwkern.conf
fw ctl set int fwha_forw_packet_to_not_active 1
[Expert@FWWYNTUSGR01:0]# more /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding

net.ipv4.ip_forward = 0
# Controls source route verification

net.ipv4.conf.default.rp_filter = 1
# Controls the System Request debugging functionality of the kernel

kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the maximum size of a message, in bytes

kernel.msgmnb = 65536
# Controls the default maxmimum size of a mesage queue

kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes

kernel.shmmax = 4294967295
# Controls the maximum number of shared memory segments, in pages

kernel.shmall = 268435456
# Enables ARP filtering

net.ipv4.conf.default.arp_filter = 1
net.ipv4.conf.all.arp_filter = 1
# Ignore ICMP bcasts

net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable ICMP Redirect Acceptance

net.ipv4.conf.all.accept_redirects = 0
# Retry tcp this many times

net.ipv4.tcp_syn_retries = 3
# Allow TCP window scaling
net.ipv4.tcp_window_scaling = 1
# Verbosity of kernel messages

kernel.printk = 1 1 1 1
# Performance tuning
## Ephemeral ports range
net.ipv4.ip_local_port_range = 32768 65535
## Turn on TCP timestamps

net.ipv4.tcp_timestamps = 1
## Increase the amount of memory associated w. input and output socket buffers
net.core.rmem_default = 262144
net.core.rmem_max = 262144
net.core.wmem_default = 262144
net.core.wmem_max = 262144
## Increase the number of FDs available to security servers

fs.file-max = 524288
## Set up core dump file name format

kernel.core_pattern = |/etc/coredump/compress.sh /var/log/dump/usermode/%e.%p.co
re
# Avoid memory leak in routing cache

net.ipv4.route.secret_interval = 100000
# Avoid crash in libwincav.so

kernel.sem = 250 64000 32 256
# performance tuning (allow more arp entries and less frequent cleanup overhead)
net.ipv4.neigh.default.gc_thresh1 = 1024
vm.max_map_count = 524288
[Expert@FWWYNTUSGR02:0]# more /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding

net.ipv4.ip_forward = 0
# Controls source route verification

net.ipv4.conf.default.rp_filter = 1
# Controls the System Request debugging functionality of the kernel

kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the maximum size of a message, in bytes

kernel.msgmnb = 65536
# Controls the default maxmimum size of a mesage queue

kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes

kernel.shmmax = 4294967295
# Controls the maximum number of shared memory segments, in pages

kernel.shmall = 268435456
# Enables ARP filtering

net.ipv4.conf.default.arp_filter = 1
net.ipv4.conf.all.arp_filter = 1
# Ignore ICMP bcasts

net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable ICMP Redirect Acceptance

net.ipv4.conf.all.accept_redirects = 0
# Retry tcp this many times

net.ipv4.tcp_syn_retries = 3
# Allow TCP window scaling
net.ipv4.tcp_window_scaling = 1
# Verbosity of kernel messages

kernel.printk = 1 1 1 1
# Performance tuning
## Ephemeral ports range
net.ipv4.ip_local_port_range = 32768 65535
## Turn on TCP timestamps

net.ipv4.tcp_timestamps = 1
## Increase the amount of memory associated w. input and output socket buffers
net.core.rmem_default = 262144
net.core.rmem_max = 262144
net.core.wmem_default = 262144
net.core.wmem_max = 262144
## Increase the number of FDs available to security servers

fs.file-max = 524288
## Set up core dump file name format

kernel.core_pattern = |/etc/coredump/compress.sh /var/log/dump/usermode/%e.%p.co
re
# Avoid memory leak in routing cache

net.ipv4.route.secret_interval = 100000
# Avoid crash in libwincav.so

kernel.sem = 250 64000 32 256
# performance tuning (allow more arp entries and less frequent cleanup overhead)
vm.max_map_count = 524288
[Expert@FWWYNTUSGR01:0]# ARP
bash: ARP: command not found
[Expert@FWWYNTUSGR01:0]# arp
Address HWtype HWaddress Flags Mask Iface
10.14.216.238 (incomplete) eth2.
10.14.245.227 ether 00:1C:7F:53:46:4A C eth1
10.14.216.221 ether D4:BE:D9:C0:C6:AA C eth2.
10.14.216.208 ether 44:8A:5B:4B:77:4C C eth2.
wh-tusgr-spa.wyndham.co ether 18:03:73:CF:05:43 C eth2.
10.14.216.210 ether D0:67:E5:21:12:EB C eth2.
10.14.245.246 ether AC:81:12:90:CB:56 C eth1
10.14.238.142 ether 00:A0:A4:20:8C:70 C eth2.
wh-tusgr-fd3.wyndham.co ether D0:67:E5:20:F7:90 C eth2.
wh-tusgrw039.wyndham.co ether D8:CB:8A:03:08:97 C eth2.
wh-tusgrw018.wyndham.co ether D4:BE:D9:C0:7F:88 C eth2.
10.14.216.228 ether D4:BE:D9:C0:C6:FD C eth2.
10.14.245.238 ether 2C:3F:38:D6:BA:41 C eth1
10.14.216.201 ether D4:BE:D9:C0:CE:37 C eth2.
wh-tusgr-fd2.wyndham.co ether D4:BE:D9:C0:CE:43 C eth2.
wh-tusgr-dc.wyndham.com ether D4:AE:52:6E:EB:6A C eth2.
wh-tusgrw032.wyndham.co ether 44:8A:5B:4B:77:FD C eth2.
10.14.216.180 ether 28:80:23:D5:5C:2D C eth2.
10.14.216.188 ether 6C:62:6D:60:44:28 C eth2.
10.14.245.253 ether 00:D0:83:05:A2:D4 C eth1
10.14.216.160 ether D0:67:E5:21:0F:4E C eth2.
10.14.216.224 ether D0:67:E5:21:0E:08 C eth2.
10.14.216.190 ether D0:67:E5:20:F9:90 C eth2.
10.14.216.214 ether D4:BE:D9:C0:C6:BE C eth2.
10.14.216.220 ether D0:67:E5:21:09:5E C eth2.
10.14.245.232 ether 2C:3F:38:DE:86:C1 C eth1
10.14.216.206 ether D0:67:E5:21:12:07 C eth2.
wh-tusgr-key.wyndham.co ether 14:18:77:4E:41:FE C eth2.
10.14.216.226 ether D4:BE:D9:C2:EB:AA C eth2.
10.14.216.203 ether D0:67:E5:21:0F:98 C eth2.
10.14.245.229 ether 68:BC:0C:9E:03:C1 C eth1
10.14.216.204 ether D0:67:E5:21:10:9A C eth2.
10.14.216.236 ether 00:80:91:74:27:3F C eth2.
10.14.216.222 ether D4:BE:D9:C0:82:DF C eth2.
10.14.216.181 ether D4:BE:D9:C0:CD:E5 C eth2.
wh-tusgr-nas.wyndham.co ether D4:AE:52:69:5C:34 C eth2.
10.14.216.199 ether 44:8A:5B:4B:78:14 C eth2.
10.14.245.247 ether AC:81:12:C3:7C:F9 C eth1
10.14.216.146 ether 44:8A:5B:4B:78:59 C eth2.
10.14.238.135 ether 00:A0:A4:20:8B:82 C eth2.
microsrv.wyndham.com ether 3C:A8:2A:0D:B2:28 C eth2.
10.14.216.237 (incomplete) eth2.
10.14.216.189 ether D4:BE:D9:C0:CE:58 C eth2.
10.14.216.197 ether D8:9D:67:D4:36:A1 C eth2.
wh-tusgroifc.wyndham.co ether 18:03:73:CF:47:B2 C eth2.
10.14.216.215 ether 28:80:23:D4:65:5C C eth2.
10.14.216.207 ether D0:67:E5:21:08:97 C eth2.
wh-tusgr-oxi.wyndham.co ether 34:17:EB:AD:C1:E9 C eth2.
10.14.245.233 ether 2C:3F:38:E0:D2:C1 C eth1
10.14.238.136 ether 00:A0:A4:20:8C:1E C eth2.
10.14.216.225 ether D0:67:E5:21:0C:A1 C eth2.
wh-tusgrw917.wyndham.co ether 44:8A:5B:4B:77:F3 C eth2.
wh-tusgr-fd1.wyndham.co ether D4:BE:D9:C0:CE:29 C eth2.
10.14.238.137 ether 00:A0:A4:20:87:D6 C eth2.
10.14.216.209 ether 44:8A:5B:4B:78:11 C eth2.
10.14.245.254 ether 00:D0:83:07:42:EC C eth1
10.14.216.229 ether D0:67:E5:21:11:5B C eth2.
wh-tusgr-01.wyndham.com ether D4:AE:52:6A:29:54 C eth2.
10.14.216.187 ether D4:BE:D9:C0:C6:A7 C eth2.
10.14.216.223 ether D0:67:E5:21:12:5E C eth2.
10.14.245.230 ether 2C:3F:38:4F:9C:C1 C eth1
10.14.245.228 ether 68:BC:0C:99:DA:41 C eth1
10.14.238.133 ether 00:A0:A4:20:8C:02 C eth2.
10.14.245.235 ether 2C:3F:38:CC:52:41 C eth1
10.14.245.236 ether 2C:3F:38:DE:86:41 C eth1
wh-tusgr-opr1.wyndham.c ether 14:18:77:5A:32:CD C eth2.
10.14.238.141 ether 00:A0:A4:20:89:CF C eth2.
10.14.245.237 ether 2C:3F:38:D6:E7:41 C eth1
10.14.245.248 ether AC:81:12:C3:83:F5 C eth1
209.12.76.73 ether 00:A0:C8:59:DE:7A C Mgmt
10.14.245.239 ether 2C:3F:38:D6:F8:41 C eth1
10.14.245.234 ether 2C:3F:38:D6:F6:41 C eth1
10.14.216.218 ether D4:BE:D9:C0:83:57 C eth2.
10.14.216.212 ether D0:67:E5:21:15:74 C eth2.
10.14.216.211 ether D4:BE:D9:C0:7F:60 C eth2.
10.14.216.5 ether 14:18:77:5A:35:A2 C eth2.
10.14.245.231 ether 2C:3F:38:B6:BD:41 C eth1
[Expert@FWWYNTUSGR02:0]# arp
Address HWtype HWaddress Flags Mask Iface
209.12.76.73 ether 00:A0:C8:59:DE:7A C Mgmt
10.14.245.247 ether AC:81:12:C3:7C:F9 C eth1
30 10.14.245.246 ether AC:81:12:90:CB:56 C eth1
10.14.245.226 ether 00:1C:7F:35:F2:36 C eth1
30 10.14.245.248 ether AC:81:12:C3:83:F5 C eth1
30 wh-tusgr-dc.wyndham.com ether D4:AE:52:6E:EB:6A C eth2.10
10
30
50
20
20
30
30
30
20
10
20
30
30
30
30
30
30
30
30
10
30
30
30
30
30
30
10
30
30
50
50
30
30
30
10
30
30
30
50
30
30
20
50
30
30
10
30
30
50
10
50
30
30
30
10
ask Iface
Mgmt
eth1
eth1
eth1
eth1
A C eth2.10
[Expert@FWWYNTUSGR01:0]# cplic print
Host Expiration Features
10.86.243.39 never CPAP-SG220X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB
Contract Coverage:
# ID Expiration SKU
===+===========+============+====================
1 | YDY06I9 | 31Aug2017 | CPES-SS-PREMIUM-ADD
+-----------+------------+--------------------
|Covers: CPAP-SG220X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA
===+===========+============+====================
2 | GOS76I3 | 18Apr2014 | CPSB-APCL-S-1Y
+-----------+------------+--------------------
===+===========+============+====================
3 | 264US23 | 18Apr2014 | CPSB-IPS-S-1Y
+-----------+------------+--------------------
===+===========+============+====================
[Expert@FWWYNTUSGR02:0]# cplic print

Host Expiration Features
10.86.243.39 never CPAP-SG220X CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB
Contract Coverage:
# ID Expiration SKU
===+===========+============+====================
1 | 41YOOY2 | 6Jun2013 | CPSB-IPS-S-1Y
+-----------+------------+--------------------
===+===========+============+====================
2 | YDY06I9 | 31Aug2017 | CPES-SS-PREMIUM-ADD
+-----------+------------+--------------------
===+===========+============+====================
3 | 447E261 | 6Jun2013 | CPSB-APCL-S-1Y
+-----------+------------+--------------------
===+===========+============+====================
-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7
CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-35-F2-3B
-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7
CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS-S1 CPSB-APCL-S1 CK-00-1C-7F-53-46-4F

S-S1 CPSB-APCL-S1 CK-00-1C-7F-35-F2 -3B
PCL-S1 CK-00-1C-7F-35-F2-3B
PCL-S1 CK-00-1C-7F-35-F2-3B
PCL-S1 CK-00-1C-7F-35-F2-3B
S-S1 CPSB-APCL-S1 CK-00-1C-7F-53-46 -4F
PCL-S1 CK-00-1C-7F-53-46-4F
PCL-S1 CK-00-1C-7F-53-46-4F
PCL-S1 CK-00-1C-7F-53-46-4F

Template For Firewall Failover

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Template For Firewall Failover

Hochgeladen von

Copyright:

Verfügbare Formate

Project Name (Take 64): Project Nam

RFC # Brief Description of change Implementation Date

Quarterly failover on FWWYNTUSGR01

Key Contacts for this change:

Sec Ops Document Review Sign off

Document Revision Control

1:00 PM 1:15 PM RFC Create

ontacts for this change:

maheedhar.immadabathuni@wyn.com 973-753-7574 973-727-6814

Document Review Sign off

Yes N/A WWC No

Item Task Description Status/Result

Setup meeting with Business and/or CSIT to discuss the following:

Fill out Implementation plan and provide supporting documentation in the

Identify devices that are directly involved in this change (update

Est. Completion Notes Initials

2 "Implementation Plan" tab has been filled out and

See Hosts File tab BS

Implementation Start = Noone

Failing over TUSGR FWWYNTUSGR_CL Cluster (FWWYNTUSGR01 209.12.76.75 |

Expected Completion Time Resource

Status Task Category Task Number

Expected Completion Time (Eastern

EIT INFO SEC Test plan

Prior to Equipment change

HTCS will join meeting place bridge

10.x.x.23 Front Desk 10.x.x.101, 102, 103

10.x.x.23 Front Desk 10.x.x.101, 102, 103

Front Desk 10.x.x.101, 102, 103

Front Desk 10.x.x.101, 102, 103

PConfig /flushdns front desk workstations) –optional not necessary.

nderstands that they could be down for 3 hours downtime.

Cluster Mode: High Availability (Active Up) with IGMP Membership

Number Unique Address Assigned Load State

1 (local) 10.14.245.226 100% Active

eth1 Link encap:Ethernet HWaddr 00:1C:7F:35:F2:36

eth2 Link encap:Ethernet HWaddr 00:1C:7F:35:F2:37

eth2.10 Link encap:Ethernet HWaddr 00:1C:7F:35:F2:37

eth2.20 Link encap:Ethernet HWaddr 00:1C:7F:35:F2:37

eth2.30 Link encap:Ethernet HWaddr 00:1C:7F:35:F2:37

eth2.40 Link encap:Ethernet HWaddr 00:1C:7F:35:F2:37

eth2.50 Link encap:Ethernet HWaddr 00:1C:7F:35:F2:37

lo Link encap:Local Loopback

eth1 Link encap:Ethernet HWaddr 00:1C:7F:53:46:4A

eth2 Link encap:Ethernet HWaddr 00:1C:7F:53:46:4B

eth2.10 Link encap:Ethernet HWaddr 00:1C:7F:53:46:4B

eth2.20 Link encap:Ethernet HWaddr 00:1C:7F:53:46:4B

eth2.30 Link encap:Ethernet HWaddr 00:1C:7F:53:46:4B

eth2.40 Link encap:Ethernet HWaddr 00:1C:7F:53:46:4B

eth2.50 Link encap:Ethernet HWaddr 00:1C:7F:53:46:4B

lo Link encap:Local Loopback

# Controls IP packet forwarding

# Controls source route verification

# Controls the System Request debugging functionality of the kernel

# Controls the maximum size of a message, in bytes

# Controls the default maxmimum size of a mesage queue

# Controls the maximum shared segment size, in bytes

# Controls the maximum number of shared memory segments, in pages

# Enables ARP filtering

# Ignore ICMP bcasts

# Disable ICMP Redirect Acceptance

# Retry tcp this many times

# Verbosity of kernel messages