Upgrading VM Series Firewalls Behind Load Balancer in AWS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L3 Networker
100% helpful (2/2)

Title_Upgrading-VM Series-Firewalls_palo-alto-networks.jpg

 

Have you ever encountered discussions about planning a VM series upgrade or wondered about the fate of existing connections during a firewall upgrade? How can firewalls be upgraded with minimal impact and downtime? This article aims to address these queries and provide guidelines for an upgrade process. 

 

Modern businesses employ the Gateway Load Balancer framework to incorporate security insertion. You have the ability to customize health check preferences for specific target groups. By default, general settings are in place unless changed during the initial creation of the target group or in subsequent adjustments. The Gateway Load Balancer actively monitors the well-being of targets within active Availability Zones and routes requests to those healthy targets.

 

For the purpose of this article, let us consider a topology where we have 2 VM Series firewalls: FW-1, FW-2 as part of a target group, deployed behind a GWLB . Both these firewalls show as healthy in the target group.

 

Screenshot 2023-09-29 at 10.40.09 AM.png

To upgrade the firewalls, You can take into consideration below factors to ensure minimal downtime. 

 

1.   De-Register FW-2 from the Target Groups (Check if the firewall is part of multiple ALB target-groups and de-register it from all). When you deregister a target, it is taken out of your target group. The Gateway Load Balancer ceases to direct traffic to      a target immediately upon de-registration. The target enters the draining state. The GWLB waits for the de-registration delay timer (attribute of Target Group) to change the state of a de-registering target from draining to unused. The default value is 300 seconds (5 min). It can be modified in the target group settings. The range is 0-3600 seconds.

 

During this time of de-registration delay timer any new connections would not be forwarded to it by GWLB. 

Existing connections get specified seconds to complete. Post the delay timer, existing connections will be forcefully terminated as  well. Hence if there are any remaining sessions they will experience disconnection.

 

2.   After waiting for the de-registration delay timer, FW-2 should stop receiving any traffic. and now we can upgrade the VM series and reboot. There is no downtime since the FW-1 will handle all the connections.

 

3.   Once the FW-2 is back, register it in the target group. This Firewall should show up as healthy in the Health Check of. FW-2 is ready to accept the connections at this stage.

 

4.   The new connections can now be forwarded to FW-2 by GWLB.

We can now repeat the same steps from step 1-3 and deregister FW-1 from GWLB so that it enters the de-registration delay timer. We will upgrade the firewall, reboot and add it back to the target group to start processing traffic.

 

There is very minimal downtime experienced if the upgrade is carried out in this manner. You can follow these guidelines for multiple firewalls. It is always recommended to take backup of configuration before performing any maintenance activity.

 

Note: For more information on how to rebalance existing flows in case the target is in de-registration / unhealthy state, please refer to the AWS article: Introducing AWS Gateway Load Balancer Target Failover for Existing Flows 

Rate this article:
(1)
Comments
L1 Bithead

how about the firewalls in Auzre cloud?  it seems only can remove one firewall from the loadbalancer in Azure.

  • 5590 Views
  • 1 comments
  • 1 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎09-28-2023 10:28 PM
Updated by: