[AusNOG] Interfaces swapping between physical NIC - Sidewinder v6 to v7

firewall-admin at hartfordgroup.com.au
Mon Jan 18 11:41:51 EST 2010


Hi,

We are in the process of upgrading our firewalls to Sidewinder V7, and
after the initial upgrade we have found that the interfaces have swapped
around physically. On 'Firewall1', the physical location of the interface
was retained; however, the label of the interface was changed. On
'Firewall2', the configuration was kept consistent with the interface
label; however, the physical location of the interface was changed to a
different NIC and port.

Below is a representation of what has happened, showing before the
upgrade, and after:

Firewall1

    OUT INS
V6  em0 em1 em2 em3     em7 em6 em5 em4
    -----------------------------------
    [ ] [ ] [ ] [ ]  |  [ ] [ ] [ ] [ ]
    -----------------------------------
V7  em4 em5 em6 em7     em3 em2 em1 em0
    OUT INS


Firewall2

    OUT INS
V6  em0 em1 em2 em3     em7 em6 em5 em4
    -----------------------------------
    [ ] [ ] [ ] [ ]  |  [ ] [ ] [ ] [ ]
    -----------------------------------
V7  em4 em5 em6 em7     em3 em2 em1 em0
                                INS OUT

OUT being outside interface, and INS being inside interface.

As you can see, consistency was maintained between both firewalls with
version 6; however, unfortunately this consistency was lost during the
upgrade and we are struggling to restore it. As part of our policy and
procedures, it is imperative that we maintain consistency across the board,
e.g. naming the lowest interface (for instance, outside on em0 - with em4
being unacceptable). We attempted to use the 'cf interface swap' command
using macaddr with limited success: whilst the actual interface configuration
swaps, the interface label does not.

I lodged a job with Secure Computing/McAfee about this, and as suspected
it is due to a change in the underlying OS between 6.1.2 and 7.0.1 (change
from BSDi to FreeBSD). They suggested that moving the interfaces
physically (e.g. putting it back to the V6 configuration, em0 being on the
left NIC, left port) is impossible, but we can do a feature modification
request to the developers there; no idea how long that would take.

Does anyone know how I can avoid this happening in the future, or provide
a workaround solution?

Any assistance greatly appreciated.

Steven
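Added example, not part of Steven's post and not from Secure Computing/McAfee: the situation he draws can be checked mechanically, because the MAC address stays with the physical port while the label (em0, em4, ...) is what the OS reassigns. The Python below parses FreeBSD-style ifconfig(8) output taken before and after an upgrade, maps each port (MAC) to its old and new label, and for each role (OUT, INS) reports whether the configuration followed the port (label changed, as on Firewall1) or followed the label (port changed, as on Firewall2). The ifconfig text, the MAC addresses (IANA documentation range) and the function names are all constructed for this example; the OUT/INS role assignments follow the diagram in the post.

```python
import re
from typing import Dict, Tuple

def sample_ifconfig(pairs) -> str:
    """Constructed ifconfig(8)-style text from (label, MAC) pairs; stands in for real output."""
    return "".join(
        f"{name}: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
        f"        ether {mac}\n" for name, mac in pairs)

# Constructed snapshots, trimmed to em0/em1/em4/em5.  MACs are 00:00:5e:00:53:xx,
# the IANA documentation range, not real hardware.
MAC = "00:00:5e:00:53:{:02x}".format
FW1_V6 = sample_ifconfig([("em0", MAC(0x10)), ("em1", MAC(0x11)),
                          ("em4", MAC(0x14)), ("em5", MAC(0x15))])
FW1_V7 = sample_ifconfig([("em4", MAC(0x10)), ("em5", MAC(0x11)),   # same ports, new labels
                          ("em0", MAC(0x14)), ("em1", MAC(0x15))])
FW2_V6 = sample_ifconfig([("em0", MAC(0x20)), ("em1", MAC(0x21)),
                          ("em4", MAC(0x24)), ("em5", MAC(0x25))])
FW2_V7 = sample_ifconfig([("em4", MAC(0x20)), ("em5", MAC(0x21)),
                          ("em0", MAC(0x24)), ("em1", MAC(0x25))])

ROLES_V6 = {"OUT": "em0", "INS": "em1"}        # both firewalls, per the diagram
FW1_ROLES_V7 = {"OUT": "em4", "INS": "em5"}    # Firewall1: config followed the port
FW2_ROLES_V7 = {"OUT": "em0", "INS": "em1"}    # Firewall2: config stayed with the label

UNCHANGED, LABEL_CHANGED, PORT_CHANGED, BOTH_CHANGED = (
    "unchanged", "label-changed", "port-changed", "both-changed")

def parse_ifconfig(text: str) -> Dict[str, str]:
    """Return {label: MAC}; the MAC identifies the physical port across the upgrade."""
    macs, current = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\w+): flags=", line)
        if head:
            current = head.group(1)
            continue
        ether = re.match(r"^\s+ether ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*$", line)
        if ether and current:
            macs[current] = ether.group(1)
    return macs

def renames(pre: Dict[str, str], post: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """For each port (MAC) whose label changed, map MAC -> (old label, new label)."""
    old_label = {mac: name for name, mac in pre.items()}
    return {mac: (old_label[mac], name) for name, mac in post.items()
            if mac in old_label and old_label[mac] != name}

def classify_roles(pre, pre_roles, post, post_roles) -> Dict[str, str]:
    """Per role: did its configuration keep the same port, the same label, both or neither?"""
    verdict = {}
    for role, old in pre_roles.items():
        new = post_roles[role]
        same_label = old == new
        same_port = pre[old] == post[new]
        if same_label and same_port:
            verdict[role] = UNCHANGED
        elif same_port:
            verdict[role] = LABEL_CHANGED
        elif same_label:
            verdict[role] = PORT_CHANGED
        else:
            verdict[role] = BOTH_CHANGED
    return verdict

def labels_consistent(*role_maps: Dict[str, str]) -> bool:
    """True when every firewall puts each role on the same interface label."""
    return all(m == role_maps[0] for m in role_maps[1:])

if __name__ == "__main__":
    for fw, pre, post, roles in (("Firewall1", FW1_V6, FW1_V7, FW1_ROLES_V7),
                                 ("Firewall2", FW2_V6, FW2_V7, FW2_ROLES_V7)):
        p, q = parse_ifconfig(pre), parse_ifconfig(post)
        print(fw, renames(p, q), classify_roles(p, ROLES_V6, q, roles))
    print("labels consistent:", labels_consistent(FW1_ROLES_V7, FW2_ROLES_V7))
```

Saving the pre-upgrade `ifconfig` output (or at least the label-to-MAC table) for every box before touching it is the cheap part; it turns "the interfaces swapped" into a per-port rename list that can be checked against the policy (lowest label carries the outside interface, identical labels on both firewalls) before the upgraded unit is put back in service.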