Configure HA

After you have deployed two NGFW Engines, configure high availability (HA).

Before you begin

  • To use HA, the NGFW Engine must be able to resolve host names. Configure a DNS server in the Management Client component of the SMC.
  • In the Management Client, add a rule to the Firewall Policy to allow HTTP connections from the NGFW Engine to the AWS API, and from the AWS API to the NGFW Engine.

For detailed instructions, see the Forcepoint Next Generation Firewall Product Guide.

HA requires NGFW version 6.4.4 or higher.

In an HA configuration, one NGFW instance acts as the default gateway for outbound traffic in one VPC. If the active NGFW instance becomes unavailable, the other NGFW instance becomes the default gateway.

The HA configuration consists of the following files:

  • run-at-boot script — The HA script that runs on each NGFW instance. The script uses AWS API calls to enumerate the Route Tables of one or more subnets of a VPC and to change the NGFW instance that acts as the default gateway in case of a failover.
  • policy.json — Example rules that you can copy and paste into the identity and access management (IAM) policy that allows the NGFW instance to access the AWS API.

Steps

  1. Obtain the run-at-boot script and the policy.json file from https://github.com/Forcepoint/fp-NGFW-AWS-ha.
  2. Create an IAM policy to allow the NGFW instance to access the AWS API.
    1. Open the AWS console, then select IAM from the Services drop-down list at the top of the page.
    2. From the menu on the left, select Policies.
    3. Click Create Policy.
    4. Copy the contents of the policy.json file and paste them into the web editor on the JSON tab.
    5. Click Review Policy.
    6. Enter a name and description for the policy.
    7. Click Create Policy.
  3. Create an IAM role that uses the IAM policy that you created.
    1. In the AWS console, select IAM from the Services drop-down list at the top of the page.
    2. From the menu on the left, select Roles.
    3. Click Create role.
    4. Under the options for the service that will use this role, select EC2, then click Next.
    5. Attach the IAM policy that you created, then click Next.
    6. Click Review.
    7. Enter a name and description for the role, then click Create role.
  4. Attach the IAM role to the NGFW instances in AWS.
    1. In the AWS console, select EC2 from the Services drop-down list at the top of the page.
    2. From the menu on the left, open the Instances page.
    3. Right-click the NGFW instances on which you want to enable HA, then select Instance Settings > Attach/Replace IAM Role.
    4. From the drop-down list, select the role that you created, then click Apply.
  5. Perform these steps on each NGFW instance:
    1. On your computer, open a terminal program, then enter the following command to open an SSH connection to the command line of the NGFW Engine using the aws user account:
      ssh -i <your ssh private key>.pem aws@<aws instance public ip address>
    2. Create a /data/route-tables file and populate it with the “rtb-*” entries from the Route Tables to be configured with HA.
      Select the route tables of the subnets that use the HA NGFW Engines as a default route. Enter each route table entry on a separate line.
      Example /data/route-tables file:
      rtb-0123456789
      rtb-0123456788
      rtb-0123456787
      rtb-0123456786
    3. Copy the run-at-boot script to the instance.
    4. If the NGFW instance only has one interface, edit the run-at-boot script and change 1 to 0 in the following line:
      if interface['Attachment']['DeviceIndex'] == 1
    5. To move the run-at-boot script to the /data directory, enter the following command:
      mv run-at-boot /data
    6. To make the run-at-boot file executable, enter the following command:
      chmod +x /data/run-at-boot
    7. Edit the /data/run-at-boot file and change the region on the following line to the region that your instance is operating in:
      ec2 = boto3.resource('ec2', region_name='<region>', api_version='2016-09-15')
    8. To make sure that there are no errors, enter the following command to run the run-at-boot script manually:
      python /data/run-at-boot
    9. Reboot the NGFW Engine.
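The run-at-boot script itself is Forcepoint's and is not reproduced here. As an added example (not the project's code) of the route-table steering step the script performs, the Python below reads the /data/route-tables file, picks the NGFW data interface by DeviceIndex (1, or 0 on a single-interface instance, matching step 5.4), and repoints the 0.0.0.0/0 route of every listed table at that interface. Assumptions: the boto3 client API is used instead of the resource API the script uses, only the IPv4 default route is failed over, and the peer health check that decides when a failover should happen is left out. The sample file contents, interfaces and route tables are constructed so the parsing and planning functions run offline.

```python
import re
import sys

ROUTE_TABLE_FILE = "/data/route-tables"   # file created in step 5.2 of the page
DEFAULT_ROUTE = "0.0.0.0/0"               # assumption: only the IPv4 default route is steered
RTB_RE = re.compile(r"^rtb-[0-9a-f]+$")   # shape of the entries shown on the page

# Constructed sample file contents: blank lines and '#' comments are tolerated
SAMPLE_FILE = "rtb-0123456789\nrtb-0123456788\n\n# subnet b\nrtb-0123456787\n"

# Constructed, DescribeNetworkInterfaces-shaped records for one NGFW instance
SAMPLE_INTERFACES = [
    {"NetworkInterfaceId": "eni-mgmt0000", "Attachment": {"DeviceIndex": 0}},
    {"NetworkInterfaceId": "eni-data1111", "Attachment": {"DeviceIndex": 1}},
]

# Constructed, DescribeRouteTables-shaped records: one already points at this
# NGFW, one points at the peer NGFW, one has no default route at all
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0123456789",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-data1111"}]},
    {"RouteTableId": "rtb-0123456788",
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-peer2222"}]},
    {"RouteTableId": "rtb-0123456787",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]


def parse_route_tables(text):
    """Return the rtb-* ids listed in the file, one per line. A malformed entry
    raises instead of being skipped: a silently dropped line would leave that
    subnet without failover."""
    ids = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not RTB_RE.match(line):
            raise ValueError(f"{ROUTE_TABLE_FILE}:{lineno}: not a route table id: {line!r}")
        ids.append(line)
    return ids


def select_data_interface(interfaces, device_index=1):
    """Pick the ENI with the given DeviceIndex (1 on two-interface NGFW
    instances, 0 on single-interface ones, as in step 5.4)."""
    for iface in interfaces:
        if iface["Attachment"]["DeviceIndex"] == device_index:
            return iface["NetworkInterfaceId"]
    raise LookupError(f"no interface with DeviceIndex {device_index}")


def plan_route_changes(route_tables, eni_id):
    """For each route table decide what is needed to make eni_id the default
    gateway: 'keep' (already ours), 'replace' (points elsewhere) or 'create'
    (no default route present). Returns a list of (rtb_id, action) pairs."""
    plan = []
    for rtb in route_tables:
        action = "create"
        for route in rtb.get("Routes", []):
            if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
                continue
            action = "keep" if route.get("NetworkInterfaceId") == eni_id else "replace"
            break
        plan.append((rtb["RouteTableId"], action))
    return plan


def failover(ec2, instance_id, device_index=1):
    """Live run against AWS: read the file, find our data ENI, then apply the
    plan with the boto3 client calls describe_network_interfaces,
    describe_route_tables, replace_route and create_route."""
    with open(ROUTE_TABLE_FILE) as fh:
        rtb_ids = parse_route_tables(fh.read())
    ifaces = ec2.describe_network_interfaces(
        Filters=[{"Name": "attachment.instance-id", "Values": [instance_id]}]
    )["NetworkInterfaces"]
    eni_id = select_data_interface(ifaces, device_index)
    tables = ec2.describe_route_tables(RouteTableIds=rtb_ids)["RouteTables"]
    plan = plan_route_changes(tables, eni_id)
    for rtb_id, action in plan:
        if action == "replace":
            ec2.replace_route(RouteTableId=rtb_id, DestinationCidrBlock=DEFAULT_ROUTE,
                              NetworkInterfaceId=eni_id)
        elif action == "create":
            ec2.create_route(RouteTableId=rtb_id, DestinationCidrBlock=DEFAULT_ROUTE,
                             NetworkInterfaceId=eni_id)
    return plan


if __name__ == "__main__":
    # usage: python ha-example.py <instance-id> <region>   (run as the aws user, like step 5.8)
    import boto3  # only needed for a live run; the functions above work without it
    ec2 = boto3.client("ec2", region_name=sys.argv[2])
    for rtb_id, action in failover(ec2, sys.argv[1]):
        print(rtb_id, action)
```

The AWS-independent parts (parsing, interface selection, planning) are kept apart from the API calls so they can be exercised without credentials, which is also a cheap way to check the /data/route-tables file before the reboot in step 5.9. The calls used assume an instance role that grants at least ec2:DescribeNetworkInterfaces, ec2:DescribeRouteTables, ec2:ReplaceRoute and ec2:CreateRoute; the repository's policy.json remains the authoritative list for the real script.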