route add -net <IP>/<cidr> gw <next hop IP>
route add -host <IP> gw <next hop IP>
route add default gw <gateway>
route del -net <IP>/<cidr> gw <next hop IP>
route --save


clish
  add pbr table <table_name>
  set pbr table <table_name> default route enable
  set pbr table <table_name> default nexthop gateway address <default_nexthop_ip>
  add acl <acl_name>
  set acl <acl_name> ininterface <ifname>
  set acl <acl_name> outinterface <ifname>
  add aclrule <acl_name> position 1
  set aclrule <acl_name> position 1 action pbr pbr_table <table_name> srcaddr <src_address_with_CIDR> destaddr <dst_address_with_CIDR> srcport 0-65535 destport 0-65535 protocol any tcp_estab no tos any dstfield none qspec none
  save config
  exit

Notes:

  • <table_name> and <acl_name> can be anything you want
  • In ACL, use 0.0.0.0/0 for "any"


clish -s -c "add arpproxy address <ip> macaddress <vip mac>"
clish -s -c "delete arpproxy address <ip>"


!! Most SPLAT Devices
echo "<NAT-IP> <Physical-Interface-MAC-Address>" >> $FWDIR/conf/local.arp

!! SPLAT Devices with VMAC mode enabled
echo "<NAT-IP> <Virtual-MAC-Address> <Physical-Int-IP>" >> $FWDIR/conf/local.arp

Notes:

  • Automatic NAT rules normally do not require a proxy ARP entry. Ensure "Merge manual proxy ARP configuration" is enabled under Global Properties -> NAT


cphaconf set_ccp multicast   !! Use Multicast (default mode, most efficient)
cphaconf set_ccp broadcast   !! Use Broadcast

cphaprob -a if    !! Verify current mode and monitored interfaces

Documentation


cphaprob -d problem -s problem report  !! Performed on active firewall to failover
cphaprob -d problem unregister !! Unregister the problem

Notes:

  • The best place to perform a failover is within the policy. This method is for temporary failover only. After the problem is unregistered, if the configuration has not been updated, the firewalls will likely fail back.


chsh -s /bin/bash <username>


ethtool -s <interface> speed <speed, e.g. 100> duplex <duplex> autoneg off  !! Modify interface speed/duplex (autonegotiation off)

config conn set local <ip>/<cidr> name <interface>  !! IP an interface
config conn add type vlan local <ip>/<cidr> vlan-tag <vlan-tag> dev <physical-int-name>  !! Create sub-interface with vlan
config conn del name <vlan-int>  !! Delete sub-interface

!! Configure monitoring of interface for failover (add/delete required interfaces, 1 per line)
cpstop
vi $FWDIR/conf/discntd.if
cpstart


cphaprob stat  !! view failover status
cphaprob -a if  !! view interface VIP configuration


fw ctl set int fwha_vmac_global_param_enabled 1        !! Enable until reboot
fw ctl set int fwha_vmac_global_param_enabled 0        !! Disable (default)

vi $FWDIR/boot/modules/fwkern.conf        !! Enable Permanently
fwha_vmac_global_param_enabled=1

Notes:

  • This keeps the MAC addresses of the VIPs from changing on cluster failover. It may correct issues with switches holding on to the old VIP MAC address.

Documentation
