JBnippy57
New firewall implementation guidance

Hi everyone,

We are looking to replace our LAN Firewall, and I was hoping to get some guidance on how best to introduce it to the LAN as change on this scale is not exactly a routine daily task in this network!

Firstly, would it be recommended for the new device to assume the current FW's LAN IP or assign a different one? I know that if I allow it to assume the extant FW IP, I will need to reboot anything and everything to make sure all ARP tables are cleared to avoid networking issues but is that it?

Equally if I assign it a new LAN IP, I will need to alter the config. of our Domain Controller/DHCP Server's 003 Router entry to the new IP so that the clients get the correct settings provided when an DHCP IP is leased. Is that all, in this case?

Secondly, we use MS Exchange 2010 SP2 as our in-house mail system, beyond potentially altering its default gateway depending on the above point, is there anything else I will potentially need to change on it to ensure the flow of email continues? I saw a question on EE that nearly got there on this subject before I posted this, but there didn't seem to be a definitive answer.

Generally, I know that I need to ensure all the rules, host/network/DNS definitions and any custom service/protocol definitions are documented and equivalents are setup in the new FW, that we need to conduct out of hours testing before committing to going Live so we have the old FW as a reversion plan (I have limited time as we are implementing the new FW with a new Leased Line/Public IP so need to conduct testing as quickly as possible!) as well as have a check list of steps such as re-pointing MX Records to the new public IP, etc.

Any advice would be gratefully received indeed!

Many thanks,

JB
David Needham

This should be relatively straightforward. If I were doing the swap out, then I would use the same IP address as the current firewall. You could then configure the new firewall offline. All you would really need to do is replicate the current firewall's config. If all that needs configuring is the port forwarding to Exchange, as you have alluded to, then once done you'll be able to just swap them over and test.
ASKER CERTIFIED SOLUTION
masnrock
JBnippy57

ASKER

Thanks very much indeed David and Masnrock, your comments are very much appreciated.

I take the point about the new device assuming the old's IP address, it is the lesser degree of change in terms of static address changing, DHCP alterations etc and also with the all important MS Exchange box with the ability to revert back if anything crops up that we hadn't allowed for.

My only concern was that to adopt the current IP was the risk of there being network issues with the same IP resolving to a different MAC address... but in reality any problems should be quickly solved as records update etc. after client reboots, static entries being changed.

We use Appriver as a 3rd party filtering service, so will ask them to update the public IP for delivery post-filtering - thanks for that tip, it's now on the migrate checklist as it wasn't before today!

I am currently going through the present FW config and am documenting like mad all of its settings. Generally the FW isn't doing anything particularly clever... there are no static routes enabled, no out of the ordinary rules. Hopefully this should be relatively straightforward to create equivalent rules on the new FW, then test it before committing to Go Live.

Thanks again for your guidance, it is very much appreciated.

Regards

JB
No problem at all! :-)
As long as your LAN is functioning as it should, any ARP issue would resolve itself within 20 seconds or so. So I wouldn't see this as anything to worry about.
My only concern was that to adopt the current IP was the risk of there being network issues with the same IP resolving to a different MAC address... but in reality any problems should be quickly solved as records update etc. after client reboots, static entries being changed.
Exactly. The ARP tables will update without issue, so this is one that you won't have to think about.

Appriver tends to be very responsive, as you well know, so that shouldn't be an issue either.

Glad we could help!
masnrock, why do you say
you will want to reboot or disconnect/reconnect any DHCP clients
You just told him it would be better NOT to change the firewall's IP address, right? That would mean there would be nothing changed in AD or DHCP.
Aren't we assuming that the "default gateway" would be on the firewall, as in, the connection between the internal network and the ISP? Seems confusing...

As far as mail exchange records are concerned, yes, you would indeed have to make those changes in your DNS provider's records if you have changed your public IP.

And as far as ARP is concerned, from the client side that will happen automatically when the client receives an answer from the BOOTP (DHCP) server. It will respond to whoever replies to its query, and use the MAC address associated -- no issues.

And from the firewall side, there'll be a fresh ARP table that hasn't been populated yet, so nothing should go wrong there. And then if you have to back out for whatever reason, the ARP cache on the original firewall will still be intact (presumably).

I'm curious whose firewall you will be using -- which vendor?


Cheers!
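Since the thread turns on the same gateway IP resolving to a different MAC after the swap, here is an added example (not from any poster on this thread) that checks post-cutover ARP caches collected from LAN hosts: it flags dynamic entries still holding the old MAC (these age out on their own) and static entries (which, as the asker notes, must be changed by hand). The host names, IPs and MACs are constructed, and the input is the Windows `arp -a` format.

```python
import re

# Constructed sample (hypothetical addresses, not from the thread): `arp -a`
# output from three Windows hosts after the firewall swap. pc-01 has already
# learned the new MAC, exchange01 holds a static entry for the old firewall's
# MAC, and pc-02 has not talked to the gateway yet.
GATEWAY_IP = "192.168.1.1"
NEW_FW_MAC = "00-11-22-aa-bb-02"   # MAC of the replacement firewall

SAMPLE_ARP = {
    "pc-01": """Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-aa-bb-02     dynamic
""",
    "exchange01": """Interface: 192.168.1.10 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-aa-bb-01     static
""",
    "pc-02": """Interface: 192.168.1.51 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.50          00-11-22-aa-bb-50     dynamic
""",
}

# Matches the "IP  MAC  Type" rows; header and "Interface:" lines do not match.
ARP_ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)")

def parse_arp(text):
    """Return {ip: (mac, type)} from Windows `arp -a` output."""
    entries = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            entries[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return entries

def gateway_status(arp_by_host, gateway_ip, new_mac):
    """Classify each host's cached entry for the gateway IP after the swap."""
    status = {}
    for host, text in arp_by_host.items():
        entry = parse_arp(text).get(gateway_ip)
        if entry is None:
            status[host] = "none"          # nothing cached yet; harmless
        elif entry[0] == new_mac.lower():
            status[host] = "ok"            # already learned the new MAC
        elif entry[1] == "static":
            status[host] = "stale-static"  # needs a manual fix on that host
        else:
            status[host] = "stale"         # dynamic; will age out, recheck
    return status
```

Hosts reported as stale-static are the ones to visit before go-live; a dynamic stale entry simply means the check was run inside the cache timeout.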
masnrock, why do you say

you will want to reboot or disconnect/reconnect any DHCP clients

You just told him it would be better NOT to change the firewall's IP address, right? That would mean there would be nothing changed in AD or DHCP.

Noel, the poster had asked about the scenario where the new firewall was given a new LAN IP address, which would cause a change in the default gateway for LAN devices. Please see the quote just ahead of that section.
Ah, yeah. I did see that, of course. It just seemed a little incongruous to advise against changing the internal IP, then explain what would happen if that IP were changed. I didn't get the quick switchover...

No worries. Your suggestions seem spot on to me. :-)
@Noel - No worries... it is a lot to read through, and plenty did get asked.
Hi all

Thanks for comments Noel, and replies back! Yes it was a big post.. sorry!

For information the firewall is a Mako Networks 7582.

Cheers
Thanks for your help folks, the new LL activated today.. so currently getting the FW patched in on same LAN IP as old one and hoping the config I put in does the trick!