Configure a High Availability Deployment (Active / Active)
A high availability (HA) deployment consists of multiple application servers reached through a single virtual IP address (VIP); this is what distinguishes an HA deployment from a distributed deployment.
A third-party load balancer, such as an F5 load balancer, is required to answer for the VIP.
Planning and Preparing for the Deployment
- Define the number of servers and the role of each in the ecosystem deployment:
- Database: only one may exist
- Application Server: two or more may exist
- Data Collector: one or more must exist
- Define host name and IP address schema for the deployment.
- Update enterprise DNS with the new host names and addresses, including the VIP.
- Generate an SSL certificate for the virtual IP address (VIP) of the application servers.
- Generate any other required SSL certificates as needed for the deployment.
Installation
This procedure is a continuation of Step 7c from the FMOS Configuration Wizard topic.
To configure a high availability environment, complete the following steps.
- Configure the load balancer so that it answers for the VIP of the application server(s).
- Install the SSL certificate for the VIP on the load balancer.
- Bind this to the traffic forwarding / load balancing profiles as required by the load balancer platform in use.
If you terminate SSL at the load balancer, only the SSL certificate needs to be configured there; the public_hostname value does not need to appear in the Subject Alternative Name (SAN) of that certificate.
The first server in a HA environment must always hold the database role.
- Install the database server.
- On the Environment selection screen, select New Deployment.
- Select Database Only, and click OK.
After installation and deployment are complete, the database server runs PostgreSQL and accepts remote connections over TCP/IP secured by TLS.
- Install the application server.
- On the Environment selection screen, select Existing Deployment, and click OK.
- Confirm that the FQDN of the database server resolves to the correct IP address and that the PostgreSQL client can connect to it over TCP/IP with TLS.
- From the application server, run the command: fmos ecosystem join <DB FQDN>
The fmos ecosystem join command communicates with the FMOS Server Control Panel on the superior server of the new appliance (in this case, the database server), which provides the necessary configuration settings for the new appliance (the application server). The superior server must be specified as a command line argument, using the fully qualified domain name (FQDN).
- To ensure secure communication with the FMOS Control Panel on the superior server, the program may prompt for manual verification of the server's HTTPS certificate. In this case, follow the on-screen prompts to verify the fingerprint of the certificate before continuing.
If the certificate fingerprint shown does not match the fingerprint obtained independently from the superior server, DO NOT allow the command to continue. A mismatch is a sign that a man-in-the-middle attack is in progress, and failure to verify the correct fingerprint can expose sensitive data (including the credentials entered in the next step) to malicious parties.
- You will be prompted to confirm the identity of the server being joined (in this case, the application server).
- You will be prompted for authentication credentials. Enter the username and password of an FMOS user on the remote server who holds the FireMon Administrator privilege.
- After retrieving the configuration from the superior server, the program enables the selected roles and then deploys the new configuration. Once this process completes, the application server should be running.
- To add additional application servers, repeat the above steps: install FMOS, on the Environment selection screen select Existing Deployment, and click OK. Then join the server to the environment using the fmos ecosystem join command, specifying the database server as the superior server.
- Import the CA certificate that issued the load balancer's VIP certificate (installed in step 2) into each application server before adding any data collectors, so that the application servers trust connections made via the VIP.
Import it with the command (mycacert.crt is the path to your CA certificate file): fmos pki import-ca mycacert.crt
For the change to take effect on the application server, restart the application server service with the command: fmos restart as
Once all application servers have been joined to the environment, test reachability to the Security Intelligence Platform (SIP) in a browser via the FQDN of the VIP. This is the point at which to validate that the implemented load balancing strategy is functional.
DO NOT continue past this point until reachability to SIP has been confirmed.
- To add a data collector, install FMOS and on the Environment selection screen, select Existing Deployment, and then click OK.
- The fmos ecosystem join command is also used to add a machine to the environment as a data collector. The machine specified as the superior server must hold the application server role. The data collector role is selected automatically for the new machine.
Do not specify an IP address configured directly on any of the servers; use only the FQDN of the VIP deployed on the load balancer, so that the data collector is served by whichever application server the load balancer selects.
- Data collectors require a system user account within SIP, so the program will prompt for SIP credentials. Enter the username and password of an account that has write permissions granted for data collectors.
Permissions are granted to users at the user group level. These settings are in Administration application > Access > User Groups.
- After retrieving the configuration from the superior server, the program will enable the selected roles and then deploy the new configuration. Once this process completes, the data collector server should be running.
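The checks that the join procedure above asks for (the database FQDN resolving correctly, PostgreSQL reachable over verified TLS, the control panel fingerprint compared against an independently fetched value, the VIP pointing at the load balancer rather than an application server, and the VIP answering over HTTPS with a certificate that chains to the CA you import) can be scripted around the fmos commands. The following is an added shell example, not FireMon tooling and not part of this page; it uses only openssl, getent, psql and curl. The hostnames, IP addresses, CA file paths, the psql user and the assumption that the control panel listens on port 443 are placeholders chosen for illustration.

```sh
#!/bin/sh
# Added example (not FireMon tooling): checks run before and after
# "fmos ecosystem join" in an FMOS HA deployment.
# Hostnames, IPs, CA paths and the control panel port (443) are placeholders.

# Normalise a fingerprint as printed by different tools ("AB:CD:..", "ab cd ..",
# "abcd..") to bare upper-case hex, so the value shown by "fmos ecosystem join"
# can be compared with one fetched independently.
normalize_fp() {
    printf '%s' "$1" | tr -d ':[:space:]' | tr 'a-f' 'A-F'
}

# Exit 0 only if both fingerprints denote the same certificate.
fingerprints_match() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# SHA-256 fingerprint of the leaf certificate presented on host:port, fetched
# over a separate connection (ideally from a separate network path).
server_cert_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*=//'
}

# Compare the fingerprint printed by "fmos ecosystem join" (second argument)
# with one fetched from the superior server; a mismatch means abort the join.
verify_join_fingerprint() {
    fingerprints_match "$(server_cert_fingerprint "$1")" "$2"
}

# Check 1 (application server): the database FQDN resolves to the expected address.
check_dns() {
    resolved=$(getent hosts "$1" | awk '{print $1}' | head -n 1)
    [ "$resolved" = "$2" ]
}

# Check 2 (application server): PostgreSQL accepts a TLS connection with full
# certificate verification against the CA file. Expects PGPASSWORD or ~/.pgpass;
# -w forbids an interactive password prompt. pg_stat_ssl reports "t" when the
# current session is actually protected by TLS.
check_pg_tls() {
    PGSSLMODE=verify-full PGSSLROOTCERT="$3" \
        psql -w -h "$1" -U "$2" -d postgres -tA \
        -c "SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid()" | grep -qx t
}

# Check 3 (before adding data collectors): the VIP FQDN belongs to the load
# balancer, i.e. it does not resolve to any application server address.
check_vip_not_app_server() {
    vip_ip=$(getent hosts "$1" | awk '{print $1}' | head -n 1)
    shift
    for app_ip in "$@"; do
        [ "$vip_ip" != "$app_ip" ] || return 1
    done
    [ -n "$vip_ip" ]
}

# Check 4 (after joining all application servers): the VIP answers over HTTPS
# and its certificate chains to the CA imported with "fmos pki import-ca".
check_vip_https() {
    curl --silent --show-error --fail --cacert "$2" --output /dev/null "https://$1/"
}

# Run everything: preflight DB_FQDN DB_IP DB_USER DB_CA VIP_FQDN LB_CA APP_IP...
preflight() {
    db_fqdn=$1; db_ip=$2; db_user=$3; db_ca=$4; vip_fqdn=$5; lb_ca=$6
    shift 6
    check_dns "$db_fqdn" "$db_ip" || { echo "FAIL: $db_fqdn does not resolve to $db_ip"; return 1; }
    check_pg_tls "$db_fqdn" "$db_user" "$db_ca" || { echo "FAIL: no verified TLS session to PostgreSQL on $db_fqdn"; return 1; }
    check_vip_not_app_server "$vip_fqdn" "$@" || { echo "FAIL: $vip_fqdn resolves to an application server, not the load balancer"; return 1; }
    check_vip_https "$vip_fqdn" "$lb_ca" || { echo "FAIL: HTTPS via $vip_fqdn unreachable or not trusted by $lb_ca"; return 1; }
    echo "All checks passed. Control panel fingerprint on $db_fqdn: $(server_cert_fingerprint "$db_fqdn")"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 7 ]; then
    preflight "$@"
fi
```

Run it from the application server as, for example, `sh ha-checks.sh db.example.com 10.0.0.5 fmos /etc/pki/db-ca.crt sip.example.com /etc/pki/lb-ca.crt 10.0.0.11 10.0.0.12` before and after the join steps; when `fmos ecosystem join` displays the control panel fingerprint, compare it with `verify_join_fingerprint db.example.com '<fingerprint shown>'` from a second session and abort the join on any mismatch.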
Verify Functionality
- Validate the SSL trust status of the application servers by confirming in a browser that the VIP certificate is presented and trusted without warnings.
- In SIP, verify the load balancing is behaving as expected and not causing any abnormal behavior.
- Administration application > Settings > Security Manager > URL
- Validate that all deployed Data Collectors are available for assignment to devices.
- Administration application > System > Data Collectors
- Add a few devices within the Administration application and verify that retrievals and normalization are working.
- Administration application > Device > Devices
- If utilizing these functions, verify that change detection and usage logging are working.
- Security Manager application
- Perform any other organizational specific acceptance procedures and accept the system into production.