Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Building Firewall Clusters in NSM



Article ID: KB12459 KB Last Updated: 11 Feb 2011Version: 2.0
There are many ways to build a cluster of firewall devices in NSM.

This article will outline the preferred method.

Sometimes, the creation of a firewall cluster in NSM can lead to NSM making unexpected changes in configuration to the members of the cluster.

The problem is most acute if the cluster is created and initially only the master member is created and imported into NSM.
Often times, the master member will be brought into NSM and managed for some period prior to bringing in the backup member.
If the backup member is only configured with a management IP and then just imported into NSM as a cluster member, NSM will overwrite its own cluster settings with those of the new device.
This is because NSM uses the most recent import device as the basis for the cluster settings.
Thus, a subsequent update to the cluster will push unwanted changes to the existing master and push no changes to the new member.

The following workflow presents the best practices method for adding the second cluster member to NSM.

Refer to KB7248 for steps with screenshots; however, refer to these steps for best practices.
  1. Create the cluster object in NSM (Click the Plus sign shown below to bring up the menu)
  2. This will define the device type, ScreenOS version and whether the devices are in transparent mode.
    Create Cluster

  3. Create the cluster members as modeled devices. (Select the new cluster and then click the + button again. This time, select "Cluster Member" )
  4. Name the member and select Modeled Device
    Member Create

  5. Configure all the desired settings for the cluster in NSM at the Cluster and Member level as needed.
  6. These would include Cluster ID, Cluster Name if desired, Admin Name, IP Address for management, Application of Template, etc.

  7. Configure NSRP on the devices such that they have enough information to create the cluster between themselves and reach NSM.
  8. This includes matching the IP address used for management (talking back to NSM), and cluster ID.
    This step is critical in that NSM will reject devices as cluster members if they are not configured in clusters to begin with.
    Ensure that the devices can ping the NSM server through the management interface.
    NOTE: This is the most often observed point of failure, especially if there is already a master cluster member in NSM. Users often attempt to bring in the other cluster member with no configuration whatsoever. This causes NSM to overwrite its own cluster settings with those of the newly added device. Subsequent pushes to the cluster will unset needed config info and likely cause traffic outages.

  9. Activate the cluster members in NSM.
  10. Use either the device reachable or device unreachable workflow.
    The devices will be brought into NSM.

  11. Update the cluster members from NSM.
  12. Perform either an automatic update during the import procedure, or click exit to update the devices later after viewing the Summarize Delta Config.
    The first update will cause all of the current cluster and member settings to be pushed out to the device.

  13. Complete any further configuration required in NSM.

  14. Update the devices from NSM again.
Case ID
Case Summary


Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search