Link Redundancy on Tufin Appliances

This procedure is supported for TufinOS 4.30 and above.

For appliances with two network interfaces, NIC bonding renders the two physical interfaces as one virtual interface. This creates link redundancy, allowing one of the interfaces to take over in case of failure or disruption of the primary Ethernet link.

Note that this failover mechanism will be effective in cases with a single point of failover but may not work if there are simultaneous network failures.

Prerequisites

• Log in as a root user with the root user environment variables. Regular users can use sudo su - to become root users. If the sudo command is not configured, use su -.

• This procedure cannot be performed in environments where TOS is already installed. If you are currently running TOS, you must uninstall it by following the instructions in Step 1 of your desired procedure.

Configure Network Bond Interface

In this procedure, you will use the nmtui tool to add a network bond interface.

1. If you already have TOS installed, uninstall it safely by performing the following:
   • Create a full backup
   • Export your backup and place it in an offline location
   • Uninstall

   At the end of the procedure, you will be prompted to reinstall TOS.

2. Determine the first two network interfaces for network bond. Connect via SSH to your machine and run:

   /opt/tufinos/scripts/network_interface_by_pci_order.sh | grep "NET_IFS" | head -n2
                       /opt/tufinos/scripts/network_interface_by_pci_order.sh | grep "NET_IFS" | head -n1

   /opt/tufinos/scripts/network_interface_by_pci_order.sh | grep "NET_IFS" | head -n2

   The names of the existing interfaces are displayed. Note the names of the interfaces as you will need them for the procedure.

3. Disconnect from the SSH connection and continue with the procedure via RMM or a monitor connected to TTY.

   Do not attempt to perform the rest of the procedure with SSH. Once the configuration is applied, you will lose connectivity to the machine.

3. Start nmtui.

   nmtui

   nmtui

   The NetworkManager TUI screen appears.

   

   nmtui usage tips:

   • Navigate by using the arrow keys.
   • Press a button by selecting it and pressing Enter on your keyboard.
   • Select and clear checkboxes by pressing the space bar on your keyboard.

4. Select Edit a connection, and press Ok.

5. Press Add.

   

6. From the list of connection types, select Bond and press Enter.

   The Edit Connection screen appears.

7. Enter:

   Profile name: <meaningful profile name, for example: bond0>

   Device: <port's device name>

   

   On hosts with multiple profiles, a meaningful name makes it easier to identify the purpose of a profile.

8. Add ports to the bond to be created:

   1. From the list to the left of the Slaves box, select Add.

   2. From the New Connection dialog box, select Ethernet as the connection type.

      The Edit Connection screen appears.

   3. Enter:

      Profile name: <meaningful profile name, for example: bond0-port1>

      Device: <the name of your first network interface that you wrote down in the Prerequisites>

   4. Press OK to return to the window with the bond settings.

   5. Repeat steps a-d to add the second port, with the following details:

      Profile name: <meaningful profile name, for example: bond0-port2>

      Device:<the name of your second network interface that you wrote down at the beginning of the procedure>

9. Set the bond properties:

   

   Mode: Active Backup

   Primary: <name of first network interface>

   Link Monitoring: MII (recommended)

   Monitoring frequency: 100 ms

   Link up delay: 0 ms

   Link down delay: 0 ms

10. Configure the IP address settings in the IPv4 CONFIGURATION.

    1. Select Manual and Show.

       

       The Manual configuration options appear.

    2. Configure according to your network requirements.

11. Press OK to create.

    The new connection is activated.

12. Press Back to return to the main menu.

13. Deactivate the first network connection:

    1. Select Activate a Connection.

       

    2. Select the first network interface that supplied the machine connectivity, press the right arrow button, and press Deactivate.

14. Make sure the bond0 interface is activated. It should have the “*“ character before the name.

    

    Activate the bond0 interface if it is not activated.

15. Press Back to return to the main menu.

16. Select Quit to close the nmtui application.

17. If you uninstalled TOS at the beginning of this procedure, reinstall it now.

Verification

1. Temporarily remove the network cable from one of the network devices and check if the other device in the bond handles the traffic.

   Note that software utilities are not the proper way to test link failure events. Tools that deactivate connections, such as nmcli, show only the bonding driver’s ability to handle port configuration changes and not actual link failure events.

2. Display the status of the bond:

   cat /proc/net/bonding/bond0

   cat /proc/net/bonding/bond0

   Output example

   Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
   Bonding Mode: fault-tolerance (active-backup)
   Primary Slave: eno12399np0 (primary_reselect always)
   Currently Active Slave: eno12399np0
   MII Status: up
   MII Polling Interval (ms): 100
   Up Delay (ms): 0
   Down Delay (ms): 0
   Peer Notification Delay (ms): 0
   
   Slave Interface: eno12409np1
   MII Status: down
   Speed: Unknown
   Duplex: Unknown
   Link Failure Count: 0
   Permanent HW addr: 04:32:01:46:eb:e1
   Slave queue ID: 0
   
   Slave Interface: eno12399np0
   MII Status: up
   Speed: 1000 Mbps
   Duplex: full
   Link Failure Count: 0
   Permanent HW addr: 04:32:01:46:eb:e0
   Slave queue ID: 0

Delete Network Bond Interface

In this procedure, you will use the nmtui tool to remove a network bond interface.

1. If you already have TOS installed, uninstall it safely by performing the following:
   • Create a full backup
   • Export your backup and place it in an offline location
   • Uninstall

   At the end of the procedure, you will be prompted to reinstall TOS.

2. Determine the first network interface by running the following script.

   /opt/tufinos/scripts/network_interface_by_pci_order.sh | grep "NET_IFS" | head -n1

   /opt/tufinos/scripts/network_interface_by_pci_order.sh | grep "NET_IFS" | head -n1

3. Disconnect from the SSH connection and continue with the procedure via RMM or a monitor connected to TTY.

   Do not attempt to perform the rest of the procedure with SSH. Once the configuration is applied, you will lose connectivity to the machine.

4. Start nmtui.

   nmtui

   nmtui

   The NetworkManager TUI screen appears.

   

5. Select Edit a connection, and press Ok.

6. Select the interface you wish to delete, press the right arrow button, select Delete, and press Enter.

7. Select the first network interface name that you located in Step 1. Press the right arrow button, select Edit and press Enter.

8. Configure the IP address settings in the IPv4 CONFIGURATION according to your requirements.

9. Press OK.

10. Press Back to return to the main menu.

11. Select Activate a Connection.

    

11. Select the first network interface and press Activate.

    

12. Press Back to return to the main menu.

13. Select Quit, and press Enter to close the nmtui.

14. If you uninstalled TOS at the beginning of this procedure, reinstall it now.