Device initiated InControl management of NetWall HA clusters with a single public IP

Last modified on 31 Mar, 2022. Revision 23
How to set up device initiated InControl management of a NetWall HA cluster over the Internet using a single public IP address.
Supported since
Status OK

This how-to applies to:

Clavister cOS Core 11.10 and later.

I want to add a remote HA cluster to InControl over the Internet but I don’t have enough public IP addresses to assign each cluster node its own public IP for management.

By using the Device Initiated option in a cOS Core InControl Management (Netcon) object, allowing the cluster nodes to call home to the InControl server instead of vice versa, an HA cluster can be added to InControl over the Internet without the need for assigning a public IP address to each firewall in the cluster.

To achieve this, the connections must be initiated from one interface and received on another before it can be passed on by the active node to the next-hop router. These two interfaces must be isolated from each other by assigning them to separate routing tables.

In this how-to, the interface initiating the connection to the InControl server will be called ge2, the receiver interface will be called gesw and the extra routing table will be called incontrol.

How to set this up:

  1. Create a new routing table with ordering set to Only, in this example the table is called incontrol.
  2. Locate an unused interface, in this example this will be the ge2 interface.
    Configure ge2 with both shared and HA IPs with addresses from the same subnet used on the gesw interface.
    Under the Virtual Routing tab, check Make interface a member of a specific routing table. and select the incontrol table.
    This is the interface we will be using for initiating the connection.

  3. Likewise on the gesw interface, select the main table. By setting Make interface a member of a specific routing table, we make sure that ARP traffic will be handled in the correct routing table for the respective interface.

  4. Add and verify the routes in main and incontrol routing tables, the gateway for the default route in the incontrol table will be the shared IP on the gesw interface.

  5. Configure the InControl Management object for Device Initiated and for Outgoing Routing Table, select the incontrol table, as shown below.

  6. Make sure you have an IP policy NATing the Netcon traffic received on the gesw interface out on WAN, and don't forget to physically connect ge2 and gesw to the same broadcast domain.

A further discussion of using Device Initiated connections to an InControl server can be found on the InControl Administration Guide.

Related articles

Automatic scheduled backup of InControl server database
5 Feb, 2021 incontrol howto backup windows