Chapter 1: Overview

	Hardware Replacement Guide for NetWall Firewalls	Next

	Note: This document is also available in other formats
A PDF version of this document along with all current and older documentation in PDF format can be found at https://my.clavister.com. It is also available as a single HTML page.

Note: This document is also available in other formats

A PDF version of this document along with all current and older documentation in PDF format can be found at https://my.clavister.com.

It is also available as a single HTML page.

This guide covers replacement of Clavister NetWall hardware in a number of different scenarios. Replacement is usually required as a result of a hardware failure or because of a need to upgrade hardware capabilities.

The aim of the procedures described is to have the cOS Core version as well as the cOS Core configuration from the old hardware unit replicated on the replacement unit.

Cold Standby or Manual Replacement

Clavister offers a Cold Standby Replacement service where Clavister can send an identical hardware unit to replace an existing standalone unit that has failed (this is not applicable to cluster hardware. This service is described in Chapter 2, Cold Standby Service.

The other chapters in this guide describe the manual replacement procedure when not using the cold standby service.

Relevant Software Versions

The procedures described in the document are applicable for 9.nn versions of CorePlus or 10.nn versions of cOS Core or later. They are not applicable to Clavister software earlier than CorePlus 9.nn.

In its descriptions, this document will only refer to cOS Core but the same procedures can be applied to CorePlus.

Replacement Hardware Assumptions

It is assumed that the replacement hardware is a unit that has the original "factory default" settings. This may be brand new hardware from the factory but it might also be older hardware that has been manually reset to its factory defaults. In either case, it is important that the hardware is capable of running the required cOS Core version.

Mapping Old Interface Names to New Interfaces Names

If the new hardware is different from the old hardware it replaces, there are two conditions that can occur:

The interface names of the new hardware differ from the names in the old hardware.
The new hardware can have a lesser or greater number of interfaces than the old.

There are two ways to map the interfaces in the old configuration to the interfaces in the new configuration:

Use the Hardware Migration Wizard Tool

The Hardware Migration Wizard is downloadable from the https://my.clavister.com website as a separate, standalone software tool. It is applicable to all Clavister hardware models and helps to automate the process of mapping old to new interfaces. It is fully described in Appendix A, Wizard Interface Mapping.

The wizard works by taking a backup of the old configuration as input and creating a new backup file as output with the desired interface mapping between old and new hardware. Using the wizard is the recommended method of mapping interfaces.

	Note: The wizard is also integrated into InControl
	The wizard is also integrated into InControl so that interface reassignment can be done while setting up a replacement firewall in InControl. This is discussed further in the Dissimilar Hardware Replacement chapter of the separate InControl Administration Guide.

Reassign Interfaces Manually

As an alternative to the wizard, the mapping of interfaces can be done manually after uploading a configuration backup from the old system to the new hardware but before activating it. This is described in Appendix B, Manually Mapping Interfaces.

Standalone and Cluster Replacement

There are two other important types of replacement scenario covered:

Replacement of a Clavister hardware unit that is "standalone" which means it is a single hardware unit that is not part of a cOS Core high availability (HA) cluster. The replacement hardware may also have a different number of interfaces with different logical names.
Replacement of one of the two identical hardware units in a cOS Core high availability cluster with another identical hardware unit.

Attempts at replacement of one cluster node with hardware that is not identical is never recommended as it presents complex technical and operational issues when two hardware models are mixed. If different replacement hardware must be used, it is recommended to change both cluster units to the same, new hardware model.

Replacement Using the InControl Zero Touch Feature

The Zero Touch feature in the Clavister InControl product provides a simple way to replace hardware with an identical model, providing that the old hardware was already under InControl management. The feature can automatically install the correct license, cOS Core version and old cOS Core configuration in the replacement unit. However, only certain hardware models can make use of this feature. This topic is discussed further in the Zero Touch chapter of the separate InControl Administration Guide.

Replacing Non-Clavister Hardware

Although this publication has been written on the assumption that a Clavister hardware product is being replaced, the procedures described could be adapted to situations where a non-Clavister hardware platform that is running cOS Core needs to be replaced.

Common Steps in All Replacement Procedures

There are a number of key steps which are common to all manual replacement procedures (where InControl is not used). The following list summarizes these:

The old hardware unit must be physically swapped out and the new hardware powered on.
The new hardware's default management interface IP and network should be changed if this is required. (Described in Appendix C, Management Interface Setup).
The cOS Core version running on the new unit may have to be changed if required. This is best done by uploading a full system backup (not just a configuration backup) taken from the old hardware if one is available.
The configuration backup from the old hardware is uploaded to the new hardware.

If the new hardware model differs from the old hardware and has different interface names then a mapping of the old to the new names will need to be done in one of two ways:
1. The Hardware Migration Wizard is first used to convert the configuration backup from the old hardware to a new backup file before uploading to the new hardware. Interface reassignment is performed in the wizard. (Described in Appendix A, Wizard Interface Mapping).
2. Or the configuration backup from the old hardware is first uploaded to the new hardware. Any interface reassignment is then done manually using CLI commands before the uploaded configuration is activated. (Described in Appendix B, Manually Mapping Interfaces).
Lastly, a new license needs to be installed on the new hardware.

Determining the Service Tag and Serial Number Through InControl

Sometimes the Service Tag and Serial Number for a hardware appliance are needed for the replacement procedure. Normally, these are found written on the unit.

However, sometimes these details are required for a remote unit that is not easily accessible. Provided the hardware in question is under centralized control by the Clavister InControl management software, this information can be found in the tooltip window that is displayed when mousing over the firewall in InControl's Firewalls tab. Below is a screenshot showing an example of this.