Core (Datacentre) Firewall Migration

Planned in advance; Complete

Overview

Affected services
  • Core Firewall
Outage Time
10:00 AM, 18-Jul-20 — 10:30 AM, 18-Jul-20
At Risk Time
10:31 AM, 18-Jul-20 — 05:00 PM, 18-Jul-20
Description
CIS are migrating the Core/Datacentre Firewall to the new Fortinet hardware as part of the Network Replacement Project. The existing rules will be transposed from the old platform to the new one. Because of the way traffic flows through the firewall, the migration must happen as a single event triggered by a routing change, at which point all traffic currently flowing via the ASA firewall will be redirected to the new FortiGate firewall.

Technical Information

Work summary
CIS are migrating the Core/Datacentre Firewall from the existing ASA hardware to the new Fortinet hardware as part of the Network Replacement Project. A like-for-like copy of the existing rules is being transposed from the old platform to the new one. Because of the way traffic flows through the firewall, the migration must happen as a single event triggered by a routing change, at which point all traffic currently flowing via the ASA firewall will be redirected to the new FortiGate firewall.
Technical summary
Core (Datacentre) Firewall Migration
Affecting
All services hosted on the Core/Datacentre Firewall
Servers / Hardware
Core Datacentre Firewall
Criticality
high
Expected impact
As with the Perimeter Firewall migration in March, we anticipate that the vast majority of services will see no obvious impact as traffic reroutes through the new firewall. There will be a break of a few seconds for the routing change and while devices ARP for the new default gateway. Hosts that have cached the hardware address of the old firewall will keep sending to it until that ARP entry ages out or is refreshed, so the break may be slightly longer on some hosts.

Every effort has been made to avoid errors during the rule-set conversion; however, the rule base is complex enough that we may encounter problems with specific rules. In these cases we will need service owners to inform the CIS project team so that investigation can begin. The intention is to fix rather than roll back in these cases.

Any ongoing disruption to a service or application that is confirmed not to be a rule-set problem will most likely stem from the ability of the app/service to handle or recover from the network redirection: the OS should notice the change in the firewall's hardware address and rebuild its ARP table. Service owners may recognise these instances from previous firewall activity.

In the unlikely event that we encounter serious problems with traffic flow through the new firewall, this will be apparent very quickly, and CIS will reverse the routing change and roll back to the existing firewall. The successful migration of the Perimeter Firewall in March this year gives confidence that this will not occur.
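The one failure mode this notice describes is a host still holding the old firewall's hardware address for the default gateway after the cut-over. The script below is an added example, not part of the CIS change record or of any Fortinet or Cisco tooling: it parses the output format of `ip -4 neigh show` on a Linux host, finds the gateway entry, reports whether its MAC is the new firewall's, the old firewall's, or unknown, and prints the command to force a fresh ARP resolution. The gateway IP and both MAC addresses are constructed for illustration and must be replaced with the real values from the change record; the sample neighbour tables are likewise constructed.

```python
"""
Post-migration ARP check for a service owner's Linux host.

Added example (not from the CIS change record). Parses the line format of
`ip -4 neigh show`, e.g.
    10.20.0.1 dev eth0 lladdr 00:1b:0d:11:22:33 STALE
    10.20.0.7 dev eth0  INCOMPLETE          (no lladdr while resolving)
All addresses below are constructed placeholders.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholders: substitute the real gateway and firewall MACs.
GATEWAY_IP = "10.20.0.1"
NEW_FW_MAC = "00:09:0f:aa:bb:cc"   # hypothetical FortiGate interface MAC
OLD_FW_MAC = "00:1b:0d:11:22:33"   # hypothetical ASA interface MAC

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}))?"
    r".*?\s(?P<state>[A-Z]+)$"
)

# Constructed neighbour tables: before the cut-over (old MAC cached, entry
# going STALE) and after the host has re-resolved the gateway.
SAMPLE_BEFORE = """\
10.20.0.1 dev eth0 lladdr 00:1b:0d:11:22:33 STALE
10.20.0.53 dev eth0 lladdr 52:54:00:ab:cd:ef REACHABLE
10.20.0.7 dev eth0  INCOMPLETE
"""
SAMPLE_AFTER = """\
10.20.0.1 dev eth0 lladdr 00:09:0f:aa:bb:cc REACHABLE
10.20.0.53 dev eth0 lladdr 52:54:00:ab:cd:ef REACHABLE
"""


@dataclass
class GatewayArp:
    dev: Optional[str]
    mac: Optional[str]
    state: Optional[str]
    verdict: str   # "updated" | "old_mac" | "unknown_mac" | "missing"

    @property
    def ok(self) -> bool:
        return self.verdict == "updated"


def parse_neigh(output: str) -> List[Dict[str, Optional[str]]]:
    """Parse `ip neigh` output into dicts with ip/dev/mac/state."""
    entries = []
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def check_gateway(output: str, gateway_ip: str = GATEWAY_IP,
                  new_mac: str = NEW_FW_MAC,
                  old_mac: str = OLD_FW_MAC) -> GatewayArp:
    """Classify the cached gateway entry against the old/new firewall MACs."""
    for e in parse_neigh(output):
        if e["ip"] != gateway_ip:
            continue
        mac = (e["mac"] or "").lower()
        if mac == new_mac.lower():
            verdict = "updated"
        elif mac == old_mac.lower():
            verdict = "old_mac"       # still forwarding to the retired ASA
        elif mac:
            verdict = "unknown_mac"   # neither firewall: investigate
        else:
            verdict = "missing"       # entry present but unresolved
        return GatewayArp(e["dev"], mac or None, e["state"], verdict)
    return GatewayArp(None, None, None, "missing")


def remediation(result: GatewayArp, gateway_ip: str = GATEWAY_IP) -> str:
    """Command to drop the cached entry so the host re-ARPs for the gateway."""
    if result.ok:
        return ""
    if result.dev:
        return f"ip neigh del {gateway_ip} dev {result.dev}"
    return f"ip neigh flush to {gateway_ip}"


def check_live_host() -> GatewayArp:
    """Run against this host's real neighbour table (Linux with iproute2)."""
    out = subprocess.run(["ip", "-4", "neigh", "show"],
                         capture_output=True, text=True, check=True).stdout
    return check_gateway(out)


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        r = check_gateway(sample)
        print(f"{label}: {r.verdict} ({r.state} {r.mac}) {remediation(r)}")
```

The verdict `old_mac` with state `STALE` is the case the notice describes: the host will keep forwarding to the retired ASA until the entry is probed and fails or a gratuitous ARP from the new firewall refreshes it; deleting the entry forces an immediate broadcast ARP. An `unknown_mac` result is worth escalating to the CIS project team rather than clearing, since neither firewall is answering for the gateway address. On Windows the equivalent manual check is `arp -a` followed by `arp -d <gateway>` from an elevated prompt.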
Change Reference
To Be Confirmed
Additional comments

Request, Authorise and Publish

Requested by Richard Goodall on 26-Jun-2020
Authorised by CIS
Publish to IS Website (Service Status and Alerts page): Yes
Published by Wassim Demnati


Additional Details

Risk classification
medium
Risk assessment
There will be brief disruption to data centre services. This is known, and the appropriate staff will be on hand to check and restore services where necessary. There is a good rollback procedure.
Other people involved
CIS, Enterprise, Apps, College IT staff
Notes for future reference