Migrating a dynamic routing configuration from BIRD v1 to BIRD v2
Products concerned: SNS 4.8.1 LTSB and upwards
As of SNS version 4.8.1, the BIRD v2 dynamic routing engine is supported and replaces BIRD v1, which has become obsolete.
When a firewall whose configuration initially used BIRD v1 dynamic routing is upgraded to SNS version 4.8.1, BIRD v1 remains active even after the firmware has been updated.
This is because your configuration cannot be automatically transferred from BIRD v1 to BIRD v2, as the syntax used in the BIRD v2 dynamic routing configuration file is different from the syntax in BIRD v1.
One of the major changes is that in BIRD v2, IPv4 and IPv6 dynamic routing settings are grouped into a single bird.conf file, whereas BIRD v1 uses two separate files: bird.conf for IPv4 and bird6.conf for IPv6.
The Dynamic routing module in SNS versions 4.8.1 and higher has been designed to assist you in the migration operation.
IMPORTANT
If your SNS firewall pool is managed by an SMC server, it will no longer be possible to manage dynamic routing on your firewalls in 4.8.1 versions and higher from SMC in version 3.6 and below.
Understanding the Dynamic routing module
Go to Configuration > Network > Dynamic routing.
This module contains three tabs in which either version of BIRD can be enabled/disabled and configured.
NOTE
When one version of BIRD is disabled, the corresponding configuration tab will show the suffix "(INACTIVE)".
Example: BIRD v2 (INACTIVE).
General tab
This option allows you to enable/disable the desired version of the BIRD dynamic routing engine.
After SNS firewalls in a version lower than SNS 4.8.1 are updated to SNS version 4.8.1 or higher, the configuration will be as follows:
- BIRD v2: this radio button is selected by default.
- BIRD v1: this radio button will be selected if the firewall was initially configured only in IPv4, and if its IPv4 BIRD v1 configuration was active prior to the firmware update.
The following radio buttons will appear only if the firewall was initially configured in IPv4 and IPv6:
- IPv4: this radio button is selected for firewalls on which only an IPv4 BIRD v1 configuration was active prior to the firmware update.
- IPv6: this radio button is selected for firewalls on which only an IPv6 BIRD v1 configuration was active prior to the firmware update.
- IPv4 and IPv6: this radio button is selected for firewalls on which IPv4 and IPv6 BIRD v1 configurations were active prior to the firmware update.
If you want the routes that were learned by BIRD to be automatically added to the table of protected networks, thereby preventing these networks from wrongly raising antispoofing alerts, select these checkboxes (depending on your configuration):
- Add IPv4 networks distributed via dynamic routing to the table of protected networks.
- Add IPv6 networks distributed via dynamic routing to the table of protected networks.
BIRD v2 tab
This tab shows:
- On the left side of the screen: a minimal BIRD v2 configuration frame containing the basic mandatory sections,
- On the right side of the screen: the firewall's original BIRD v1 configuration (IPv4 and/or IPv6).
This section also allows you to modify the firewall’s BIRD v2 configuration and validate it.
IPv4 BIRD v1 tab
This tab shows the original configuration on the firewall for the IPv4 dynamic routing managed by BIRD v1.
This section also allows you to edit and validate the configuration.
Optional IPv6 BIRD v1 tab
This tab shows the original configuration on the firewall for the IPv6 dynamic routing managed by BIRD v1.
This section also allows you to edit and validate the configuration.
It looks exactly like the IPv4 BIRD v1/IPv4 BIRD v1 (INACTIVE) tab.
Verification console
When you click on the Check configuration button in one of the BIRD configuration tabs, the verification console located at the bottom of the screen shows the syntax errors encountered, if any.
Errors are identified in the console by their line numbers and column numbers. Lines that contain errors are also highlighted in red in the configuration.
Migrating from BIRD v1 to BIRD v2
Stormshield recommends that you follow the method below:
Preparing the BIRD v2 configuration
- Go to the BIRD v2 (INACTIVE) tab.
- By following the BIRD v2 configuration syntax, transpose the information from your BIRD v1 configuration (window on the right) to the BIRD v2 configuration (window on the left) in stages. As a reminder, in BIRD v2, IPv4 and IPv6 dynamic routing settings are grouped into a single bird.conf file, whereas BIRD v1 uses two separate files: bird.conf for IPv4 and bird6.conf for IPv6.
- As you make changes to the configuration, click the Check configuration button regularly.
At the bottom of the screen, the verification console will show you the syntax errors found in the BIRD v2 configuration.
You cannot save configurations that contain syntax errors.
- When changes to the BIRD v2 configuration are made and validated (no errors shown in the Verification console), save the configuration by clicking on Apply, then Save.
This operation creates a version of the BIRD v2 configuration that can be restored. If changes are made later to the BIRD v2 configuration and you are unable to fix a configuration or syntax issue, the configuration saved at this stage can be restored by clicking on Go back to saved configuration.
- When the migration operation is complete and you have saved your BIRD v2 configuration, you can enable BIRD v2 to check whether dynamic routing is running properly.
If you require assistance in this task, refer to the available resources, notably the BIRD v2 user guide published by BIRD, and the BIRD 1.6 to BIRD 2.0 transition notes.
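As an added illustration of the transposition described above (not a configuration from this page or from Stormshield), the following shows a simple BIRD v1 IPv4 file and its IPv6 counterpart, followed by the single BIRD v2 file that carries both. The router ID, interface name and use of OSPF are assumptions chosen for the example; the point is that BIRD v2 attaches an ipv4 or ipv6 channel to each protocol instead of splitting the configuration across bird.conf and bird6.conf.

```conf
# ---- BIRD v1: bird.conf (IPv4 only) ----
router id 192.0.2.1;                       # assumed router ID
protocol kernel { export all; }            # push learned routes to the kernel
protocol device { }
protocol direct { interface "Ethernet0"; } # assumed interface name
protocol ospf {                            # OSPFv2 is implied in bird.conf
  area 0 { interface "Ethernet0"; };
}

# ---- BIRD v1: bird6.conf (IPv6 only) ----
router id 192.0.2.1;
protocol kernel { export all; }
protocol device { }
protocol direct { interface "Ethernet0"; }
protocol ospf {                            # OSPFv3 is implied in bird6.conf
  area 0 { interface "Ethernet0"; };
}

# ---- BIRD v2: single bird.conf (IPv4 and IPv6) ----
router id 192.0.2.1;
protocol device { }
# One direct protocol, with a channel per address family
protocol direct { ipv4; ipv6; interface "Ethernet0"; }
# One kernel protocol per address family, each with its own channel
protocol kernel kernel4 { ipv4 { export all; }; }
protocol kernel kernel6 { ipv6 { export all; }; }
# OSPF version is now explicit, and the channel selects the family
protocol ospf v2 ospf4 {
  ipv4 { import all; export all; };
  area 0 { interface "Ethernet0"; };
}
protocol ospf v3 ospf6 {
  ipv6 { import all; export all; };
  area 0 { interface "Ethernet0"; };
}
```

Each v1 protocol block therefore maps to one v2 block carrying a channel; pasting the v2 part into the BIRD v2 (INACTIVE) tab and clicking Check configuration is the way to confirm the syntax before saving.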
Checking the operation of dynamic routing
After you have enabled BIRD v2, if you detect issues with the way dynamic routing is running:
- In the General tab, disable BIRD v2 and enable BIRD v1 again to return to the state of the configuration before BIRD was migrated.
You can then fix your BIRD v2 configuration while the BIRD v1 dynamic routing configuration remains active.
- Enable BIRD v2 again once the configuration has been fixed.
These operations can be repeated as often as required.