How To Synchronize Configurations
This feature allows configuration parameters to be synchronised between the appliances of a multi-appliance configuration. Replication uses a multi-master architecture: each appliance can send configuration changes to, and receive them from, the other appliances, but only one appliance starts the broker that holds the messages. The next figure shows a multi-appliance configuration and its communication with the broker. In this case the broker is embedded in one of the appliances, but the behaviour will be the same:
The sections that can be replicated are:
- Repository > Groups
- Repository > Attributes
- Policy > All sections
Configuration Parameters screen
Please go to Configuration Parameters to see configuration parameters in detail.
Suppose the following configuration:
The configuration parameters on each appliance will be as shown below (the appliances will have the same secret defined):
Swivel Core A
When the broker has started, the information message ‘Sync broker has been started’ is displayed, and when ‘Synchronise configuration’ is activated, “Connected” is shown:
Swivel Core B
NOTE: If we try to start a broker on that machine, an error message will be shown because another broker (in this case Swivel Core A) is already started on the same machine on the same port:
Swivel Core C
NOTE: By default the IP that appears is the current IP, in this case 192.168.0.151. If ‘Synchronise configuration’ is activated with that IP, an error message is shown to indicate that the connection cannot be established:
There are 3 synchronisation types:
This drop-down list only appears in the sections mentioned above, and only if 'synchronise configuration' is true.
The changes applied in the section will be synchronised with the other appliances whose section is configured as Automatic or Manual. The current appliance will also be able to receive synchronisation messages about that section, and they will be processed. With this option, the 'Sync now' button is shown, which allows the whole section to be replicated, not only the changes.
NOTE: If a section (e.g. groups) has more groups than on the other appliances and a new group is added, it will not be created on the other appliances. In the repository groups and repository attributes sections, if the repositories are different, the value of the repository will not be updated.
The changes applied in the section will NOT be synchronised, but the current appliance will be able to receive synchronisation messages about that section, and they will be processed. In this case, synchronisation can only be done with the ‘Sync now’ button.
The changes applied in the section will NOT be synchronised. The synchronisation messages received about that section will be discarded and the 'Sync now' button will NOT be shown.
NOTE: If the shared secret defined on the appliance that receives the message is different from that of the appliance that sent it, the message will be discarded regardless of the sync type.
To replicate the changes made in a section, the section should be configured with the sync type Automatic. There are 2 kinds of section: those that generate their parameters dynamically (Groups, Attributes, Policy > Banned Credentials) and those that have static parameters. For the former the changes can be update, remove or create; for the latter, only update.
- Sections with static parameters
The changes applied to a parameter in a section with sync type Automatic will be synchronised with the other appliances.
- Sections with dynamic parameters
If the sections have a different number of parameters, only the attributes at the same position as in the section being synchronised will be updated or removed, and a new one will be created only at the position immediately after.
NOTE: Attributes and groups sections have repository parameters. If the repositories are different the value of the repositories will not be updated.
Replicate the whole section
In the sections to synchronise, if configuration synchronisation is activated and the sync type is Manual or Automatic, the ‘Sync now’ button is shown. It synchronises the whole section, rather than only the changes applied, with the other appliances whose section is configured with the sync type Automatic or Manual.
Detect state broker and reconnection
The reconnection flow is shown below:
- Appliance A starts the broker and connects to it. In the status screen these new parameters will be shown:
  - State local sync broker: Indicates the broker's state. If the broker could not be started for some reason, the state of the broker will be Inactive.
  - Configuration sync state connection: Indicates the status of the connection with the broker. Only appears if the appliance is configured to synchronise the configuration.
- Appliance B connects to the broker (synchronise configuration is activated). In the status screen the parameter ‘State connection sync configuration’ will be shown.
- Appliance A (Broker) shuts down.
- Appliance B detects that the broker is down and tries to reconnect every x seconds (the time configured in the configuration parameters screen). In the status screen the parameter ‘State connection sync configuration’ will be disconnected.
- During this period, if an attempt is made to send sync data for a section, an error message will be shown:
- Appliance A and the broker start up again.
- Appliance B reconnects to the broker. In the status screen the parameter ‘State connection sync configuration’ will be connected.
Detection out of synchronisation
To detect whether the sections are synchronised, the appliance that is configured as the broker and has synchronisation activated sends messages containing a checksum of each section configured with sync type "Manual" or "Automatic" (except groups and attributes, because if they have a different number of repositories the state will always be ‘No synchronised’). These messages are sent periodically to the other appliances. When the other appliances receive the checksum messages, they compare them with the checksums of their own sections to determine whether they are synchronised.
On the appliances that do not act as a broker, the information shown in the status screen will be the following:
- Configuration sync status, last check: Indicates the date and time of the last check of the synchronisation status.
- Section > Group: Indicates whether the group is synchronised, e.g. Policy > General : Synchronised. It is a link to the section screen.
NOTE: If the shared secret defined on the appliance that receives the status message is different from that of the appliance that sent it, the message will be discarded.
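The out-of-sync check and the shared-secret rule described above, modelled as an added example that is not the product's own code. The page does not describe the message format or the checksum algorithm, so SHA-256 over canonical JSON, an HMAC-SHA-256 tag keyed with the shared secret, and all function and parameter names are assumptions.

```python
import hashlib
import hmac
import json

CHECKED_TYPES = {"Automatic", "Manual"}  # sync types whose sections are checked
EXCLUDED = {"Repository > Groups", "Repository > Attributes"}  # never checked

def section_checksum(params):
    """Assumed checksum: SHA-256 over a canonical JSON encoding of the section."""
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def build_status_message(secret, sections, sync_types):
    """Broker side: checksum every eligible section and authenticate the result."""
    sums = {name: section_checksum(params)
            for name, params in sections.items()
            if sync_types.get(name) in CHECKED_TYPES and name not in EXCLUDED}
    body = json.dumps(sums, sort_keys=True)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def check_status_message(secret, message, local_sections):
    """Receiver side: None if the message is discarded, else per-section state."""
    expected = hmac.new(secret, message["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None  # shared secrets differ: the status message is discarded
    return {name: "Synchronised"
            if section_checksum(local_sections.get(name, {})) == digest
            else "No synchronised"
            for name, digest in json.loads(message["body"]).items()}

# Constructed sample data: parameter names and values are invented.
SECRET = b"constructed-shared-secret"
TYPES = {"Policy > General": "Automatic",
         "Policy > Banned Credentials": "Manual",
         "Repository > Groups": "Automatic"}
BROKER = {"Policy > General": {"max_tries": "5"},
          "Policy > Banned Credentials": {"0": "password", "1": "123456"},
          "Repository > Groups": {"0": "admins"}}
APPLIANCE_B = {"Policy > General": {"max_tries": "5"},
               "Policy > Banned Credentials": {"0": "password"},
               "Repository > Groups": {"0": "admins"}}
MESSAGE = build_status_message(SECRET, BROKER, TYPES)

if __name__ == "__main__":
    print(check_status_message(SECRET, MESSAGE, APPLIANCE_B))
    print(check_status_message(b"other-secret", MESSAGE, APPLIANCE_B))
```

A receiver with a mismatched secret gets no status at all rather than a "not synchronised" result, so a stale "last check" time on the status screen is the symptom to look for when secrets have drifted apart.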