topic Management IP in Active/passive setup in General Topics

Management IP in Active/passive setup

hh_cloudio — Thu, 12 May 2022 08:15:49 GMT

I am quite new to Palo Alto firewalls, but have worked with different vendors before.

When running a HA in Active/passive a central VIP for mgmt is usually setup, so you dont connect to the passive FW.

From what i see there is no VIP for mgmt in the HA setup i am working on here. Is that something that is setup wrong or ?

We have a dns name internally that points to one of the firewalls, but in case of failover this might end up being the passive node.

hope someone can enlighten me.

Re: Management IP in Active/passive setup

KieraMitchell — Thu, 12 May 2022 08:29:22 GMT

You are correct.
Palo Alto firewalls in HA need their own separate management IPs.

Kiki

Re: Management IP in Active/passive setup

hh_cloudio — Thu, 12 May 2022 08:31:38 GMT

So that how are people handling the management in a failover case ? just change the DNS entry or this there something easier ?

Re: Management IP in Active/passive setup

KieraMitchell — Thu, 12 May 2022 08:34:12 GMT

In most cases, each node has its own DNS name. In my lab, for example, I have

https://palo-pri.kiki.lab

https://palo-sec.kiki.lab

It's designed this way for a number of reasons, including so that each node can have its HA status controlled, reach out the internet for updates, telemetry forwarding, forward Syslog to external servers, etc.

Re: Management IP in Active/passive setup

OtakarKlier — Thu, 12 May 2022 17:07:50 GMT

Hello @hh_cloudio ,

What is the use case you are attempting to resolve? Just connecting or something else, more curious than anything?

Regards,

Re: Management IP in Active/passive setup

hh_cloudio — Mon, 16 May 2022 07:27:56 GMT

Just so in case of a failover that you allways connect to the active firewall. Its not a issue, i am just used to management via. a VIP so you allways connect to the active firewall.

Re: Management IP in Active/passive setup

JoeKwok — Mon, 16 May 2022 09:56:51 GMT

Would you means you want to access current active firewall in same IP independent of which take a active?

You can set a loopback interface and set it permits for management traffic.

Since the passive firewall data-port will not turn on, you will always access to the current active firewall through that loopback interface IP.

You may refer below link

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/configure-interfaces/use-interface-management-profiles-to-restrict-access

Re: Management IP in Active/passive setup

hh_cloudio — Thu, 19 May 2022 12:50:24 GMT

That was just what i was looking for. Thanks!

Re: Management IP in Active/passive setup

J.Dhling — Mon, 16 Feb 2026 12:27:43 GMT

I just stumbled over this. I struggle to understand how this can work. If we configure a loopback interface with an IP address on the passive firewall, how can the traffic via the active firewall reach the loopback? It has to arrive on the passive firewall on a physical port, which all are on Discard.
We're currently thinking about how to provide emergency management access on both firewalls independently, without unplugging the management port.