https://live.paloaltonetworks.com/t5/general-topics/remote-access-on-passive-node-of-firewall-ha-cluster/m-p/278028#M75544 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>am I missing something or the Panorama is not valid option here?</P><P>&nbsp;</P><P>Even it is cluster setup (with config synchronization) Panorama needs to have access to both members.</P><P>Dedicated Mgmt interface is not reachable so the Panorama cannot use that</P><P>It is active-passive cluster so you cannot use service route through one of the dataplane interfaces.</P> Mon, 22 Jul 2019 07:58:54 GMT aleksandar.astardzhiev 2019-07-22T07:58:54Z https://live.paloaltonetworks.com/t5/general-topics/remote-access-on-passive-node-of-firewall-ha-cluster/m-p/277704#M75485 <P>Hello all,</P><P>&nbsp;</P><P>I am currently configuring an HA cluster (active / passive) with the following configuration:</P><P>&nbsp;</P><P>Primary (active) box: PA-820<BR />ethernet1 / 1: 1.1.1.1/29 (external interface)<BR />ethernet1 / 2: 192.168.0.1/24 (internal interface)<BR />MGMT: 192.168.50.251/25 (Management interface)</P><P>&nbsp;</P><P>Secondary (passive) box: PA-820<BR />ethernet1 / 1: No IP address, as this is the secondary (passive) box.<BR />ethernet1 / 2: No IP address, as this is the secondary (passive) box.<BR />MGMT: 192.168.50.252/25 (Management interface)</P><P>&nbsp;</P><P>The two firewall systems are located at the customer, so I have no physical access to the MGMT interface. Nevertheless, I would like to be able to administrate both (!!!) firewall systems remotely. Previous attempts to access the management port (MGMT) via a NAT or similar have failed.</P><P>&nbsp;</P><P>What works is access to the primary system via VPN. The internal interface (ethernet1 / 2) is in the list of protected networks and the interface itself has been assigned the management role</P><P>&nbsp;</P><P>What options do I have left?</P><P>&nbsp;</P><P>An active / active HA configuration is eliminated because DHCP is needed on the firewall.</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks for your help!</P><P>&nbsp;</P><P>Regards,</P><P>Guido</P> Fri, 19 Jul 2019 10:55:52 GMT https://live.paloaltonetworks.com/t5/general-topics/remote-access-on-passive-node-of-firewall-ha-cluster/m-p/277704#M75485 GuidoKramer 2019-07-19T10:55:52Z https://live.paloaltonetworks.com/t5/general-topics/remote-access-on-passive-node-of-firewall-ha-cluster/m-p/277727#M75490 <P>You can set up Panorama to manage multiple systems from a single entity, all managed systems connect into Panorama, so no need for access to the network at all</P> <P>&nbsp;</P> <P>An alternative 'industry best practice' method would be to set up a bastion host that is dual homed so you can VPN into the network and hop onto that station to perform admin on both firewalls</P> Fri, 19 Jul 2019 12:05:37 GMT https://live.paloaltonetworks.com/t5/general-topics/remote-access-on-passive-node-of-firewall-ha-cluster/m-p/277727#M75490 reaper 2019-07-19T12:05:37Z https://live.paloaltonetworks.com/t5/general-topics/remote-access-on-passive-node-of-firewall-ha-cluster/m-p/278028#M75544 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>am I missing something or the Panorama is not valid option here?</P><P>&nbsp;</P><P>Even it is cluster setup (with config synchronization) Panorama needs to have access to both members.</P><P>Dedicated Mgmt interface is not reachable so the Panorama cannot use that</P><P>It is active-passive cluster so you cannot use service route through one of the dataplane interfaces.</P> Mon, 22 Jul 2019 07:58:54 GMT https://live.paloaltonetworks.com/t5/general-topics/remote-access-on-passive-node-of-firewall-ha-cluster/m-p/278028#M75544 aleksandar.astardzhiev 2019-07-22T07:58:54Z https://live.paloaltonetworks.com/t5/general-topics/remote-access-on-passive-node-of-firewall-ha-cluster/m-p/278048#M75547 Ideally you'd set the panorama up so it has an "in" to the oob network Either set it up locally, via a bastion proxy or via a segmented dataplane interface (via the active member) Mon, 22 Jul 2019 10:31:03 GMT https://live.paloaltonetworks.com/t5/general-topics/remote-access-on-passive-node-of-firewall-ha-cluster/m-p/278048#M75547 reaper 2019-07-22T10:31:03Z https://live.paloaltonetworks.com/t5/general-topics/remote-access-on-passive-node-of-firewall-ha-cluster/m-p/278222#M75575 <P>Hello,</P><P>What about a VPN Tunnel to the HA pair or use Global Protect to connect?</P><P>&nbsp;</P><P>Regards,</P> Mon, 22 Jul 2019 21:45:47 GMT https://live.paloaltonetworks.com/t5/general-topics/remote-access-on-passive-node-of-firewall-ha-cluster/m-p/278222#M75575 OtakarKlier 2019-07-22T21:45:47Z