Remote Access on passive node of firewall ha cluster

L0 Member

Hello all,

I am currently configuring an HA cluster (active/passive) with the following configuration:

Primary (active) box: PA-820
ethernet1/1: 1.1.1.1/29 (external interface)
ethernet1/2: 192.168.0.1/24 (internal interface)
MGMT: 192.168.50.251/25 (management interface)

Secondary (passive) box: PA-820
ethernet1/1: no IP address, as this is the secondary (passive) box.
ethernet1/2: no IP address, as this is the secondary (passive) box.
MGMT: 192.168.50.252/25 (management interface)

The two firewall systems are located at the customer site, so I have no physical access to the MGMT interface. Nevertheless, I would like to be able to administer both (!!!) firewall systems remotely. Previous attempts to access the management port (MGMT) via NAT or similar have failed.

What works is access to the primary system via VPN. The internal interface (ethernet1/2) is in the list of protected networks, and the interface itself has been assigned the management role.

What options do I have left?

An active/active HA configuration is eliminated because DHCP is needed on the firewall.

Thanks for your help!

Regards,

Guido

Cyber Elite

You can set up Panorama to manage multiple systems from a single entity. All managed systems connect into Panorama, so there is no need for access to the network at all.

An alternative 'industry best practice' method would be to set up a bastion host that is dual-homed, so you can VPN into the network and hop onto that station to perform admin on both firewalls.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
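A concrete shape for the dual-homed bastion approach, added here as an illustration and not part of the reply above: an OpenSSH client configuration that reaches both management interfaces through the jump host, so the passive member is administered the same way as the active one. The firewall MGMT addresses are the ones from the question; the bastion's addresses (192.168.0.10 on the VPN-reachable internal LAN and a second leg in the 192.168.50.128/25 management network), the host aliases, key file names and user names are assumptions.

```sshconfig
# ~/.ssh/config (added example; aliases, bastion addresses, key files and users are assumed)

# Dual-homed bastion: one leg on the internal LAN reached over the VPN,
# one leg in the out-of-band management network 192.168.50.128/25.
Host bastion
    HostName 192.168.0.10
    User jumpadmin
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes
    # Refuse an unknown or changed bastion host key instead of prompting.
    StrictHostKeyChecking yes

# Active member's MGMT interface, reached only through the bastion.
# ProxyJump gives an end-to-end SSH session: the bastion forwards the
# TCP stream but never sees the firewall login in the clear.
Host pa820-primary
    HostName 192.168.50.251
    ProxyJump bastion
    # Expose the web UI locally with:  ssh -N pa820-primary
    LocalForward 4431 192.168.50.251:443

# Passive member's MGMT interface; identical path, different address.
Host pa820-secondary
    HostName 192.168.50.252
    ProxyJump bastion
    # Expose the web UI locally with:  ssh -N pa820-secondary
    LocalForward 4432 192.168.50.252:443

# Settings shared by both firewall hops. In ssh_config the first value
# found for an option wins, so this wildcard block sits after the
# specific ones and only fills in what they did not set.
Host pa820-*
    User admin
    IdentityFile ~/.ssh/id_ed25519_panos
    IdentitiesOnly yes
    StrictHostKeyChecking yes
```

With the VPN up, `ssh pa820-secondary` lands on the passive member's CLI and `ssh -N pa820-secondary` makes its web UI available at https://localhost:4432; neither firewall needs a route from the data plane into the management network. The bastion itself should accept key authentication only and have its own host key recorded on the admin workstation before the first real session, since it is the one box an attacker on the internal LAN could try to impersonate.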

@reaperam Am I missing something, or is Panorama not a valid option here?

Even if it is a cluster setup (with config synchronization), Panorama needs to have access to both members.

The dedicated Mgmt interface is not reachable, so Panorama cannot use that.

It is an active-passive cluster, so you cannot use a service route through one of the dataplane interfaces.

Ideally you'd set Panorama up so it has an "in" to the OOB network: either set it up locally, via a bastion proxy, or via a segmented dataplane interface (via the active member).
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hello,

What about a VPN tunnel to the HA pair, or using GlobalProtect to connect?

 

Regards,
