Remote Access on passive node of firewall ha cluster


Hello all,


I am currently configuring an HA cluster (active / passive) with the following configuration:


Primary (active) box: PA-820
ethernet1/1: 1.1.1.1/29 (external interface)
ethernet1/2: 192.168.0.1/24 (internal interface)
MGMT: 192.168.50.251/25 (management interface)


Secondary (passive) box: PA-820
ethernet1/1: no IP address, as this is the secondary (passive) box.
ethernet1/2: no IP address, as this is the secondary (passive) box.
MGMT: 192.168.50.252/25 (management interface)


The two firewall systems are located at the customer, so I have no physical access to the MGMT interface. Nevertheless, I would like to be able to administrate both (!!!) firewall systems remotely. Previous attempts to access the management port (MGMT) via a NAT or similar have failed.


What works is access to the primary system via VPN. The internal interface (ethernet1/2) is in the list of protected networks, and the interface itself has been assigned the management role.


What options do I have left?


An active/active HA configuration is ruled out because DHCP is needed on the firewall.


Thanks for your help!


Regards,

Guido


Re: Remote Access on passive node of firewall ha cluster

You can set up Panorama to manage multiple systems from a single entity; all managed systems connect into Panorama, so there is no need for access to the network at all.


An alternative 'industry best practice' method would be to set up a bastion host that is dual-homed, so you can VPN into the network and hop onto that station to perform admin on both firewalls.


Help the community: Like helpful comments and mark solutions
Reaper out
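To make the bastion-host suggestion concrete, here is an SSH client configuration for the administrator's workstation. This is an added example and is not part of the original thread or of any Palo Alto Networks documentation. It assumes a dual-homed bastion with a hypothetical address of 192.168.0.10 on the internal network the VPN already reaches (192.168.0.0/24 from the question) and a second leg on the management network (192.168.50.128/25); the MGMT addresses are the ones from the question, and the usernames and key file names are placeholders.

```sshconfig
# ~/.ssh/config on the administrator's workstation (constructed example)
# The bastion sits on the internal /24 that the VPN to the primary firewall
# already protects; 192.168.0.10 and the user name are assumed values.
Host bastion
    HostName 192.168.0.10
    User admin-jump
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes

# Both HA members' MGMT addresses are reached only by hopping through the
# bastion, so the management /25 never needs a NAT or a route from outside.
# The passive member's MGMT port is independent of its dataplane interfaces,
# so it stays reachable while the unit is passive.
Host pa820-primary
    HostName 192.168.50.251
    User admin
    ProxyJump bastion

Host pa820-secondary
    HostName 192.168.50.252
    User admin
    ProxyJump bastion

# Shared settings for both firewalls: pin their SSH host keys in a dedicated
# known_hosts file and refuse to connect if a key changes, so a hop through
# the bastion cannot be silently redirected to another host. Do not forward
# the agent onto the bastion.
Host pa820-*
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_pa
    IdentitiesOnly yes
    ForwardAgent no
```

With the VPN up, `ssh pa820-secondary` opens a session on the passive member's MGMT interface via the bastion, and the same stanza works for the web UI by adding a local port forward (`ssh -L 8443:192.168.50.252:443 bastion`). Because ssh_config takes the first value found for each option, the specific `Host` blocks come first and the `Host pa820-*` block only fills in what they did not set. On the firewall side, restricting management access to the bastion's management-network address (PAN-OS has a permitted-IP list for the MGMT interface) keeps the bastion as the only path in, which is the point of the design.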

Re: Remote Access on passive node of firewall ha cluster

@reaperam Am I missing something, or is Panorama not a valid option here?


Even if it is a cluster setup (with config synchronization), Panorama needs to have access to both members.

The dedicated MGMT interface is not reachable, so Panorama cannot use that.

It is an active-passive cluster, so you cannot use a service route through one of the dataplane interfaces.


Re: Remote Access on passive node of firewall ha cluster

Ideally you'd set Panorama up so it has an "in" to the OOB network. Either set it up locally, via a bastion proxy, or via a segmented dataplane interface (via the active member).

Help the community: Like helpful comments and mark solutions
Reaper out

Re: Remote Access on passive node of firewall ha cluster

Hello,

What about a VPN tunnel to the HA pair, or using GlobalProtect to connect?


Regards,
