01-04-2021 10:13 AM
Hello,
We have a 3200 series HA cluster.
The requirement is to change the IP address of the management interface of both nodes.
(Note: we are not changing the IP address of Panorama.)
All the required rules and routes are in place.
Can we change the IP address remotely while still logged in through the management interface (old IP)?
Via the command line, if we change the IP and gateway (via a single command), we may get a momentary disconnection? But if everything else seems to be in place, like proper port settings and routing etc. to reach the new management range, it should work?
We want to avoid going to the DC because of restrictions (for console access).
Can anyone suggest a way to change the management IP of cluster nodes remotely? Which node should we do first, the secondary?
Also, after changing the node management IP addresses, what change do we have to make in Panorama to reflect the new IP addresses?
If anyone has a procedure, please share.
01-05-2021 06:27 AM - edited 01-05-2021 06:37 AM
Hi @FWPalolearner ,
There are a lot of comments, not sure if I got everything, but:
- What version is your FW and Panorama? If you are running 9.1 you probably can rely on the feature Automated Commit Recovery. We still run on 9.0 so I haven't tested this feature, but in theory this should work great for your case:
1. Enable the automatic recovery
2. Push the new mgmt IP from Panorama. If there are any issues with the new mgmt IP, the FW will lose access to Panorama and the recovery process should kick in.
- In general you don't have to do anything on the Panorama once you change the FW mgmt IP. This is because the Panorama is using the serial number to track the FWs. When you configure the FW with the Panorama IP, it will attempt to register to Panorama. By default Panorama will accept any source IP and will try to establish the TCP/SSL connection; it will ask for the SN and if the provided SN is already added to Panorama it will accept the FW request and complete the registration. So in your case, once you change the mgmt IP, the FW will generate a new TCP session with the new source, Panorama will establish this session and will see that the SN is the same as the one already registered and will automatically update the IP under "Managed Devices".
Similar to the FW, you can configure a permitted IP list to specify which IP addresses are allowed to connect to Panorama; if nothing is defined, Panorama will accept anything. So if you have anything configured under the permitted IP list, make sure you have included the new mgmt IP/range.
- You cannot SSH to a member over the HA link. Even if you receive a password prompt, the firewall will not allow you to connect.
- As a fallback you can configure a mgmt profile on a dataplane interface. Indeed, for an HA cluster you will be able to connect only to the active member. But this should be enough as a fallback:
1. Assign mgmt profile
2. Connect to active FW, fix the mgmt IP
3. Suspend FW to cause failover
4. Reconnect to mgmt profile IP, which now will connect you to the second FW
5. Fix mgmt IP on secondary device
- I believe @OtakarKlier was trying to say: check your HA config and make sure you don't use the mgmt IP for HA1. If you do and you don't have a backup HA1, you will have split brain once you change the FW mgmt IP on one of the members.
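A pre-change checklist in code, added here as an illustration and not part of the thread or any PAN-OS tool: it validates a planned management IP against the three pitfalls raised above (gateway outside the new subnet, HA1 riding on the management port with no backup link, and the new address missing from Panorama's permitted IP list). All addresses below are constructed sample values, and the function name `plan_mgmt_change` is my own.

```python
import ipaddress


def plan_mgmt_change(new_ip, netmask, gateway, ha1_uses_mgmt=False,
                     ha1_backup=False, panorama_permit=()):
    """Return a list of problems found in a planned management IP change.

    Checks: the new default gateway must sit inside the new management
    subnet; HA1 must not depend on the management port unless a backup
    HA1 link exists (otherwise split brain after the first member moves);
    and when Panorama has a permitted IP list, the new address must be
    covered by it or the firewall cannot re-register.  Empty list = no
    objections found.
    """
    problems = []
    mgmt = ipaddress.ip_interface(f"{new_ip}/{netmask}")
    gw = ipaddress.ip_address(gateway)

    # A gateway outside the new subnet strands the management port after commit.
    if gw == mgmt.ip:
        problems.append("gateway is the same as the new management IP")
    elif gw not in mgmt.network:
        problems.append(f"gateway {gw} is outside {mgmt.network}; "
                        "the box would be unreachable after commit")

    # HA1 over the mgmt port with no backup HA1: the peer loses the control link.
    if ha1_uses_mgmt and not ha1_backup:
        problems.append("HA1 runs over the management port with no backup HA1: "
                        "changing one member's IP risks split brain")

    # Panorama accepts any source when the permitted list is empty; otherwise
    # the new address must be inside one of the configured networks.
    permitted = [ipaddress.ip_network(p, strict=False) for p in panorama_permit]
    if permitted and not any(mgmt.ip in net for net in permitted):
        problems.append(f"{mgmt.ip} is not in Panorama's permitted IP list; "
                        "the firewall cannot re-register")
    return problems


if __name__ == "__main__":
    # Constructed example: wrong gateway, HA1 on mgmt, permit list too narrow.
    for p in plan_mgmt_change("10.20.30.5", "255.255.255.0", "10.20.31.1",
                              ha1_uses_mgmt=True,
                              panorama_permit=["10.1.0.0/16"]):
        print("CHECK:", p)
```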
01-04-2021 11:02 AM
Hello,
Prior to doing this, I would recommend you configure another interface and give it a management profile. Test the new one prior to making any changes to the main one. This way, if you lose the main management ports for whatever reason, you won't lose access to the devices. You can always remove the management profile after all your changes have been made successfully. I do this on all my firewalls so that I have secondary access if needed, but I also restrict who/what can connect to the secondary interface.
Hope that helps.
01-04-2021 11:07 AM
Hello @OtakarKlier, thanks for your reply.
I currently have many subinterfaces and I can assign a management profile to any of them, but those are firewall interfaces shared by the cluster. How do I access the firewalls individually even if I configure a management profile on any of the existing subinterfaces?
01-04-2021 11:21 AM
Hello,
Check the links I posted. You can restrict access by source IP/subnet. If it's in a different zone, you can use a security policy to limit source/destination and even by username. Also remember that you have to have an account on the PAN in order to be able to access it.
Hope that helps.
01-04-2021 11:33 AM
Hi,
I understand that we can restrict via source IP address.
The point here is, if I use one of the traffic interfaces/subinterfaces as the management interface, I can only access one box of the cluster, as there are no two different addresses on the traffic interfaces.
01-04-2021 11:40 AM
Hello,
You are correct. While a bit risky you can try the following:
1. Set up secondary management interfaces.
2. Perform the changes (this would be PAN-A in the cluster)
3. Verify the changes
4. Fail over to the secondary (this would be PAN-B in the cluster)
5. Perform the changes
6. Verify the changes
7. Either fail back or run like this
Just a thought.
01-04-2021 12:20 PM
Ok, thanks. Yes, it can be one of the solutions. The only point is having to do a failover 🙂
My gut feeling says that after changing the IP address to the new one and doing "commit"
we will momentarily lose access, but it should work with the new address after that.
01-04-2021 12:31 PM
Hello,
Not if using the secondary management port to make the change. Use it instead of the primary one, since it won't change.
Hope that makes sense.
Regards,
01-04-2021 12:42 PM
I don't understand your last point.
01-04-2021 01:02 PM
If you are connected to the secondary management interface, then since its IP is not changing, you should not lose connectivity. Also place the standby unit into suspended state so a failover does not happen, depending on your HA configuration. Then once the primary is changed, change the secondary and make sure HA is working.
01-04-2021 01:19 PM
I was thinking if we can make use of the sync interface.
1) Log in to the active firewall
2) Log in (SSH) to the sync IP of the passive firewall and change the mgmt IP of the passive.
3) Log in to the passive FW with the new IP. SSH to the sync IP of the active FW. Change the mgmt IP.
01-04-2021 01:28 PM
Hello,
I don't recall if an HA sync interface can be SSHed into; if yes, then I say go for it, as it's a similar principle. Just make sure you know your HA policies in and out so as not to cause a failover or split brain.
Regards,
01-04-2021 01:35 PM
Sure, I will also check.
Just one point: changing the mgmt IP using the sync interface does not impact HA, as it is a local config, so there is no HA issue or split brain.
01-05-2021 03:17 AM
I tried to access via the sync port; it's not working (SSH).
This is strange, as my HA interfaces have an IP address but SSH is not working.
01-05-2021 03:19 AM
Last question:
Once the IP address of the management interfaces on both nodes is changed, what do we have to do in Panorama?
Does Panorama recognise the new IPs automatically (rules are open between Panorama and the new FW management IP addresses)?
Do we have to do anything in templates or device groups?