- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-19-2019 03:55 AM
Hello all,
I am currently configuring an HA cluster (active / passive) with the following configuration:
Primary (active) box: PA-820
ethernet1 / 1: 1.1.1.1/29 (external interface)
ethernet1 / 2: 192.168.0.1/24 (internal interface)
MGMT: 192.168.50.251/25 (Management interface)
Secondary (passive) box: PA-820
ethernet1 / 1: No IP address, as this is the secondary (passive) box.
ethernet1 / 2: No IP address, as this is the secondary (passive) box.
MGMT: 192.168.50.252/25 (Management interface)
The two firewall systems are located at the customer, so I have no physical access to the MGMT interface. Nevertheless, I would like to be able to administrate both (!!!) firewall systems remotely. Previous attempts to access the management port (MGMT) via a NAT or similar have failed.
What works is access to the primary system via VPN. The internal interface (ethernet1 / 2) is in the list of protected networks and the interface itself has been assigned the management role
What options do I have left?
An active / active HA configuration is eliminated because DHCP is needed on the firewall.
Thanks for your help!
Regards,
Guido
07-19-2019 05:05 AM
You can set up Panorama to manage multiple systems from a single entity, all managed systems connect into Panorama, so no need for access to the network at all
An alternative 'industry best practice' method would be to set up a bastion host that is dual homed so you can VPN into the network and hop onto that station to perform admin on both firewalls
07-22-2019 12:58 AM
@reaperam I missing something or the Panorama is not valid option here?
Even it is cluster setup (with config synchronization) Panorama needs to have access to both members.
Dedicated Mgmt interface is not reachable so the Panorama cannot use that
It is active-passive cluster so you cannot use service route through one of the dataplane interfaces.
07-22-2019 03:31 AM
07-22-2019 02:45 PM
Hello,
What about a VPN Tunnel to the HA pair or use Global Protect to connect?
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!