07-19-2019 03:55 AM
Hello all,
I am currently configuring an HA cluster (active / passive) with the following configuration:
Primary (active) box: PA-820
ethernet1 / 1: 1.1.1.1/29 (external interface)
ethernet1 / 2: 192.168.0.1/24 (internal interface)
MGMT: 192.168.50.251/25 (Management interface)
Secondary (passive) box: PA-820
ethernet1 / 1: No IP address, as this is the secondary (passive) box.
ethernet1 / 2: No IP address, as this is the secondary (passive) box.
MGMT: 192.168.50.252/25 (Management interface)
The two firewall systems are located at the customer, so I have no physical access to the MGMT interface. Nevertheless, I would like to be able to administrate both (!!!) firewall systems remotely. Previous attempts to access the management port (MGMT) via a NAT or similar have failed.
What works is access to the primary system via VPN. The internal interface (ethernet1 / 2) is in the list of protected networks, and the interface itself has been assigned the management role.
What options do I have left?
An active / active HA configuration is eliminated because DHCP is needed on the firewall.
Thanks for your help!
Regards,
Guido
07-19-2019 05:05 AM
You can set up Panorama to manage multiple systems from a single entity. All managed systems connect into Panorama, so there is no need for access to the network at all.
An alternative 'industry best practice' method would be to set up a bastion host that is dual homed so you can VPN into the network and hop onto that station to perform admin on both firewalls
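As an added illustration of the dual-homed bastion approach described in the reply above (this is not configuration from the thread or from Palo Alto Networks), the following OpenSSH client configuration reaches the management interface of both HA members through one jump host. It assumes a bastion named bastion.example.internal that is reachable over the existing VPN and also has an interface on the 192.168.50.x/25 management segment, key-based logins for a hypothetical fwadmin account on the bastion, and an admin account on the firewalls; the host names and key path are placeholders.

```sshconfig
# Added example, not from the original thread. Assumed: bastion.example.internal
# is reachable over the VPN and is also homed on the 192.168.50.x/25 management
# segment; all logins use the key in ~/.ssh/fw_admin_ed25519 (placeholder path).
Host bastion
    HostName bastion.example.internal
    User fwadmin
    IdentityFile ~/.ssh/fw_admin_ed25519
    IdentitiesOnly yes

# MGMT of the primary (active) PA-820, reached by hopping through the bastion
Host fw-primary
    HostName 192.168.50.251
    User admin
    ProxyJump bastion
    IdentityFile ~/.ssh/fw_admin_ed25519
    IdentitiesOnly yes

# MGMT of the secondary (passive) PA-820: its dataplane interfaces carry no IP,
# but the dedicated MGMT interface is still reachable from the management segment
Host fw-secondary
    HostName 192.168.50.252
    User admin
    ProxyJump bastion
    IdentityFile ~/.ssh/fw_admin_ed25519
    IdentitiesOnly yes
```

With this in ~/.ssh/config, `ssh fw-secondary` opens a CLI session on the passive member without any NAT or dataplane-side address. For the web UI, a local port forward through the same host (`ssh -L 8443:192.168.50.252:443 bastion`, then browse to https://localhost:8443) keeps HTTPS management off the dataplane as well. On the firewall side, the management interface's permitted-IP list can then be narrowed to the bastion's management-segment address only, so the bastion becomes the single, auditable path to both members.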
07-22-2019 12:58 AM
@reaperam Am I missing something, or is Panorama not a valid option here?
Even if it is a cluster setup (with config synchronization), Panorama needs to have access to both members.
The dedicated Mgmt interface is not reachable, so Panorama cannot use that.
It is an active-passive cluster, so you cannot use a service route through one of the dataplane interfaces.
07-22-2019 03:31 AM
07-22-2019 02:45 PM
Hello,
What about a VPN Tunnel to the HA pair or use Global Protect to connect?
Regards,