Remote Access on passive node of firewall ha cluster



L0 Member

Hello all,


I am currently configuring an HA cluster (active / passive) with the following configuration:


Primary (active) box: PA-820
ethernet1/1: (external interface)
ethernet1/2: (internal interface)
MGMT: (Management interface)


Secondary (passive) box: PA-820
ethernet1/1: No IP address, as this is the secondary (passive) box.
ethernet1/2: No IP address, as this is the secondary (passive) box.
MGMT: (Management interface)


The two firewall systems are located at the customer, so I have no physical access to the MGMT interface. Nevertheless, I would like to be able to administer both (!!!) firewall systems remotely. Previous attempts to access the management port (MGMT) via a NAT or similar have failed.


What works is access to the primary system via VPN. The internal interface (ethernet1/2) is in the list of protected networks, and the interface itself has been assigned the management role.


What options do I have left?


An active / active HA configuration is eliminated because DHCP is needed on the firewall.



Thanks for your help!
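Since the internal interface (ethernet1/2) on the active member carries the management role, the part a practitioner would want locked down is which sources may reach it. The following PAN-OS interface management profile is an added example, not configuration from the original post; the profile name and the VPN client pool 10.99.0.0/24 are assumptions, and the # lines are annotations rather than CLI input.

```text
# Added example (not from the original post): an interface management
# profile that permits only the VPN client pool to reach the dataplane
# interface. Profile name and 10.99.0.0/24 are assumed values.
set network profiles interface-management-profile VPN-Mgmt-Only https yes
set network profiles interface-management-profile VPN-Mgmt-Only ssh yes
set network profiles interface-management-profile VPN-Mgmt-Only ping yes
set network profiles interface-management-profile VPN-Mgmt-Only http no
set network profiles interface-management-profile VPN-Mgmt-Only telnet no
# Without permitted-ip the profile answers any source that can route to
# the interface; restrict it to the VPN pool described in the post.
set network profiles interface-management-profile VPN-Mgmt-Only permitted-ip 10.99.0.0/24
# Attach the profile to the internal interface named in the post.
set network interface ethernet ethernet1/2 layer3 interface-management-profile VPN-Mgmt-Only
commit
```

Because the HA pair synchronizes configuration, the same profile lands on the passive member, but as the thread notes its dataplane interfaces do not answer while passive, so this only governs access to the active unit.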





L7 Applicator

You can set up Panorama to manage multiple systems from a single entity; all managed systems connect into Panorama, so there is no need for access to the network at all.


An alternative 'industry best practice' method would be to set up a bastion host that is dual-homed, so you can VPN into the network and hop onto that station to perform admin on both firewalls.

Tom Piens
Like my answer? Check out my book!

@reaperam Am I missing something, or is Panorama not a valid option here?


Even if it is a cluster setup (with config synchronization), Panorama needs to have access to both members.

The dedicated MGMT interface is not reachable, so Panorama cannot use that.

It is an active-passive cluster, so you cannot use a service route through one of the dataplane interfaces.

Ideally you'd set the Panorama up so it has an "in" to the OOB network. Either set it up locally, via a bastion proxy, or via a segmented dataplane interface (via the active member).
Tom Piens
Like my answer? Check out my book!


What about a VPN tunnel to the HA pair, or using GlobalProtect to connect?


