01-31-2024 03:44 PM - edited 01-31-2024 03:57 PM
@mb_equate You expect me to actually fully read something instead of skimming it, now who’s being unreasonable 😉
In that case I’d actually still point towards the method that I mentioned above being viable and I’d stand by it with a bit more context.
While you will only directly have access to the active unit in the HA pair, there’s nothing stopping you from using SSH to get to the passive member from the CLI on the active device. You’d have a management connection you could still SSH into directly from your active firewall to do anything you needed bar accessing the GUI without using a jumpbox.
Okay, I have to edit this because even after you called my lack of reading the question out, I still didn’t actually go fully read @PA_nts's original post.
@PA_nts your client is putting way too many restrictions on this. You can’t use a tunnel for access and you can’t make your MGMT VLAN routable? Something has to give there; you either live with only having access to a single device at a time, you make MGMT accessible, or you do a very extended version of what @OtakarKlier already mentioned and was likely alluding to to begin with.
The only way this works with your limitations is expanding on what @OtakarKlier mentioned already. You’ll need to sacrifice the MGMT port on both to have access to the passive unit with these restrictions and plug it into a dataplane port and NAT it or isolate it into a routable zone.
Importantly, this requires that you enable a management profile on the untrust interface (or any other public interface) as well as that additional MGMT connection we just plugged in from each firewall peer. One public IP becomes the active firewall and the other (or a port if you don’t have IPs to spare) becomes the passive unit.
This would work given your limitations, but it’s very dumb and adds complexity. The client should just be willing to make some concessions here.