We like to share ideas/knowledge/hacks

It is always advised that you configure a dedicated management access port to any device that has this capability especially for a firewall rather than using the "inside" interface for routing and management purposes. The main advantage that is useful for a dedicated management port is that you can apply restrictions for access therefore not everyone within the "inside" network can hit the management port on ssh/telnet or https.



We have a high-availability (HA) firewall pair in our enterprise network configured as active-passive mode. You would have thought that enabling a management interface on a GUI would be fairly straight forward. At the back of my head the follow steps should suffice:

1. Enabling the interface
2. Allocate a dedicate IP address
3. Configure switchport on network
4. Plug in network cable

Within the CLI under the mgmt1 interface I had to add the line;
"set dedicated-to management"

Under ha:
"set ha-mgmt-status enable
  set ha-mgmt-interface "mgmt1"
  set ha-mgmt-interface-gateway w.y.x.254"

Below is a sample of how the entire configuration of both mgmt1 and ha interface should look like.

MGMT 1 config is found under root
OSP-1000C (mgmt1) # show
config system interface
    edit "mgmt1"
        set ip w.x.y.z 255.255.255.0
        set allowaccess ping https ssh
        set vlanforward enable
        set type physical
        set dedicated-to management
        set snmp-index 1
        set trust-ip-1 10.x.x.0 255.255.255.0
    next
end

HA config is found under global
OSP-1000C (ha) # show
config system ha
    set group-name "TheEmpire"
    set mode a-p
    set password *********
    set hbdev "port9" 50 "port10" 50
    set session-pickup enable
    set ha-mgmt-status enable
    set ha-mgmt-interface "mgmt1"
    set ha-mgmt-interface-gateway w.y.x.254
    set override disable
    set priority 255
    set monitor "port8"