In the coming few months we will migrate a customer from Check Point to PAN (finally 😀). The customer will implement a cluster for each branch office.
This customer has a lot of branch offices around the world. The current Check Point firewalls are managed centrally via their public IPs.
We will use Panorama to manage all firewalls, but we are not sure how we can be sure to always reach the MGMT interface. I mean, we want to configure a public IP also for the MGMT interface in order to be able to commit and change config if the VPN is down. I came up with the following scenarios but I would like feedback regarding which is best:
1) MGMT interfaces configured with a public IP and Permitted IP addresses limited to the HQ customer public networks.
2) MGMT interfaces NATed by the firewall itself to two specific public IPs (one for each member) and filtered by a security policy.
3) MGMT configured in the LAN and configured with the public IP of Panorama. The traffic will be NATed by the firewall to reach the Panorama public IP. Will the commit work successfully? Panorama cannot initiate traffic to the MGMT IP.
Any other idea?
Thanks in advance.
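As an added illustration of scenario 1 (not from the original post or from the poster's environment): a PAN-OS configure-mode fragment that gives the MGMT interface a public address, restricts inbound management to the HQ ranges with Permitted IPs, and turns off the management services that do not need to be exposed. All addresses are constructed placeholders from the RFC 5737 documentation ranges, and the Panorama server key is assumed to be the one for the PAN-OS release in use (the path differs between older and newer releases); the `#` lines are annotations to read, not commands to paste.

```text
configure

# Management interface on a public address (placeholder values).
set deviceconfig system ip-address 203.0.113.10 netmask 255.255.255.248 default-gateway 203.0.113.9

# Permitted IPs: only the HQ public ranges may reach the MGMT interface.
# With this list present, every other source is dropped before it reaches
# the management services, so this is the control that makes a public MGMT IP tolerable.
set deviceconfig system permitted-ip 198.51.100.0/24
set deviceconfig system permitted-ip 198.51.100.200/32

# Disable services that are not needed on an Internet-facing management plane;
# leave HTTPS and SSH for the HQ admins and Panorama.
set deviceconfig system service disable-http yes
set deviceconfig system service disable-telnet yes
set deviceconfig system service disable-icmp yes

# Panorama the firewall will register with (placeholder; exact key depends on PAN-OS version).
set deviceconfig system panorama-server 198.51.100.5

commit
```

Two points a practitioner would check against the three scenarios: the Permitted IP list applies to the MGMT interface only, so in scenario 2 (MGMT reached through a NAT on a data-plane interface) the equivalent restriction has to live in the security policy that fronts the NAT. For scenario 3, the managed firewall opens the management connection to Panorama itself (TCP 3978), and Panorama pushes commits back over that device-initiated channel, so a MGMT interface on a private LAN address behind source NAT does not need Panorama to initiate traffic to it.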