
General discussion


Multiple firewalls around the world

Dear Gurus,

In the coming few months we will migrate a customer from Check Point to PAN (finally 😀). The customer will implement a cluster for each branch office.

This customer has a lot of branch offices around the world. The current Check Point firewalls are managed centrally via the firewall public IP.

We will use Panorama to manage all firewalls, but we are not sure how we can be sure to always reach the MGMT interface. I mean, we want to configure a public IP also for the MGMT interface in order to be able to commit and change config if the VPN is down. I found the following scenarios, but I would like feedback on which is best:


1) MGMT interfaces configured with a public IP and Permitted IP addresses limited to the customer's HQ public networks.

2) MGMT interfaces NATted by the firewall itself to two specific public IPs (one for each member) and filtered by a security policy.

3) MGMT configured in the LAN and configured with the public IP of Panorama. The traffic will be NATted by the firewall to reach the Panorama public IP. Will the commit work successfully? Panorama cannot initiate traffic to the MGMT IP.


Any other ideas?


Thanks in advance.

Jacopo


jacopo.vigano
Jan 05, 2021

@Reaper I think manually switching is the best option.

Actually I have the firewalls connected on the private IP inside the VPN and I see the firewalls correctly connected, but Panorama cannot receive the logs because the firewalls keep the public IP (I dropped the traffic on the firewall that NATs Panorama) as priority.


Panorama is configured in Panorama mode and the primary IP of Panorama in the firewalls is the private one.


That's strange, it seems there are different behaviours between Panorama and Log Collector.


Do you have any suggestions?


Thanks.

Jacopo

