CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.



#1 - roadrunner (Senior Member), 2005-08-13

Using a management network for multiple firewalls

Question
The current network design of the firewalls has all of them communicating back to the management station over a "private" network (I use the term loosely because the network is in routable space, but we're simply not advertising a route for it.) Because of this, all of the firewall objects are defined with an IP on that 'private' network. This is now starting to bite us since we're looking at deploying SecuRemote for our employees.

Based on all I've read, it sounds like the management station is handing out the IP address of the firewall as defined in its object. In our case, that means that the SecuRemote client is receiving the IP address on the 'private' network, can't talk to the firewall, and bombs out.

It certainly sounds like I need to modify the firewall objects to have the routable IP address listed in there, and that should at least get me a little further along in getting SecuRemote ready to go.

My question is this, though. I'd like policies to still be pushed out over the 'private' network. If I change the IP of the firewall object, will it start using that IP to push policies to it, or will it use /etc/hosts to figure out where to go?


Answer
You want to use the routable IPs. Those are the IPs FireWall-1 will use to push policy. You can force the communication to go through a management-style network by adding static routes to your management console forcing the traffic through this network. Simple, but effective, and everyone's happy. You may have to add some static routes elsewhere in the network as well, but it works. Note that if you manage multiple firewalls in an HA configuration, you should do something similar to force the management connection to go to the correct firewall. Otherwise, when you try to update your secondary firewall, it will go through your primary.

-- GuyR - 11 Jan 2004
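The answer above, as an added illustration that is not part of the original post: a small longest-prefix-match simulation of the management server's routing table, showing that once the firewall objects carry their routable IPs, policy push follows the default route until a /32 host route per firewall (via that firewall's own management-network address, which also covers the HA case) pulls it back onto the management network. All addresses, interface names and the route table are constructed placeholders.

```python
import ipaddress

# Constructed routing table of the management server before the fix:
# (prefix, next hop or None if directly attached, egress interface)
BASE_ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "eth0"),   # default route, public side
    ("10.250.0.0/24", None, "eth1"),        # directly attached management network
]

# Constructed firewall objects: routable (object) IP and management-network IP
FIREWALLS = {
    "fw-primary":   {"routable": "198.51.100.10", "mgmt": "10.250.0.10"},
    "fw-secondary": {"routable": "198.51.100.11", "mgmt": "10.250.0.11"},
}


def lookup(routes, dst):
    """Longest-prefix match: return (next_hop, iface) chosen for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


def mgmt_host_routes(firewalls, mgmt_iface="eth1"):
    """One /32 host route per firewall's routable IP, via that firewall's
    own management address, so each unit (including the HA secondary)
    is reached directly and not through its peer."""
    return [(f"{fw['routable']}/32", fw["mgmt"], mgmt_iface)
            for fw in firewalls.values()]


def policy_push_paths(routes, firewalls):
    """Which (next_hop, iface) the management server uses per firewall."""
    return {name: lookup(routes, fw["routable"]) for name, fw in firewalls.items()}


if __name__ == "__main__":
    print("before:", policy_push_paths(BASE_ROUTES, FIREWALLS))
    fixed = BASE_ROUTES + mgmt_host_routes(FIREWALLS)
    print("after: ", policy_push_paths(fixed, FIREWALLS))
```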

