Configure a Redundant Manager Access Data Interface

When you use a data interface for manager access, you can configure a secondary data interface to take over management functions if the primary interface goes down. You can configure only one secondary interface. The device uses SLA monitoring to track the viability of the static routes and an ECMP zone that contains both interfaces so management traffic can use both interfaces.

Before you begin

The secondary interface needs to be in a separate security zone from the primary interface.
All of the same requirements apply to the secondary interface as apply to the primary interface. See Using the Firewall Threat Defense Data Interface for Management.

Procedure

1	On the Devices > Device Management page, click Edit () for the device.
2	Enable manager access for the secondary interface. This setting is in addition to standard interface settings such as enabling the interface, setting the name, setting the security zone, and setting a static IPv4 address. Choose Interfaces > Edit Physical Interface > Manager Access. Check Enable management on this interface for the Manager. Click OK. Both interfaces show (Manager Access) in the interface listing. *Figure 1: Interface Listing*
3	Add the secondary address to the Management settings. Click Device, and view the Management area. Click Edit (). *Figure 2: Edit Management Address* In the Management dialog box, modify the name or IP address in the Secondary Address field *Figure 3: Management IP Address* Click Save.
4	Create an ECMP zone with both interfaces. Click Routing. From the virtual router drop-down, choose the virtual router in which the primary and secondary interfaces reside. Click ECMP, and then click Add. Enter a Name for the ECMP zone. Select the primary and secondary interfaces under the Available Interfaces box, and then click Add. *Figure 4: Add an ECMP Zone* Click OK, and then Save.
5	Add equal-cost default static routes for both interfaces and enable SLA tracking on both. The routes should be identical except for the gateway and should both have metric 1. The primary interface should already have a default route that you can edit. *Figure 5: Add/Edit Static Route* Click Static Route. Either click Add Route to add a new route, or click Edit () for an existing route. From the Interface drop-down, choose the interface. For the destination network, select any-ipv4 from the Available Networks box and click Add. Enter the default Gateway. For Route Tracking, click Add () to add a new SLA monitor object. Enter the required parameters including the following: The Monitor Address as the Firewall Management Center IP address. The zone for the primary or secondary management interface in Available Zones; for example, choose the outside zone for the primary interface object, and the mgmt zone for the secondary interface object. See SLA Monitor for more information. *Figure 6: Add SLA Monitor* Click Save, then choose the SLA object you just created in the Route Tracking drop-down list. Click OK, and then Save. Repeat for the default route for the other management interface.
6	Deploy configuration changes. As part of the deployment for this feature, the Firewall Management Center enables the secondary interface for management traffic, including auto-generated policy-based routing configuration for management traffic to get to the right data interface. The Firewall Management Center also deploys a second instance of the configure network management-data-interface command. Note that if you edit the secondary interface at the CLI, you cannot configure the gateway or otherwise alter the default route, because the static route for this interface can only be edited in the Firewall Management Center.

Previous topic Change the Manager Access Interface from Data to Management Next topic Modify Firewall Threat Defense Management Interfaces at the CLI