https://community.checkpoint.com/t5/Firewall-and-Security-Management/Tacacs-authentication-from-standby-member-in-R80-xx/m-p/66187#M5042 <P>I have a Cluster HA with 3 members, i enabled the parameter fwha_forw_packet_to_not_active indicated in the sk42695.</P><P>But i saw that the traffic is blocked by the active member. In R80.10 and R80.20 i had this problem.</P><P>&nbsp;</P><P>The workaround that i applied is:</P><P>* Permit the Physical IP of the FWs in the Tacacs servers for authetication</P><P>* Create a NAT exception (prevent the hide nat cluster VIP) for the FWs send the request to the tacacs Server with its own address</P><P>* Tacacs authentication working in the standbys members.</P> Tue, 29 Oct 2019 22:19:28 GMT jonito_villa 2019-10-29T22:19:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Tacacs-authentication-from-standby-member-in-R80-xx/m-p/66187#M5042 <P>I have a Cluster HA with 3 members, i enabled the parameter fwha_forw_packet_to_not_active indicated in the sk42695.</P><P>But i saw that the traffic is blocked by the active member. In R80.10 and R80.20 i had this problem.</P><P>&nbsp;</P><P>The workaround that i applied is:</P><P>* Permit the Physical IP of the FWs in the Tacacs servers for authetication</P><P>* Create a NAT exception (prevent the hide nat cluster VIP) for the FWs send the request to the tacacs Server with its own address</P><P>* Tacacs authentication working in the standbys members.</P> Tue, 29 Oct 2019 22:19:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Tacacs-authentication-from-standby-member-in-R80-xx/m-p/66187#M5042 jonito_villa 2019-10-29T22:19:28Z