Yes @Danny , this will be our workaround but with not using separate management interface you loose the ability to do none disruptive upgrades.

I think this limitation and follow from them the needed design should be more highlighted in the documentation.

Please elaborate further about how using a dedicated data port (uplink port) as management port causes disruptions during upgrades.

Last year we run into a problem with LACP on the data interfaces... This knowledebase article was the result:

During an upgrade of a Quantum Maestro Security Group from R80.20SP/R80.30SP to R81.10, the "sp_upgr... 

The two releases are using different implementation of the LACP driver. Switching bond to backup/active on the old reelase solves the problem but our the first upgrade results in a disaster.

I see. I never had a security group running on R80.20SP, only R81 as currently recommended. So I didn't run yet into any upgrade issues.

Dear Danny,

Till now, I don't have used that kind of workaround, but I need it in a few days.

Can you please, give me a more detailed instruction, how to configure that workaround.

Best regards,

Christian

Read sk179005.

To enable on the fly for testing: g_fw -a ctl set int fwha_data_mgmt_connection 1

To enable and make permanent: g_fw -a ctl set -f int fwha_data_mgmt_connection 1

@Chris_Atkinson in our none Maestro environments this is a common solution, having the firewall management systems in a small subnet attached to a gateway and the gateway is the default way out to the other networks. For security reason no other way to these subnet exist without the gateway. 

Hmmm, so if GW has a "bad policy", how do you control it then? Plug yourself on the same network where MGMT sits?

I understand Zero Trust, and I do agree, MGMT should be behind a firewall. I respectfully disagree with a concept when the only access to your management tools is via FW managed by that same server. That can work for you for decades, but it does not mean this practice is absolutely the best. 

If that primary FW is dead, what's your next step? 

Find and fix the issue, as always. I don't expect to reach a firewall's management if the firewall cannot be reached. As most firewalls are clustered this issue is not very likely.

You are missing my point.

Do you intend to run all maintenance operations from the data center? if not, by mistake, or as a result of a technical failure, with your only FW and management depending on each other, you can be cut off. To overcome that cut, without any means of out of band access, you will have to go to that dusty noisy room every time something breaks 🙂

If a firewall has a failure I don't want ANYONE to be able to reach it's firewall management without physical access > Zero trust. And yes, in such situations a visit to the server room will be likely. Anyways, I didn't experience these situations to happen so often. 😀

I'm agree with @Danny .  In the last 20 years we had only one case that the firewall-management was not available as follow up of a firewall crash. And yes, you have to go onsite or maybee use other ways to connect to your management. But this is no problem and always better then lowering security.

I think this is a limitation of Maestro and there should be a solution and not finding reasons to change a common design of the security solution.

I am also very dissapointed to the current MGMT solution. Regarding your workaround. I would set the existing MHO interface 1/1/1 from management to uplink. Would that lead to any problems? In would expect it should work right away.