Managing the secondary device in an Active/Passive pair operating in Transparent mode.
When operating in Transparent mode, the backup in an Active/Passive pair can only be managed from one Layer 2 zone at a time. By default, this zone is V1-Trust.
If management is needed from V1-Untrust, V1-DMZ, or a custom Layer 2 zone, use the command:
set interface vlan1 nsrp manage zone <zone name>
Note: This command must be enabled on both devices in the NSRP cluster.
The current management zone can be checked with the 'get interface vlan1' command:
204(B)-> get interface vlan1
Interface vlan1:
number 15, if_info 6000, if_index 0, VLAN tag 1, mode nat
link inactive, phy-link up/full-duplex
vsys Root, zone MGT, vr trust-vr
ip 192.168.1.1/24 mac 0010.dbff.20f0
manage ip 192.168.1.2, mac 0010.db27.68cf
ping enabled, telnet enabled, SCS enabled, SNMP enabled
web disabled, SSL enabled
webauth disabled, webauth-ip 0.0.0.0
OSPF disabled BGP disabled
DHCP-elay disabled
bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
total configured gbw 0kbps, total allocated gbw 0kbps
unknown mac address resolve method: FLOOD
vlan trunk: Off
bypass others IPSEC: Off
In backup mode, only traffic from V1-TRUST can manage the box
Note: Ensure the manage-ip addresses are different for both the primary and backup firewalls. For more information on configuring a manage IP address, refer to KB4059 - [ScreenOS] Configuring a Manage IP Address on Juniper firewall.
For more info on interface VLAN1, see KB4862 - What is the function of the vlan1 interface.
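The two requirements above (the nsrp manage zone must be set on both cluster members, and the manage-ip addresses must differ) are easy to get wrong on one member only. The following script is an added example, not part of this article or of ScreenOS; it parses the 'get interface vlan1' output captured from each member and reports any mismatch. The sample outputs are constructed for illustration, and the function names (parse_vlan1, audit_cluster) are assumptions of this example.

```python
import re

# Constructed sample 'get interface vlan1' output from each member of an
# Active/Passive NSRP cluster. Only the lines the audit needs are included;
# addresses are illustrative, not from a real device.
PRIMARY_OUTPUT = """\
Interface vlan1:
  vsys Root, zone MGT, vr trust-vr
  ip 192.168.1.1/24 mac 0010.dbff.20f0
  manage ip 192.168.1.2, mac 0010.db27.68cf
  In backup mode, only traffic from V1-Untrust can manage the box
"""

BACKUP_OUTPUT = """\
Interface vlan1:
  vsys Root, zone MGT, vr trust-vr
  ip 192.168.1.1/24 mac 0010.dbff.20f1
  manage ip 192.168.1.3, mac 0010.db27.68d0
  In backup mode, only traffic from V1-Untrust can manage the box
"""

# 'manage ip' appears on its own line; the plain 'ip .../24' line must not match.
MANAGE_IP_RE = re.compile(r"^\s*manage ip (\d+\.\d+\.\d+\.\d+)", re.M)
# ScreenOS prints the management zone in the 'In backup mode' line.
MANAGE_ZONE_RE = re.compile(r"only traffic from (\S+) can manage the box", re.M)


def parse_vlan1(output):
    """Return (manage_ip, manage_zone) parsed from 'get interface vlan1' text.

    The zone is upper-cased because the device prints V1-TRUST while the
    configuration command accepts mixed case (V1-Untrust)."""
    ip_m = MANAGE_IP_RE.search(output)
    zone_m = MANAGE_ZONE_RE.search(output)
    manage_ip = ip_m.group(1) if ip_m else None
    zone = zone_m.group(1).upper() if zone_m else None
    return manage_ip, zone


def audit_cluster(primary_output, backup_output, expected_zone="V1-TRUST"):
    """Check both members against the article's two rules.

    Returns a list of findings; an empty list means the pair is consistent:
      - both members report the same, expected management zone, and
      - the manage-ip addresses are present and different."""
    findings = []
    p_ip, p_zone = parse_vlan1(primary_output)
    b_ip, b_zone = parse_vlan1(backup_output)

    if p_ip is None or b_ip is None:
        findings.append("manage-ip is missing on at least one member")
    elif p_ip == b_ip:
        findings.append(f"manage-ip {p_ip} is identical on both members")

    want = expected_zone.upper()
    for member, zone in (("primary", p_zone), ("backup", b_zone)):
        if zone != want:
            findings.append(f"{member}: management zone is {zone}, expected {want}")
    return findings


if __name__ == "__main__":
    # Expect V1-Untrust on both members; prints nothing if the pair is consistent.
    for finding in audit_cluster(PRIMARY_OUTPUT, BACKUP_OUTPUT, "V1-Untrust"):
        print("FINDING:", finding)
```

Run it against captured output from both members after changing the management zone; any finding means the command was applied to only one member, or the manage-ip was copied unchanged from primary to backup.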
2021-01-04: Minor non-technical changes were made. Article reviewed for accuracy. Article is correct and complete.