Focus

Synchronization of System Runtime Information

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

What Settings Don’t Sync in Active/Active HA?

Monitoring

Synchronization of System Runtime Information

The following table summarizes what system runtime information is synchronized between HA peers.

Runtime Information	Config Synced?		HA Link	Details
Runtime Information	A/P	A/A	HA Link	Details
Management Plane
User to Group Mappings	Yes	Yes	HA1
User Mappings across Virtual Systems	Yes	Yes	HA1
User to IP Address Mappings	Yes	Yes	HA1	In an A/A configuration, only the Active-Primary peer connects to User-ID Servers or Agents, and not the Active-Secondary peer. If the Active-Primary peer is Suspended or offline, the Active-Secondary peer connects to the User-ID Servers or Agents.
DHCP Lease (as server)	Yes	Yes	HA1	If the PAN-OS versions on the HA peers don’t match, the DHCP Lease (as server) config information won’t sync.
DNS Cache	No	No	N/A
FQDN Refresh	No	No	N/A
IKE SAs [Security Associations] (phase 1)	No	No	N/A
Forward Information Base (FIB)	Yes	No	HA1
Multicast FIB (MFIB)	Yes	No	HA1
PAN-DB URL Cache	Yes	No	HA1	This is synchronized upon database backup to disk (every eight hours, when URL database version updates), or when the firewall reboots.
Content (manual sync)	Yes	Yes	HA1
PPPoE, PPPoE Lease	Yes	Yes	HA1
DHCP Client Settings and Lease	Yes	Yes	HA1	If the PAN-OS versions on the HA peers don’t match, the DHCP Client Settings and Lease config information won’t sync.
SSL VPN Logged in User List	Yes	Yes	HA1
Dataplane
Session Table	Yes	Yes	HA2	Active/passive peers do not sync ICMP or host session information. Active/active peers do not sync host session, multicast session, or BFD session information. A host session is a session terminated on one of the firewall interfaces, such as an ICMP session pinging one of the firewall interfaces or a GP tunnel.
Multicast Session Table	Yes	No	HA2
ARP Table	Yes	No	HA2
Neighbor Discovery (ND) Table	Yes	No	HA2
MAC Table	Yes	No	HA2
IPSec SAs [Security Associations] (phase 2)	Yes	Yes	HA2
IPSec Sequence Number (anti-replay)	Yes	Yes	HA2
DoS Block List Entries	No	No	N/A
Virtual MAC	Yes	Yes	HA2
SCTP Associations	Yes	No	HA2

What Settings Don’t Sync in Active/Active HA?

Monitoring

Next-Generation Firewall Docs

Synchronization of System Runtime Information

Next-Generation Firewall Docs

Synchronization of System Runtime Information

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner