>
    What Settings Don’t Sync in Active/Passive HA?
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. High Availability
    4. Reference: HA Synchronization
    5. What Settings Don’t Sync in Active/Passive HA?
    Download PDF

    What Settings Don’t Sync in Active/Passive HA?

    Table of Contents
    End-of-Life (EoL)

    What Settings Don’t Sync in Active/Passive HA?

    You must configure the following settings on each firewall in an HA pair in an active/passive deployment. These settings do not sync from one peer to another.
    Configuration Item
    What Doesn’t Sync in Active/Passive?
    Management Interface Settings
    All management configuration settings must be configured individually on each firewall, including:
    • DeviceSetupManagementGeneral Settings—Hostname, Domain, Login Banner, SSL/TLS Service Profile (and associated certificates), Time Zone, Locale, Date, Time, Latitude, Longitude.
    • DeviceSetupManagementManagement Interface Settings—IP Type, IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP)
    Multi-vsys Capability
    You must activate the Virtual Systems license on each firewall in the pair to increase the number of virtual systems beyond the base number provided by default on PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls.
    You must also enable Multi Virtual System Capability on each firewall (DeviceSetupManagementGeneral Settings).
    Panorama Settings
    Set the following Panorama settings on each firewall (DeviceSetupManagementPanorama Settings).
    • Panorama Servers
    • Disable Panorama Policy and Objects and Disable Device and Network Template
    SNMP
    DeviceSetupOperationsSNMP Setup
    Services
    DeviceSetupServices
    Global Service Routes
    DeviceSetupServicesService Route Configuration
    Telemetry and Threat Intelligence Settings
    DeviceSetupTelemetry and Threat Intelligence
    Data Protection
    DeviceSetupContent-IDManage Data Protection
    Jumbo Frames
    DeviceSetupSessionSession SettingsEnable Jumbo Frame
    Packet Buffer Protection
    DeviceSetupSessionSession SettingsPacket Buffer Protection
    NetworkZonesEnable Packet Buffer Protection
    Forward Proxy Server Certificate Settings
    DeviceSetupSessionDecryption SettingsSSL Forward Proxy Settings
    Master Key Secured by HSM
    DeviceSetupHSMHardware Security Module ProviderMaster Key Secured by HSM
    Log Export Settings
    DeviceScheduled Log Export
    Software Updates
    With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer (DeviceSoftware).
    GlobalProtect Agent Package
    With GlobalProtect app updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer (DeviceGlobalProtect Client).
    Content Updates
    With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer (DeviceDynamic Updates).
    Licenses/Subscriptions
    DeviceLicenses
    Support Subscription
    DeviceSupport
    Master Key
    The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (DeviceMaster Key and Diagnostics).
    Before changing the master key, you must disable config sync on both peers (DeviceHigh AvailabilityGeneralSetup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.
    Reports, logs, and Dashboard Settings
    Log data, reports, and Dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.
    HA settings
    DeviceHigh Availability
    Rule Usage Data
    Rule usage data, such as hit count, Created, and Modified Dates, are not synced between peers. You need to log in to the each firewall to view the policy rule hit count data for each firewall or use Panorama to view information on the HA firewall peers.
    Certificates for Device Management and Syslog Communication over SSL only
    DeviceCertificate ManagementCertificates
    Certificates used for device management or for syslog communication over SSL don’t synchronize with an HA peer.
    Although the certificates used for the management interface are not synchronized (and can be different), the name of the certificate entry should be the same for the active and passive devices.
    Certificates in a Certificate Profile
    DeviceCertificate ManagementCertificate Profile
    SSL/TLS Service Profile for Device Management only
    DeviceCertificate ManagementSSL/TLS Service Profile
    SSL/TLS Service Profile for Device Management doesn’t synchronize with an HA peer.
    Device-ID and IoT Security
    IP address-to-device mappings and policy rule recommendations don’t synchronize with an HA peer.

    © 2024 Palo Alto Networks, Inc. All rights reserved.