What Settings Don’t Sync in Active/Passive HA?
Focus
Focus

What Settings Don’t Sync in Active/Passive HA?

Table of Contents
End-of-Life (EoL)

What Settings Don’t Sync in Active/Passive HA?

You must configure the following settings on each firewall in an HA pair in an active/passive deployment. These settings do not sync from one peer to another.
Configuration Item
What Doesn’t Sync in Active/Passive?
Management Interface Settings
All management configuration settings must be configured individually on each firewall, including:
  • DeviceSetupManagementGeneral Settings—Hostname, Domain, Login Banner, SSL/TLS Service Profile (and associated certificates), Time Zone, Locale, Date, Time, Latitude, Longitude.
  • DeviceSetupManagementManagement Interface Settings—IP Type, IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP)
Multi-vsys Capability
You must activate the Virtual Systems license on each firewall in the pair to increase the number of virtual systems beyond the base number provided by default on PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls.
You must also enable Multi Virtual System Capability on each firewall (DeviceSetupManagementGeneral Settings).
Panorama Settings
Set the following Panorama settings on each firewall (DeviceSetupManagementPanorama Settings).
  • Panorama Servers
  • Disable Panorama Policy and Objects and Disable Device and Network Template
SNMP
DeviceSetupOperationsSNMP Setup
Services
DeviceSetupServices
Global Service Routes
DeviceSetupServicesService Route Configuration
Telemetry and Threat Intelligence Settings
DeviceSetupTelemetry and Threat Intelligence
Data Protection
DeviceSetupContent-IDManage Data Protection
Jumbo Frames
DeviceSetupSessionSession SettingsEnable Jumbo Frame
Packet Buffer Protection
DeviceSetupSessionSession SettingsPacket Buffer Protection
NetworkZonesEnable Packet Buffer Protection
Forward Proxy Server Certificate Settings
DeviceSetupSessionDecryption SettingsSSL Forward Proxy Settings
Master Key Secured by HSM
DeviceSetupHSMHardware Security Module ProviderMaster Key Secured by HSM
Log Export Settings
DeviceScheduled Log Export
Software Updates
With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer (DeviceSoftware).
GlobalProtect Agent Package
With GlobalProtect app updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer (DeviceGlobalProtect Client).
Content Updates
With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer (DeviceDynamic Updates).
Licenses/Subscriptions
DeviceLicenses
Support Subscription
DeviceSupport
Master Key
The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (DeviceMaster Key and Diagnostics).
Before changing the master key, you must disable config sync on both peers (DeviceHigh AvailabilityGeneralSetup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.
Reports, logs, and Dashboard Settings
Log data, reports, and Dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.
HA settings
DeviceHigh Availability
Rule Usage Data
Rule usage data, such as hit count, Created, and Modified Dates, are not synced between peers. You need to log in to the each firewall to view the policy rule hit count data for each firewall or use Panorama to view information on the HA firewall peers.
Certificates for Device Management and Syslog Communication over SSL only
DeviceCertificate ManagementCertificates
Certificates used for device management or for syslog communication over SSL don’t synchronize with an HA peer.
Although the certificates used for the management interface are not synchronized (and can be different), the name of the certificate entry should be the same for the active and passive devices.
Certificates in a Certificate Profile
DeviceCertificate ManagementCertificate Profile
SSL/TLS Service Profile for Device Management only
DeviceCertificate ManagementSSL/TLS Service Profile
SSL/TLS Service Profile for Device Management doesn’t synchronize with an HA peer.
Device-ID and IoT Security
IP address-to-device mappings and policy rule recommendations don’t synchronize with an HA peer.