Synchronization Between Panorama HA Peers
End-of-Life (EoL)


The Panorama HA peers synchronize the running configuration each time you commit changes on the active Panorama peer. The candidate configuration is synchronized between the peers each time you save the configuration on the active peer or just before a failover occurs.
Settings that are common across the pair, such as shared objects and policy rules, device group objects and rules, template configuration, certificates and SSL/TLS service profiles, and administrative access configuration, are synchronized between the Panorama HA peers.
When you Enable Automated Commit Recovery, HA synchronization occurs only after the firewall successfully tests the connection between itself and Panorama after a push from Panorama.
The settings that are not synchronized are those that are unique to each peer, such as the following:
  • Panorama HA configuration—Priority setting, peer IP address, path monitoring groups and IP addresses
  • Panorama configuration—Management interface IP address, FQDN settings, login banner, NTP server, time zone, geographic location, DNS server, permitted IP addresses for accessing Panorama, SNMP system settings, and dynamic content update schedules
  • Scheduled configuration exports
  • NFS partition configuration and all disk quota allocation for logging. This applies only to a Panorama virtual appliance in Legacy mode that runs on a VMware ESXi server.
  • Disk quota allocation for the different types of logs and databases on the Panorama local storage (SSD)
    If you use a master key to encrypt the private keys and certificates on Panorama, you must use the same master key on both HA peers. If the master keys differ, Panorama cannot synchronize the HA peers.
  • Password for the Panorama admin administrator
For more information, see Panorama HA Prerequisites or Set Up HA on Panorama.
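
As an added example (not from Palo Alto Networks documentation or tooling): a Python check that compares configuration exports from both peers and separates differences in the peer-unique settings listed above from differences in settings that should have synchronized. The XML element paths, the partial path list, and both sample exports are constructed assumptions; confirm the paths against your own export.

```python
import xml.etree.ElementTree as ET

DEVCFG = "devices/entry[localhost.localdomain]/deviceconfig/"
# Assumed, partial paths for the peer-unique settings; verify against your own export.
PEER_UNIQUE = tuple(DEVCFG + p for p in (
    "high-availability", "system/ip-address", "system/login-banner", "system/ntp-servers",
    "system/timezone", "system/dns-setting", "system/permitted-ip", "system/snmp-setting",
    "system/update-schedule")) + ("mgt-config/users/entry[admin]/phash",)

# Constructed sample exports (not real configurations).
TEMPLATE = """<config>
 <mgt-config><users><entry name="admin"><phash>{phash}</phash></entry></users></mgt-config>
 <shared><address><entry name="dns-srv"><ip-netmask>{addr}</ip-netmask></entry></address></shared>
 <devices><entry name="localhost.localdomain"><deviceconfig>
  <system><ip-address>{mgmt}</ip-address><timezone>UTC</timezone></system>
  <high-availability><election-option><priority>{prio}</priority></election-option></high-availability>
 </deviceconfig></entry></devices>
</config>"""
ACTIVE = TEMPLATE.format(phash="$1$constructedA", addr="192.0.2.53/32", mgmt="198.51.100.10", prio="primary")
PASSIVE = TEMPLATE.format(phash="$1$constructedB", addr="192.0.2.54/32", mgmt="198.51.100.11", prio="secondary")

def flatten(elem, path=""):
    """Return {path: sorted leaf texts}; an entry's name attribute becomes part of its path."""
    leaves = {}
    for child in elem:
        seg = child.tag + (f"[{child.get('name')}]" if child.get("name") else "")
        here = f"{path}/{seg}" if path else seg
        if len(child):  # element has children: recurse and merge
            for key, values in flatten(child, here).items():
                leaves.setdefault(key, []).extend(values)
        else:           # leaf: record its text (repeated tags such as <member> accumulate)
            leaves.setdefault(here, []).append((child.text or "").strip())
    return {key: sorted(values) for key, values in leaves.items()}

def is_peer_unique(path):
    return any(path == p or path.startswith(p + "/") for p in PEER_UNIQUE)

def audit(active_xml, passive_xml):
    """Split differing paths into (expected, unexpected) per the peer-unique list."""
    a, b = flatten(ET.fromstring(active_xml)), flatten(ET.fromstring(passive_xml))
    diffs = sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))
    return ([p for p in diffs if is_peer_unique(p)],
            [p for p in diffs if not is_peer_unique(p)])

if __name__ == "__main__":
    expected, unexpected = audit(ACTIVE, PASSIVE)
    print("expected per-peer differences:", *expected, sep="\n  ")
    print("unexpected drift (should have synchronized):", *unexpected, sep="\n  ")
```

In the constructed samples, the shared address object differs between the peers, so it is reported as unexpected drift, while the management IP, HA priority, and admin password hash are reported as expected.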