https://live.paloaltonetworks.com/t5/panorama-discussions/master-device-in-panorama-device-group-if-using-dataplane/m-p/409548#M255 <P>Due to high cpu utilization in firewall , we want to use dataplane interface of firewall for user-id services.</P><P>Currently , when primary firewall failover to secondary we do not require to change master device in panorama device-group.</P><P>How panorama collecting user-id info if primary firewall which selected as a master in device-group becomes passive ?</P><P>What if Primary firewall goes completely down ?</P><P>If we use dataplane interface, do we require to change master device in Panorama device-group if failover happens ?&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Deepak_K_0-1622112578545.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/34110i12F0474FCA5E3F39/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Deepak_K_0-1622112578545.png" alt="Deepak_K_0-1622112578545.png" /></span></P><P>&nbsp;</P> Thu, 27 May 2021 10:50:14 GMT Deepak_K 2021-05-27T10:50:14Z https://live.paloaltonetworks.com/t5/panorama-discussions/master-device-in-panorama-device-group-if-using-dataplane/m-p/409548#M255 <P>Due to high cpu utilization in firewall , we want to use dataplane interface of firewall for user-id services.</P><P>Currently , when primary firewall failover to secondary we do not require to change master device in panorama device-group.</P><P>How panorama collecting user-id info if primary firewall which selected as a master in device-group becomes passive ?</P><P>What if Primary firewall goes completely down ?</P><P>If we use dataplane interface, do we require to change master device in Panorama device-group if failover happens ?&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Deepak_K_0-1622112578545.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/34110i12F0474FCA5E3F39/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Deepak_K_0-1622112578545.png" alt="Deepak_K_0-1622112578545.png" /></span></P><P>&nbsp;</P> Thu, 27 May 2021 10:50:14 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/master-device-in-panorama-device-group-if-using-dataplane/m-p/409548#M255 Deepak_K 2021-05-27T10:50:14Z https://live.paloaltonetworks.com/t5/panorama-discussions/master-device-in-panorama-device-group-if-using-dataplane/m-p/409635#M256 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/62177">@Deepak_K</a>&nbsp;</P> <P>Sorry for asking, but how should using dp interface for user-id help with reducing the load on the cpu?</P> <P>The master device is defined by firewall serial number, so it does not matter if you use cp or dp interface. The user-id information is collected from this specified master device, so if the master goes down panorama is no longer able to collect these informations.</P> Thu, 27 May 2021 16:33:57 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/master-device-in-panorama-device-group-if-using-dataplane/m-p/409635#M256 Remo 2021-05-27T16:33:57Z https://live.paloaltonetworks.com/t5/panorama-discussions/master-device-in-panorama-device-group-if-using-dataplane/m-p/409659#M257 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/62177">@Deepak_K</a> ,</P><P>I am only guessing, but:</P><P>- If you use dataplane interface for user-id in active-passive HA both devices will use same ip address so in case of failover the backup should establish connection to the server/user-id agent</P><P>- User-ID information is synced between members in active-passive HA.</P><P>&nbsp;</P><P>So in theory in case of failover, secondary device will get user-id info monitored server/user-id agent and sync it to primary member, which Panorama will still use. But this is valid of the primary FW is still alive (listed as passive in the HA cluster) and able to communicate with Panorama.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 27 May 2021 17:00:51 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/master-device-in-panorama-device-group-if-using-dataplane/m-p/409659#M257 aleksandar.astardzhiev 2021-05-27T17:00:51Z https://live.paloaltonetworks.com/t5/panorama-discussions/master-device-in-panorama-device-group-if-using-dataplane/m-p/411084#M258 <P>Thanks Alexander,</P><P>User-id(users/group) info from primary to panorama will sync via which interface mgmt or dataplane?</P><P>Condition: service route on HA pair for LDAP and uid service is on dataplane interface. Master device in Panorama device-group is primary firewall and now secondary firewall is active</P> Fri, 04 Jun 2021 05:46:32 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/master-device-in-panorama-device-group-if-using-dataplane/m-p/411084#M258 Deepak25 2021-06-04T05:46:32Z