https://live.paloaltonetworks.com/t5/general-topics/activ-passiv-cluster-police-in-sync-but-different-rule-handling/m-p/16880#M12290 <HTML><HEAD></HEAD><BODY><P><BR />Hi everyone,</P><P></P><P>some trouble if i turn the activ one to the passiv and vice versa. the policy was syncronized but the result was different.</P><P>Same rule and same source / destination and same App (ssh). in the unsuccessful log i can't either see session- id or outbound-interface.</P><P></P><P>successful</P><P><IMG alt="youcef-ok.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/11391_youcef-ok.PNG.png" style="width: 620px; height: 436px;" /></P><P></P><P>unsuccesful</P><P><IMG alt="youcef-nak.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/11392_youcef-nak.PNG.png" style="width: 620px; height: 434px;" /></P><P></P><P>both ports are identically configured and are up. I appreciated any assistance.</P><P>cheers Klaus</P></BODY></HTML> Fri, 31 Jan 2014 14:43:07 GMT kdd 2014-01-31T14:43:07Z https://live.paloaltonetworks.com/t5/general-topics/activ-passiv-cluster-police-in-sync-but-different-rule-handling/m-p/16880#M12290 <HTML><HEAD></HEAD><BODY><P><BR />Hi everyone,</P><P></P><P>some trouble if i turn the activ one to the passiv and vice versa. the policy was syncronized but the result was different.</P><P>Same rule and same source / destination and same App (ssh). in the unsuccessful log i can't either see session- id or outbound-interface.</P><P></P><P>successful</P><P><IMG alt="youcef-ok.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/11391_youcef-ok.PNG.png" style="width: 620px; height: 436px;" /></P><P></P><P>unsuccesful</P><P><IMG alt="youcef-nak.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/11392_youcef-nak.PNG.png" style="width: 620px; height: 434px;" /></P><P></P><P>both ports are identically configured and are up. I appreciated any assistance.</P><P>cheers Klaus</P></BODY></HTML> Fri, 31 Jan 2014 14:43:07 GMT https://live.paloaltonetworks.com/t5/general-topics/activ-passiv-cluster-police-in-sync-but-different-rule-handling/m-p/16880#M12290 kdd 2014-01-31T14:43:07Z https://live.paloaltonetworks.com/t5/general-topics/activ-passiv-cluster-police-in-sync-but-different-rule-handling/m-p/16881#M12291 <HTML><HEAD></HEAD><BODY><P>Hello Klaus,</P><P></P><P>Could you please check the routing table, if there is a valid route available through ethernet-1/5 for destination and sequence of the security policy on policy table. If possible, bring the Unix-admin rule in the top and verify the result.</P><P></P><P>CLI <SPAN class="GINGER_SOFTWARE_mark">command &gt; test</SPAN> security-policy-match source destination destination-port protocol.</P><P></P><P>Thanks</P></BODY></HTML> Fri, 31 Jan 2014 15:56:43 GMT https://live.paloaltonetworks.com/t5/general-topics/activ-passiv-cluster-police-in-sync-but-different-rule-handling/m-p/16881#M12291 HULK 2014-01-31T15:56:43Z https://live.paloaltonetworks.com/t5/general-topics/activ-passiv-cluster-police-in-sync-but-different-rule-handling/m-p/16882#M12292 <HTML><HEAD></HEAD><BODY><P>Hi Hulk,</P><P></P><P>all rules using FQDN generate fqdn request and this in cooperation with service route ( external-IF / untrust ) didn't work on the passiv firewall because this interface weren't up and no dns-request couldn't be satisfied.</P><P>Then it turned into activ-mode but the dns-refresh takes about 30 minutes ( or cli: request system fqdn refresh)</P><P>So to solve the problem i had to adjust the policy or and this is easier the service route (Mgmt-IF). Thanks for your support.</P><P></P><P>Regards Klaus</P></BODY></HTML> Thu, 06 Feb 2014 14:49:38 GMT https://live.paloaltonetworks.com/t5/general-topics/activ-passiv-cluster-police-in-sync-but-different-rule-handling/m-p/16882#M12292 kdd 2014-02-06T14:49:38Z