https://live.paloaltonetworks.com/t5/general-topics/issue-on-updating-cert-on-palo-alto-fw-pair/m-p/284983#M76374 <P>I got an issue to update a cert on PA pair.</P><P>The issue is very similar to what it describes under</P><P><A href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail%3Fid%3DkA10g000000CldECAS&amp;data=02%7C01%7Csupport-anz%40arrow.com%7Cb86cf9c84b794b9df64908d727992a0f%7C0beb0c359cbb4feb99e5589e415c7944%7C1%7C0%7C637021411098632394&amp;sdata=R%2BR9Ym0BrWpbtywbD2NvHLAgz1X1lS93sZGQPMwO08A%3D&amp;reserved=0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldECAS</A></P><P>I import the new cert to both PA FW units and change config to use the new cert. However it comes with config out-of-sync issue and somehow the new cert on passive unit is removed after committing config.</P><P>any fix for the issue?</P> Mon, 26 Aug 2019 06:45:18 GMT Jatin.Singh 2019-08-26T06:45:18Z https://live.paloaltonetworks.com/t5/general-topics/issue-on-updating-cert-on-palo-alto-fw-pair/m-p/284983#M76374 <P>I got an issue to update a cert on PA pair.</P><P>The issue is very similar to what it describes under</P><P><A href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail%3Fid%3DkA10g000000CldECAS&amp;data=02%7C01%7Csupport-anz%40arrow.com%7Cb86cf9c84b794b9df64908d727992a0f%7C0beb0c359cbb4feb99e5589e415c7944%7C1%7C0%7C637021411098632394&amp;sdata=R%2BR9Ym0BrWpbtywbD2NvHLAgz1X1lS93sZGQPMwO08A%3D&amp;reserved=0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldECAS</A></P><P>I import the new cert to both PA FW units and change config to use the new cert. However it comes with config out-of-sync issue and somehow the new cert on passive unit is removed after committing config.</P><P>any fix for the issue?</P> Mon, 26 Aug 2019 06:45:18 GMT https://live.paloaltonetworks.com/t5/general-topics/issue-on-updating-cert-on-palo-alto-fw-pair/m-p/284983#M76374 Jatin.Singh 2019-08-26T06:45:18Z https://live.paloaltonetworks.com/t5/general-topics/issue-on-updating-cert-on-palo-alto-fw-pair/m-p/285132#M76387 <P>This is what I would do (thinking out of the box)</P><P>If HA firewalls....</P><P>&nbsp;</P><P>Export the configurtion from the active FW.</P><P>&nbsp;</P><P>Import the configuration in the passive FW</P><P>Now, both FWs have 100% the exact config.</P><P>&nbsp;</P><P>On the passive FW, change the config to modify/update the config to use the original mgmt IP</P><P>On the passive FW, because it has the exact HA configuration as the active FW, modify it so that is has the orignal HA settings that the standby FW would have.</P><P>&nbsp;</P><P>Commit on the standby</P><P>&nbsp;</P><P>Now, you have the cert on both FWs</P><P>&nbsp;</P> Mon, 26 Aug 2019 20:20:26 GMT https://live.paloaltonetworks.com/t5/general-topics/issue-on-updating-cert-on-palo-alto-fw-pair/m-p/285132#M76387 S.Cantwell 2019-08-26T20:20:26Z