How to change pan-agent priority?

sw-version: 3.1.12

sw-version: 3.1.12

Given the command below, how do I force server01 to be the primary pan-agent without any disruption?

> show user pan-agent statistics

Timer: interval of group membership retrieval
State: *:primary pan-agent to retrieve group membership
---------------- --------------- ----- ------- ------------------ ------ ------ -------- -------- -------- --------------- -----
Name             IP Address      Port  Vsys     State             Users  Grps   IPs      Activity Timer(s) Domain          Index
---------------- --------------- ----- ------- ------------------ ------ ------ -------- -------- -------- --------------- -----
server02    6667  vsys1   *connected, ok     716    508    61       104139   600      mydomain             0   
server01    6667  vsys1    connected, ok     0      0      48       103712   600      mydomain             1

Re: How to change pan-agent priority?

On 3.1.12 code we do not have any options to fail over the agents and if you should, there should not be any disruptions if failing over to the other agent as they should be identical.

I would recommend a request for an enhancement request to get such a command.

In the earlier versions of Pan OS the priority is based off of when the devices were entered into the firewall.  However, in the new 5.0 version you can configure this with the custom agent sequence option.

This option allows you to define the sequence order in which the User-ID agent profiles will connect to the defined server. For example, if you have four agents identified in the sequence list, it will attempt to connect to the first agent listed, if that connection fails, it will connect to the next agent listed, and so on. If this option is not configured, the connection sequence will follow the order of the agents listed in the main page

