I have always made it my practice to do the configuration and changes on the primary device, which is then responsible for pushing the configuration to the secondary device. But I have also seen people do the configuration on the secondary devices, be it Juniper, F5, or Palo, and they really don't consider the active/passive state, and I have not seen them encounter any issue doing this either. I wanted to check with you all whether there is really a problem, or whether it is always safe to do this without running into any kind of mess. The HA state always says peer, so can it be done either way? If there were any problem with this, maybe the code developers would have restricted it when they created it.
@Gchander As long as you have HA "config sync" enabled, you can make changes on any of the HA members and the config will be synced across to the peer.
But isn't it recommended to always do the config on the active? If so, I'm curious to find out why it is recommended, and whether there is any kind of obligation!
@Gchander Strictly speaking, configuration can be applied on any member, but yes, it is better to work on the Active in Active/Passive when there is no Panorama. It is because it is the firewall processing traffic, and also some services run on the Active. So, for example, if you make a policy change, you can only check the traffic logs on the Active member to verify the result.