Is Content Database Sync Recommended in an HA Environment?

Created On 09/25/18 19:25 PM - Last Modified 06/13/23 13:38 PM


Resolution


Generally, it is recommended that each device in an HA cluster retrieve its own dynamic updates. Sync-to-peer is intended for use when the HA secondary has no path to the internet from its management interface. In this scenario, the primary must push the dynamic updates to the secondary. Remember that the secondary may have no active dataplane interfaces while it is in passive mode.

 

If both units can reach the PA update servers from their management interfaces, Palo Alto Networks suggests that you stagger the download and install times and not use the sync-to-peer feature. This allows for easy failover to the passive unit if a problem occurs on the primary during the update or arises after the update. When the updates are staggered, the download-and-install times should be at least 30 minutes apart between HA members, so that the update can download and install on one unit before the process begins on the peer.
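The following audit sketch is an added example, not Palo Alto Networks code. It checks an HA pair against the guidance above, including schedules that straddle midnight. The dictionary layout, device names and times are constructed for illustration and are not a PAN-OS format; daily schedules are assumed.

```python
from datetime import datetime

MIN_GAP_MINUTES = 30      # minimum stagger stated in the article
DAY_MINUTES = 24 * 60

def minutes_of_day(hhmm):
    """Convert 'HH:MM' to minutes after midnight (ValueError on bad input)."""
    t = datetime.strptime(hhmm, "%H:%M")
    return t.hour * 60 + t.minute

def circular_gap(a, b):
    """Shortest distance in minutes between two daily times, across midnight."""
    d = abs(minutes_of_day(a) - minutes_of_day(b))
    return min(d, DAY_MINUTES - d)

def audit_ha_pair(primary, secondary):
    """Return findings for one HA pair. Each argument is a hypothetical dict with
    keys: name, reaches_update_server, sync_to_peer, daily_at ('HH:MM')."""
    findings = []
    if primary["reaches_update_server"] and secondary["reaches_update_server"]:
        # Both can download: no sync-to-peer, and schedules must be staggered.
        for dev in (primary, secondary):
            if dev["sync_to_peer"]:
                findings.append(f"{dev['name']}: sync-to-peer enabled but both peers can download")
        gap = circular_gap(primary["daily_at"], secondary["daily_at"])
        if gap < MIN_GAP_MINUTES:
            findings.append(f"schedules {gap} min apart, need at least {MIN_GAP_MINUTES}")
        return findings
    # One peer has no path from its management interface: the other must push.
    for dev, peer in ((primary, secondary), (secondary, primary)):
        if not dev["reaches_update_server"]:
            if not (peer["reaches_update_server"] and peer["sync_to_peer"]):
                findings.append(f"{dev['name']}: no update path and {peer['name']} does not sync to it")
    return findings

# Constructed sample inventory (not real device output).
FW_A = {"name": "fw-a", "reaches_update_server": True, "sync_to_peer": True, "daily_at": "23:50"}
FW_B = {"name": "fw-b", "reaches_update_server": True, "sync_to_peer": False, "daily_at": "00:10"}

if __name__ == "__main__":
    for finding in audit_ha_pair(FW_A, FW_B):
        print(finding)
```

The sample pair is flagged twice: fw-a has sync-to-peer enabled although both units can download, and the 23:50 and 00:10 schedules are only 20 minutes apart once the midnight wrap is taken into account.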

 

owner: djipp


