PA running-config Synchronisation

L1 Bithead

I have migrated an HA pair in Panorama.

Let's say I make some changes from Panorama and push to only the active device.

Now, with config sync enabled locally on the firewalls, will it sync the running config to the passive device? Panorama shows config out of sync on the passive device, which is fine as it's a one-way sync, but on the actual firewall will it be synchronised?


All Replies
Cyber Elite

Hello,

It will not sync since the PANs know they are managed by Panorama. Best is to either push to both, or set the two PANs on Panorama to be an HA pair. That way the Panorama knows they are an HA pair and will send the config to both devices.

Hope that helps.

L1 Bithead

Hi, thanks for the reply, but my doubt is this: though it doesn't get synchronised in Panorama / the Panorama-pushed config on the secondary device, ideally the firewall should then show a mismatch on HA status, but it shows synchronised. Does it mean the running-config on the device is synchronised but doesn't reflect in the Panorama-managed configuration on the device?

Cyber Elite

When you push the config from Panorama to, say, the active device only, then the passive device will not get the config.

On the PA you will see that the config is not in sync between the active and passive device.

HA status of both devices will show in sync as it does not care about configuration, if I am correct.

When you see config not in sync between active and passive, it means that the running config of both devices is not the same.

 

MP
L1 Bithead

In fact, I saw running-config was showing Synchronised on the firewalls when I pushed the configuration to only one of the devices from Panorama, though on the other device the configuration was not reflected on the GUI screen. Will do more testing if time permits.

Cyber Elite

I just tested in the lab.

You are correct: if you push config only to the active PA from Panorama, then both active and passive PA show running config in sync.

Candidate config is not the same on both PAs.

Whenever we do changes, we do them on the candidate config.

I checked: Panorama shows out of sync for the passive PA, as this is expected behavior when we only push config to the active PA from Panorama.

MP

L1 Bithead

Thanks for the confirmation by testing in the lab.

It's a little confusing sometimes while working with Panorama.
