06-18-2020 07:09 AM
I have migrated an HA pair in Panorama.
Let's say I make some changes from Panorama and push to only the active device.
Now, with config sync enabled locally on the firewalls, will it sync the running config to the passive device? Panorama shows the config as out of sync on the passive device; that's fine as it's a one-way sync, but on the actual firewall will it be synchronised?
06-18-2020 08:29 AM
Hello,
It will not sync since the PANs know they are managed by Panorama. Best is to either push to both, or set the two PANs on Panorama to be an HA pair. That way the Panorama knows they are an HA pair and will send the config to both devices.
Hope that helps.
06-18-2020 08:46 AM
Hi, thanks for the reply, but my doubt is: though it doesn't get synchronised in Panorama / Panorama-pushed config on the secondary device, ideally the firewall should show a mismatch on HA status, but it shows synchronised. Does it mean the running-config on the device is synchronised but doesn't reflect in the Panorama-managed configuration on the device?
06-18-2020 09:01 PM
When you push the config from Panorama to, say, the active device only, then the passive device will not get the config.
On the PA you will see that the config is not in sync between the active and passive device.
HA status of both devices will show in sync as it does not care about configuration, if I am correct.
When you see config not in sync between active and passive, it means that the running config of both devices is not the same.
06-18-2020 11:40 PM
In fact, I saw running-config was showing Synchronised on the firewalls when I pushed the configuration to only one of the devices from Panorama, though on the other device the configuration was not reflecting on the GUI screen. Will do more testing if time permits.
06-19-2020 08:49 AM
I just tested in the lab.
You are correct: if you push config only to the active PA from Panorama, then both the active and passive PA show the running config in sync.
The candidate config is not the same on both PAs.
Whenever we make changes, we make them on the candidate config.
I checked, and Panorama shows out of sync for the passive PA, as this is expected behavior when we only push config to the active PA from Panorama.
06-19-2020 08:56 AM
Thanks for the confirmation by testing in the lab.
It's a little confusing sometimes while working with Panorama.