Pannorama and HA Cluster

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Pannorama and HA Cluster

L4 Transporter


i would like to know how the commit process works when i push commit on pannoaram to HA device group.

1) does Panorama send the configuration to both of the device and then commit it?

2) does Panorama send it only to one device and it commits it to the other device?

i have a situation of a PA HA cluster, and only one device was inserted to the Panorama and the result was that both of the device were synced but the policy was actually exists on one of the devices and on the other device there was no policy. from this i assume that panorama probably insert the serial number of the "to be deployed" PA device when it sends the policy to the device,

i would like see the white papers of this process

thank you



L4 Transporter


You would have to add both the serial numbers of the HA member device in order to push the config to them from the Panorama. If you send the configuration from the Panorama to only one device , the Panorama pushed  config does not sync up between two HA pairs. You can add the two devices in one device group and pushed the configuration to them.

What about if i have HA Cluster and i do service route for the Panorama through the untrust interface?

Panorama will see both of the device with the same IP right? so how will the configuration be pushed to both of the devices?

If you use untrust interface of the device as service route, the configuration will be pushed only to active device (assuming policies are configured correctly) because only 1 ip is active at a time for active/passive, even though you have same ip on both device.  Suggested configuration would be to use management interface itself. Since management ip address are unique for both device, you will not have any issues and will prevent extra bandwidth consumption on untrust interface.

Hope this helps.

it depands.... because panorama will also manage PA device through VPN  S2S and that will make my the connection between the panorama and the device rely on the VPN conneciton, so i cannot really move all the functionality from the device to the panorama

i would like to see that ability that Panorama will push the configuration to the active one and then the policy will be synced to the other one...

this is already done when i change for example the Interface of one PA device and push commit, the changed will also be done on the other device because most of the configuration are global to the HA Cluster, then the configuration can be done on a shared template for both of the device and specific configuration will be done on the device. (in all cases i am talking on active passive cluster)

Panorama pushed config does not sync over from the Active PA to the Passive PA.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!