Reason for out of sync message in Panorama?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Reason for out of sync message in Panorama?

L1 Bithead

I didn't see anything for this in the Pano admin guide or in other discussions here, but how can I see the reason for an "Out of sync" message in the device summary list in Panorama? 

1 accepted solution

Accepted Solutions

L6 Presenter

@Mr_Kaplan,

 

Whenever there are any changes committed under Panorama but yet to be commit it on managed gateways then that particular managed devices shows  "out of sync" under device summary. Now it depends where changes are made, if changes are made under Device group and committed those changes on Panorama, then only device group policy will show out of sync, and if changes are done under template then template will show as out of sync. And if changes are done on both (device group and Template), then both will show out of sync.

 

Unless and until you commit all those changes on managed gateway using Push to devices option under Panorama, it will not show in sync. If you're not sure what changes are made on Panorama in that particular DG, Template or both, you can preview those changes.

Please follow below steps to preview changes,

 

On Panorama,

1. Goto commit option and select Push to devices option

2. You'll see desired DG/Template which is out of sync

3. Goto Edit Selections and select Preview Changes for the out of sync device

4. Choose the number of context lines to display configuration differences between Panorama and Managed device.

 

NOTE - You may need to allow pop-ups to display preview changes.

 

Hope it helps!

Mayur

 

 

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

View solution in original post

11 REPLIES 11

L6 Presenter

@Mr_Kaplan,

 

Whenever there are any changes committed under Panorama but yet to be commit it on managed gateways then that particular managed devices shows  "out of sync" under device summary. Now it depends where changes are made, if changes are made under Device group and committed those changes on Panorama, then only device group policy will show out of sync, and if changes are done under template then template will show as out of sync. And if changes are done on both (device group and Template), then both will show out of sync.

 

Unless and until you commit all those changes on managed gateway using Push to devices option under Panorama, it will not show in sync. If you're not sure what changes are made on Panorama in that particular DG, Template or both, you can preview those changes.

Please follow below steps to preview changes,

 

On Panorama,

1. Goto commit option and select Push to devices option

2. You'll see desired DG/Template which is out of sync

3. Goto Edit Selections and select Preview Changes for the out of sync device

4. Choose the number of context lines to display configuration differences between Panorama and Managed device.

 

NOTE - You may need to allow pop-ups to display preview changes.

 

Hope it helps!

Mayur

 

 

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

Is there a way in which we can get an automated email from Panorama that the FW templates are out of Sync?

So we are having out of sync on 1 firewall and not the other these are vm-series in AWS and managed by Panorama. version 1043 is the in sync fw, version 1034 is the out of sync firewall. We tried to force to the out of sync fw but just keeps failing.

Matthew Kruckenberg

Cyber Elite
Cyber Elite

Hello @MatthewKruc1177

 

could you please check reason why configuration pushing is failing from Panorama to this Firewall? You can re-call details of last failure from:

 

Panorama > Managed Devices > Summary > [Search firewall that is out of sync] and navigate to Shared Policy Last Commit State / Template Last Commit State, then copy details from: Last Push State Details window.

 

There are many reasons why managed Firewall gets out of sync, but getting details of failure would be starting point. Also make sure that Panorama is running higher or the same PAN-OS version than managed Firewall.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Because of the Log4j we only upgraded the Panorama to 10.1.3-h1 and fws are 10.0.6.

Matthew Kruckenberg

Hello @Shikha652

 

I am not aware of any built-in Panorama feature to get alert for out of sync Firewalls, however you could get around it by setting up email alert against system logs. The reason why out of sync happens is because changes that are committed to Panorama's Device Group/Template are not pushed to managed Firewalls. If the push fails, there is an system log generated. For example below filter:

 

PavelK_0-1640057337187.png

Kind Regards

Pavel

 

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Hello guys,

 

have a similar problem.
When I make the commit, two firewalls (HA) of a device group fail, and I could verify that the Shared Policy is out of Sync (version 1024), and Template Policy Sync ok (version 1054).
I've seen the settings, but I don't know what to do for them to get Sync ok.

 

Can you help me?

 

Cyber Elite
Cyber Elite

Hello @Wilian1984

 

I would suggest to navigate to: Panorama > Managed Devices > Summary > then click on "commit failed" to get detailed information what prevented successful push in Device Group. Based on details of the error, I would move troubleshooting further.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Hello PavelK, and Thankyou!

 

I found :

 

 

 

  • Error: application 'ntp-base' not found

  • (Module: device

  • Commit failed

  • There is only the object of this base ntp. 

     

  •  

  •  

Hello,

 

I have the same issues; the solution was updating the dynamics updates with latest one.

L6 Presenter

@MPappachan 

 

"out of sync" status under Panorama is specific to config changes done under device group and/or template on Panorama but not committed the changes to the respective devices.

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks
  • 1 accepted solution
  • 64231 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!