Reason for out of sync message in Panorama?


L1 Bithead

I didn't see anything for this in the Pano admin guide or in other discussions here, but how can I see the reason for an "Out of sync" message in the device summary list in Panorama? 

Accepted Solution

Cyber Elite

@Mr_Kaplan,

 

Whenever there are any changes committed on Panorama but not yet committed on the managed gateways, those managed devices show "out of sync" under device summary. It depends on where the changes are made: if changes are made under a device group and committed on Panorama, then only the device group policy will show out of sync, and if changes are made under a template then the template will show as out of sync. And if changes are made on both (device group and template), then both will show out of sync.

Unless and until you commit all those changes on the managed gateway using the Push to Devices option under Panorama, it will not show in sync. If you're not sure what changes were made on Panorama in that particular DG, template or both, you can preview those changes.

Please follow the steps below to preview changes.

On Panorama:

1. Go to the Commit option and select the Push to Devices option

2. You'll see the desired DG/Template which is out of sync

3. Go to Edit Selections and select Preview Changes for the out of sync device

4. Choose the number of context lines to display configuration differences between Panorama and the managed device.

 

NOTE - You may need to allow pop-ups to display preview changes.

 

Hope it helps!

Mayur

 

 

Mayur.S


Is there a way in which we can get an automated email from Panorama that the FW templates are out of Sync?

So we are having out of sync on 1 firewall and not the other. These are VM-Series in AWS and managed by Panorama. Version 1043 is the in sync FW, version 1034 is the out of sync firewall. We tried to force to the out of sync FW but it just keeps failing.

L5 Sessionator

Hello @MatthewKruc1177

 

Could you please check the reason why the configuration push is failing from Panorama to this firewall? You can recall details of the last failure from:

Panorama > Managed Devices > Summary > [Search firewall that is out of sync] and navigate to Shared Policy Last Commit State / Template Last Commit State, then copy the details from the Last Push State Details window.

There are many reasons why a managed firewall gets out of sync, but getting the details of the failure would be a starting point. Also make sure that Panorama is running a higher or the same PAN-OS version as the managed firewall.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Because of the Log4j we only upgraded the Panorama to 10.1.3-h1 and fws are 10.0.6.

Hello @Shikha652

 

I am not aware of any built-in Panorama feature to get an alert for out of sync firewalls; however, you could get around it by setting up an email alert against system logs. The reason why out of sync happens is that changes that are committed to Panorama's Device Group/Template are not pushed to managed firewalls. If the push fails, there is a system log generated. For example, the filter below:

[Screenshot of the example system log filter: PavelK_0-1640057337187.png]

Kind Regards

Pavel

 

Help the community: Like helpful comments and mark solutions.
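A scripted version of the out-of-sync check discussed in this thread, added here as an example (not posted by any participant and not Palo Alto Networks code): it parses a device-status reply and reports, per firewall, whether the device group, the template, or both are out of sync. The XML sample is constructed, and its element names (`shared-policy-status`, `template-status`, `connected`) are assumptions to confirm against your own Panorama's output.

```python
import xml.etree.ElementTree as ET

# Constructed sample reply. Element names are assumptions, not taken from
# the thread; compare with what your Panorama actually returns.
SAMPLE_XML = """\
<response status="success"><result><devices>
  <entry name="007000000000001">
    <hostname>fw-aws-a</hostname><connected>yes</connected>
    <shared-policy-status>In Sync</shared-policy-status>
    <template-status>In Sync</template-status>
  </entry>
  <entry name="007000000000002">
    <hostname>fw-aws-b</hostname><connected>yes</connected>
    <shared-policy-status>Out of Sync</shared-policy-status>
    <template-status>In Sync</template-status>
  </entry>
  <entry name="007000000000003">
    <hostname>fw-dc-1</hostname><connected>no</connected>
    <shared-policy-status>Out of Sync</shared-policy-status>
    <template-status>Out of Sync</template-status>
  </entry>
</devices></result></response>
"""

# Status element -> the scope it describes (device group vs. template).
SCOPES = {"shared-policy-status": "device group", "template-status": "template"}

def out_of_sync(xml_text):
    """Return {hostname: [problems]} for every device that is not fully in sync."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("reply was not status=success")
    drift = {}
    for dev in root.iter("entry"):
        host = dev.findtext("hostname") or dev.get("name")
        # A missing status element counts as out of sync (fail closed).
        stale = [label for tag, label in SCOPES.items()
                 if (dev.findtext(tag) or "").strip().lower() != "in sync"]
        if dev.findtext("connected") != "yes":
            stale.append("disconnected")  # a push cannot reach this device
        if stale:
            drift[host] = stale
    return drift

def alert_body(drift):
    """Render the drift report as plain text, e.g. for an email alert."""
    return "\n".join(f"{h}: {', '.join(p)}" for h, p in sorted(drift.items()))

if __name__ == "__main__":
    print(alert_body(out_of_sync(SAMPLE_XML)))
```
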

L0 Member

The reason for the failure is given in the message. Here are some checks that should be made when Panorama is out of sync with one of many managed.
