05-15-2020 01:20 PM
I didn't see anything for this in the Pano admin guide or in other discussions here, but how can I see the reason for an "Out of sync" message in the device summary list in Panorama?
05-17-2020 01:53 AM
Whenever there are any changes committed under Panorama but yet to be committed on managed gateways, then those particular managed devices show "out of sync" under device summary. Now it depends where changes are made: if changes are made under Device group and those changes are committed on Panorama, then only device group policy will show out of sync, and if changes are done under template then template will show as out of sync. And if changes are done on both (device group and Template), then both will show out of sync.
Unless and until you commit all those changes on managed gateway using Push to devices option under Panorama, it will not show in sync. If you're not sure what changes are made on Panorama in that particular DG, Template or both, you can preview those changes.
Please follow below steps to preview changes,
On Panorama,
1. Go to the commit option and select the Push to devices option
2. You'll see the desired DG/Template which is out of sync
3. Go to Edit Selections and select Preview Changes for the out of sync device
4. Choose the number of context lines to display configuration differences between Panorama and Managed device.
NOTE - You may need to allow pop-ups to display preview changes.
Hope it helps!
Mayur
10-15-2020 10:00 AM
Is there a way in which we can get an automated email from Panorama that the FW templates are out of Sync?
12-20-2021 06:28 PM
So we are having out of sync on 1 firewall and not the other; these are VM-Series in AWS and managed by Panorama. Version 1043 is the in sync FW, version 1034 is the out of sync firewall. We tried to force to the out of sync FW but it just keeps failing.
12-20-2021 07:00 PM
Hello @MatthewKruc1177
Could you please check the reason why configuration pushing is failing from Panorama to this Firewall? You can recall details of the last failure from:
Panorama > Managed Devices > Summary > [Search firewall that is out of sync] and navigate to Shared Policy Last Commit State / Template Last Commit State, then copy details from: Last Push State Details window.
There are many reasons why a managed Firewall gets out of sync, but getting details of the failure would be the starting point. Also make sure that Panorama is running a higher or the same PAN-OS version as the managed Firewall.
Kind Regards
Pavel
12-20-2021 07:15 PM
Because of the Log4j we only upgraded the Panorama to 10.1.3-h1 and fws are 10.0.6.
12-20-2021 07:30 PM
Hello @Shikha652
I am not aware of any built-in Panorama feature to get an alert for out of sync Firewalls, however you could get around it by setting up an email alert against system logs. The reason why out of sync happens is because changes that are committed to Panorama's Device Group/Template are not pushed to managed Firewalls. If the push fails, there is a system log generated. For example below filter:
Kind Regards
Pavel
10-24-2022 12:59 PM
Hello guys,
I have a similar problem.
When I make the commit, two firewalls (HA) of a device group fail, and I could verify that the Shared Policy is out of Sync (version 1024), and Template Policy Sync ok (version 1054).
I've seen the settings, but I don't know what to do for them to get Sync ok.
Can you help me?
10-24-2022 06:27 PM
Hello @Wilian1984
I would suggest navigating to: Panorama > Managed Devices > Summary > then click on "commit failed" to get detailed information on what prevented a successful push in the Device Group. Based on details of the error, I would move troubleshooting further.
Kind Regards
Pavel
10-26-2022 11:49 AM
Hello PavelK, and thank you!
I found:
Error: application 'ntp-base' not found
(Module: device
Commit failed
There is only the object of this base ntp.
11-16-2022 06:29 AM
Hello,
I had the same issue; the solution was updating the dynamic updates to the latest one.
11-30-2022 04:14 AM
"out of sync" status under Panorama is specific to config changes done under device group and/or template on Panorama but not committed the changes to the respective devices.