09-21-2018 11:02 AM
I have setup an HA pair of 5220s and have them added in Panorama all running on 8.1.2. I have setup the Templates and can push out changes to the HA pair. I tried to push an IP change to a subinterface on the pair and though both Panorama and the HA Pair claim to have accepted and commited the changes, the HA Pair still has the old IPs and Pano has the new ones, so they are out of sync. I verified that the 5220s are not overridden on this setting and they claim to be using the template from Pano. I started looking through the template Capabilities and Exceptions and I came across this line "Configure the IP addresses of firewalls in an HA pair" as an exception. Just wanted to see if anyone else has run into this and if it applies to my situation.
09-21-2018 12:17 PM
There are some settings we recently ran into that did not take effect until we cycled the template button on the firewall.
Here is an example:
Device Tab >> Setup >> Interfaces
There are settings assigned to allow management from specific IP addresses on the Management interface. These settings are pushed out via Panorama and a device teamplate.
When we logged into the firewall and went to the same place, the "Permitted IP Addresses" list had our previous entries. We had to toggle the gear button "On" to allow the device template settings to override the values we had configured previously on the FW. It looks like that is a protection to prevent you from doing something silly and losing your initial values.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!