12-26-2023 10:09 AM - edited 12-26-2023 10:11 AM
Hi all,
I have a PA-220 HA pair without licenses running on PANOS 9.1.13-h3. Recently I had an issue with an HA passive firewall, so it had to be replaced. I extracted the active firewall's running-config and uploaded it into the new passive one. I was able to synchronize the App&Threat version by re-installing the active FW's current version. I have 2 problems now:
1. Whenever I execute the command request high-availability sync-to-remote running-config I keep getting the error
Server error : Failed to synchronize running configuration with HA peer; operation not allowed: Version mismatch with Peer for DLP
I do not have DLP configured on this FW, nor do I see any tab to do it.
2. Apparently, neither FW has any Antivirus version installed, but when I execute show system info on the active one, I have this output:
I tried deleting the actual AV version but the file doesn't seem to exist, I don't see any files to actually delete.
My hypothesis is that I can't sync both firewalls until the AV version is matched, but I'm not really sure.
Does anyone have an idea of what could be wrong here?
12-29-2023 05:49 AM
I'm updating this with a possible solution for this problem that worked for me. The problematic device was used for labs before it was sent to production. In the lab we used PANOS 10, where the DLP plugin was automatically installed. I downgraded the device to PANOS 9 as the active one in production was already on that version. The DLP plugin is not deleted automatically when you downgrade, so there's the root of the problem.
For the HA pair to synchronize properly I had to upgrade the firewall back to PANOS 10 and manually delete the DLP plugin. Then I went back to the current PANOS 9 version, and then I could synchronize as normal.
12-27-2023 12:11 PM
Hi @JuanFelipeAyala ,
Can you speak more about your firewalls being unlicensed? It looks like you at least have threat prevention and URL-filtering. Before setting up your transfer device, I would recommend following How to Configure and RMA replacement firewall. The replacement device must be set up with the previous firewalls' licenses. As far as HA is concerned, both firewalls should have an identical set of licenses as well as matching versions for app, threat, antivirus, and PAN-OS. Once you can get the antivirus matched, I would check to see if you have any additional errors when trying to sync HA.
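The version check recommended in the reply above can be scripted before attempting a sync. This is an added example, not part of the original thread: it compares the version fields of `show system info` output saved from each peer. The sample outputs are constructed (only the PAN-OS version comes from the thread), and the function names are hypothetical.

```python
import re

# Fields of `show system info` that the reply says must match across HA peers.
HA_VERSION_FIELDS = ("sw-version", "app-version", "threat-version", "av-version")

def parse_system_info(text):
    """Parse the 'key: value' lines of `show system info` output into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9-]+):\s*(.*?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info

def ha_version_mismatches(active_text, passive_text, fields=HA_VERSION_FIELDS):
    """Return {field: (active, passive)} for each field that differs or is missing."""
    active = parse_system_info(active_text)
    passive = parse_system_info(passive_text)
    mismatches = {}
    for field in fields:
        a, p = active.get(field), passive.get(field)
        if a is None or p is None or a != p:
            mismatches[field] = (a, p)
    return mismatches

# Constructed sample output; content versions below are made up for illustration.
ACTIVE = """\
hostname: fw-active
model: PA-220
sw-version: 9.1.13-h3
app-version: 8790-8400
threat-version: 8790-8400
av-version: 4675-5193
"""
PASSIVE = """\
hostname: fw-passive
model: PA-220
sw-version: 9.1.13-h3
app-version: 8790-8400
threat-version: 8790-8400
av-version: 0
"""

if __name__ == "__main__":
    for field, (a, p) in ha_version_mismatches(ACTIVE, PASSIVE).items():
        print(f"MISMATCH {field}: active={a} passive={p}")
```

This only covers the content and software versions; it does not look at installed plugins, which were the cause of the DLP error in this thread.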