07-02-2024 01:37 AM
Hi,
We have two FW PA460 in HA, one active and another one passive. We have several issues related to configuration synchronization and HA:
1- Synchronization before a commit can take us up to 8 minutes. With the old FW the commit was in less than a minute and with these newer models we have gotten worse. It wouldn't affect us if it weren't that in cases like FW OS updates we are out of service, and we think this time should be improvable by this model.
2- When there is a change from passive-active and active-passive we have a network cut of between 3 and 4 minutes. We have verified that it is not the LACP negotiation of the IFs but rather the FWs that are taking all this time to realize the cut or to make the change. HA is not useful to us if it takes 4 minutes to make the change. We bought both PA460s instead of just one so we could have HA and we're not getting the benefit of it. We have been advised that it appears to be a bug on the PA460/400, but after a year (we installed the FWs in June/July 2023) we still have the problem despite receiving updates.
3- We have certificates installed in "ghost" FWs that we don't see in the GUI. We created these a few months ago and they didn't show up once generated, but they are present in the config XML. We see it in two places:
A) When we commit we get warnings indicating that we have 3 duplicate certificates but we only have one in the GUI in "Device > Certificates".
B) From the CLI listing the certificates we have different unique certificates that we don't see in the GUI but we do in the CLI.
Any idea? I already detected PanOS > 9.1 are much lower than previous versions 😞