Applications and Threats Error "Configuration changes not allowed on the passive Panorama"

Applications and Threats Error "Configuration changes not allowed on the passive Panorama"

16107
Created On 01/24/20 08:23 AM - Last Modified 07/31/24 20:31 PM


Symptom


  • When trying to download or install "Applications and Threats" from Panorama > Dynamic Updates on the Passive Panorama configured in HA, the following error is seen.
Error
Configuration changes not allowed on the passive Panorama
User-added image
  • Downloading Antivirus or WildFire updates work fine on the same passive device.

Environment


  • Multiple Panorama devices configured in HA

Cause


This would happen because the commit changes are not allowed in HA Passive Panorama.
The active peer handles all the configuration changes and pushes them to the managed firewalls; the passive peer cannot make any configuration changes or push configuration to the managed firewalls.

See following links for Panorama Failover for more details.
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-high-availability/priority-and-failover-on-panorama-in-ha

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-high-availability/manage-a-panorama-ha-pair/test-panorama-ha-failover

AntiVirus and WildFire update does not affect the configuration, but Apps and Threats may cause the configuration change.
So it is not allowed in HA Passive Panorama.
 

Resolution


If you would like to update Applications and Threats from HA Panorama pair, please proceed it in HA Active Panorama side using "Sync to HA Peer" option.
  1. From Active Panorama WebGUI, go to Panorama > Dynamic Updates > Applications and Threats 
  2. Click Download, then (once download completes) click Install 
  3. Check Sync to HA Peer, and click "Continue Installation"
User-added image

Additional Information


If the Active Panorama already has the Application and Threats version installed, you will need to re-install in order to "Sync to HA Peer"
  1. On the Active Panorama, click Install From File button at bottom of Dynamic Updates page
  2. On Package Type, select Applications and Threats, click OK
  3. Select the File Name that is currently installed, check "Sync to HA Peer", click OK
Install Application and Threats from file
 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POO5CAO&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language