High-Availability - Out of sync peers - Dynamic Content
20962
Created On 04/25/22 17:58 PM - Last Modified 08/23/23 22:42 PM
Symptom
Alert regarding "Out of Sync Peers - Dynamic Content"
Environment
- PAN-OS
- High-availability
Cause
The Dynamic content version of one device in a high-availability setup is different then the Dynamic content version of the other peer.
Resolution
- Login to the UI of the "active" Firewall for A/P setup ("active primary" Firewall for A/A setup) and under the Dashboard tab check the high-availability widget.
- Check the red circle(s) for one or many of the following Dynamic updates: App Version, Threat Version, Antivirus Version and GlobalProtect Version to see which Dynamic update doesn't have the same version installed on both peers.
- Hoover your mouse over the red circle(s) mentioned above to see which version is installed on the local firewall versus the peer.
- Match the Dynamic update versions between the firewalls in the HA setup:
- For locally managed firewalls, by downloading and installing the dynamic update under Device> Dynamic Updates:
- For A/P setup it is recommended to match the "passive" dynamic update version with the "active" by installing on the "passive" firewall the same content version as the one installed on the "active".
- For A/A since both firewalls are passing the traffic best to schedule time outside the office hours to match the content version between the firewalls by updating the one that has the lowest version to match the one that has the higher version.
- For Panorama managed firewalls where Dynamic Updates are scheduled to be pushed by Panorama, by downloading if needed the dynamic update under Panorama UI > Panorama> Device deployment> Dynamic Updates then clicking install and selecting the firewall that needs to match the same version of the content update of its peer.
- For A/P setup it is recommended to match the "passive" dynamic update version with the "active".
- For A/A since both firewalls are passing the traffic best to schedule time outside the office hours to match the content version between the firewalls by updating the one that has the lowest version to match the one that has the higher version.
- To avoid this mismatch of dynamic content issue from reoccurring.
- For locally managed firewalls make sure that only the primary firewall has a schedule for dynamic update and the sync to peer is selected under the schedule Device>Dynamic Updates. Or if needed to schedule also a dynamic update for the secondary firewall then make sure that the schedule is different with a minimum gap of 30 minutes and that the sync to peer is checked see KB article Scheduled Dynamic Updates In An HA Environment.
- For Panorama managed firewalls and where the Dynamic update is pushed from Panorama make sure that the same schedule is applied to both firewalls in HA.
Additional Information
For more information about:
Panorama Schedule Dynamic Content Updates visit Schedule Dynamic Content Update and Schedule a Content Update Using Panorama.
Dynamic Content Updates visit Dynamic Content Updates.
Local Schedule Dynamic Content Updates visit Deploy Applications and Threats Content Updates