Panorama template status becomes out-of-sync with master key encryption level 2

Created On 12/19/24 22:46 PM - Last Modified 07/29/25 09:14 AM


Symptom


• Templates go out of sync, even after pushing them back in sync with Panorama
• The only config difference seen is password hash values / secrets changing
• No config changes have been made by the admin



Environment


• Any Panorama
• PAN-OS 10.0+
• Master Key level set to 2



Cause


  • When the master key level is changed to level 2 (default is level 0), various "template-config-generation" scenarios cause secrets in the config to be re-hashed and changed
  • The changed secret values cause the Panorama template to become out of sync
  • Various scenarios can trigger template-config-generation:
    • Changes to the device-group or shared config linked to the template
    • Changes to other templates that are part of the stack (e.g., a referenced template is modified)
    • HA sync from peer Panorama
  • When the encryption level is 0, template-config-generation produces the same secret hashes, so the template stays in sync
  • When the encryption level is 2, template-config-generation produces different secret values, which puts the template out of sync


Resolution


  • Feature request NSFR-I-28243 has been filed to keep template status in-sync if the only template config change is the re-hashed secret
  • To temporarily resolve the issue, perform a template push which will put the status back in-sync
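
Before re-pushing, it is worth confirming that the drift matches the symptom above, i.e. that only secret values changed and nothing else did. The following is an added example, not Palo Alto Networks code: it compares two exported config snapshots, and the element names in SECRET_TAGS, the function names and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: names of elements that carry secrets. Set this to the
# elements that actually appear in your own config diff.
SECRET_TAGS = {"phash", "password", "key"}

def leaf_values(xml_text):
    """Map each leaf path to (tag, [values]); repeated siblings keep every value."""
    out = {}
    def walk(node, path):
        name = node.get("name")
        here = f"{path}/{node.tag}" + (f"[{name}]" if name else "")
        children = list(node)
        if not children:
            out.setdefault(here, (node.tag, []))[1].append((node.text or "").strip())
        for child in children:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return out

def classify_drift(before_xml, after_xml):
    """Return (secret_only, secret_paths, other_paths) for two config snapshots."""
    a, b = leaf_values(before_xml), leaf_values(after_xml)
    secret_paths, other_paths = [], []
    for path in sorted(set(a) | set(b)):
        if a.get(path) == b.get(path):
            continue  # unchanged leaf
        tag = (a.get(path) or b.get(path))[0]
        (secret_paths if tag in SECRET_TAGS else other_paths).append(path)
    # Secrets-only drift: at least one secret changed and nothing else did.
    return bool(secret_paths) and not other_paths, secret_paths, other_paths

# Constructed, simplified snapshots (not real exports or real hashes).
TEMPLATE = ("<config><users><entry name='admin'><phash>{h}</phash></entry></users>"
            "<system><hostname>{n}</hostname></system></config>")
BEFORE = TEMPLATE.format(h="CONSTRUCTED-HASH-1", n="fw-lab")
AFTER_REHASHED = TEMPLATE.format(h="CONSTRUCTED-HASH-2", n="fw-lab")
AFTER_EDITED = TEMPLATE.format(h="CONSTRUCTED-HASH-2", n="fw-renamed")

if __name__ == "__main__":
    for label, after in (("rehashed", AFTER_REHASHED), ("edited", AFTER_EDITED)):
        print(label, classify_drift(BEFORE, after))
```

A result with any entry in other_paths means something besides secrets changed, so that diff should be reviewed as a real configuration change before pushing.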


Additional Information


As mentioned in the config guide (Configure Master Key Encryption Level), only use AES-256-GCM when Panorama and all of its managed devices (or both devices in an HA pair) run PAN-OS 10.1 or greater and configure all of the devices to use AES-256-GCM. Managed or paired devices that use different encryption levels may become out of sync.


