Panorama-managed HA cluster: device-facing high-availability configuration overridden when there is an HA configuration sync from the peer
Created On 09/08/23 12:26 PM - Last Modified 04/22/24 04:42 AM
Symptom
- PA firewalls (any model) set up in Active/Passive or Active/Active mode, running any version of PAN-OS.
- The high-availability settings are managed entirely from Panorama by means of template variables.
- When a local change is made on the Active firewall, for instance creating a "report" (an option that is not available on Panorama), a configuration sync operation to the peer is triggered. Attached screenshot from before the HA sync:
- After the configuration sync operation, all the HA settings on the Passive firewall are overridden. Screenshot attached as follows:
- Once the settings are overridden, none of the changes to the HA settings made from Panorama are reflected on the firewall until a "Force Template" is applied.
Environment
- Any PAN-OS
- Any Hardware
- Any HA configuration (Active/Passive or Active/Active)
Cause
- When an HA sync happens to the peer firewall, the config that is shared with the firewall contains the high-availability node in the XML.
- The high-availability node is also read from template-config.xml; it is merged with the high-availability node from the sync request, and the result lands in running-config.xml.
- In order to prevent further issues and ensure stable PAN-OS behavior, it is necessary to keep the current setting.
- This behavior is pre-existing and cannot be modified, so it will be documented accordingly in the admin guide once the fix for the config out-of-sync condition is available.
- Please review the release notes and search for PAN-216214.
Resolution
- If the devices are meant to be managed by Panorama, the best practice is to disable HA config sync and manage everything from Panorama.
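As an added check, not part of the original article and not Palo Alto Networks code, the following Python script compares the high-availability subtree of the configuration pushed from the Panorama template with the same subtree in the firewall's running configuration, lists every leaf that an HA sync from the peer overwrote, and reports whether configuration synchronization is still enabled (the condition under which the overwrite repeats). The two XML documents are constructed samples with placeholder addresses; the element names follow the PAN-OS deviceconfig/high-availability layout and the xpath string is an assumption about where that node lives. In practice both documents would be fetched from each peer with the XML API (type=config&action=show&xpath=...) and passed to the same functions.

```python
"""Detect HA settings on a firewall that drifted from the Panorama template.

Compares the high-availability subtree of the template-pushed config with the
same subtree of the firewall's running-config and lists every leaf whose value
differs. Sample XML below is constructed for illustration; in practice both
documents are fetched with the PAN-OS XML API from each HA peer (assumption:
the xpath and element names used here).
"""
import xml.etree.ElementTree as ET

# Assumed location of the HA node in the PAN-OS configuration tree.
HA_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
            "/deviceconfig/high-availability")

# Constructed sample: HA node as pushed from the Panorama template to the
# passive peer (placeholder values, not from a real deployment).
TEMPLATE_HA = """<high-availability>
  <enabled>yes</enabled>
  <group>
    <peer-ip>192.0.2.1</peer-ip>
    <configuration-synchronization><enabled>yes</enabled></configuration-synchronization>
    <election-option><device-priority>200</device-priority></election-option>
    <mode><active-passive/></mode>
  </group>
  <interface><ha1><ip-address>10.0.0.2</ip-address><netmask>255.255.255.0</netmask></ha1></interface>
</high-availability>"""

# Constructed sample: the same node in running-config after an HA sync from
# the active peer replaced it with the active peer's own values.
RUNNING_HA = """<high-availability>
  <enabled>yes</enabled>
  <group>
    <peer-ip>192.0.2.2</peer-ip>
    <configuration-synchronization><enabled>yes</enabled></configuration-synchronization>
    <election-option><device-priority>100</device-priority></election-option>
    <mode><active-passive/></mode>
  </group>
  <interface><ha1><ip-address>10.0.0.1</ip-address><netmask>255.255.255.0</netmask></ha1></interface>
</high-availability>"""


def flatten(root, prefix=""):
    """Map each leaf element to a path-like key ("group/peer-ip") and its text."""
    leaves = {}
    for child in root:
        key = f"{prefix}{child.tag}"
        if len(child):
            leaves.update(flatten(child, key + "/"))
        else:
            leaves[key] = (child.text or "").strip()
    return leaves


def ha_drift(template_xml, running_xml):
    """Return {leaf_path: (template_value, running_value)} for every leaf,
    present in either document, whose value differs between the two."""
    t = flatten(ET.fromstring(template_xml))
    r = flatten(ET.fromstring(running_xml))
    drift = {}
    for key in sorted(set(t) | set(r)):
        if t.get(key) != r.get(key):
            drift[key] = (t.get(key), r.get(key))
    return drift


def sync_enabled(ha_xml):
    """True if configuration-synchronization is enabled in the given HA node."""
    node = ET.fromstring(ha_xml).find("group/configuration-synchronization/enabled")
    return node is not None and (node.text or "").strip() == "yes"


def report(template_xml, running_xml):
    """Human-readable lines: one per drifted leaf, plus a sync-setting verdict."""
    lines = []
    for key, (tv, rv) in ha_drift(template_xml, running_xml).items():
        lines.append(f"{HA_XPATH}/{key}: template={tv!r} running={rv!r}")
    if sync_enabled(running_xml):
        lines.append("config sync is enabled; the HA settings will be overwritten "
                     "again on the next peer sync unless sync is disabled in the template")
    return lines


if __name__ == "__main__":
    print("\n".join(report(TEMPLATE_HA, RUNNING_HA)))
```

Running the check against both peers after every commit on the active firewall gives an early signal that the Panorama-defined HA values no longer match what the passive peer is running, without waiting for a failover to reveal the mismatch.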