Why is a full push required on Panorama after an HA failover?
Question
Why is a full push required on Panorama after an HA failover?
Environment
- Panorama
- PAN-OS 10.2, 11.1 and 11.2
Answer
There are two reasons why a full push is required after a Panorama HA failover:
- The replayDB, which records all configuration changes (both uncommitted and committed), is not synchronized between the primary and secondary Panorama. This can result in incorrect configuration being pushed, missing configuration, or validation errors when pushing the configuration to the managed firewalls.
- The configuration version numbers are not the same on the primary and secondary Panorama. The configuration of the different Device Groups and Templates is synchronized between the peers, but each peer assigns its own version numbers.
Configuration versions after full push from primary Panorama:
Configuration versions after full push from secondary Panorama:
As seen in the above screenshots, the configuration version numbers from primary and secondary Panorama are totally different.
Selective push (or partial push) uses the configuration version number recorded on the managed device to look up in the replayDB which configuration changes still need to be pushed. Because the configuration was pushed from the primary Panorama before the HA failover, the version number assigned to the device still matches the primary Panorama and not the secondary. The secondary Panorama therefore finds no matching version number in its replayDB and the push fails.
A full push updates the version number assigned to the managed device to the one used by the Panorama that performed the push.
After a one-time full push following a Panorama HA failover, selective push (partial push) can again be used successfully if desired.
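The following is a simplified model added here to illustrate the mechanism described above; it is not Panorama's code. It assumes that each peer keeps its own replayDB keyed by version number, that HA synchronizes the configuration content but not the replayDB or the version counter, and that a managed firewall records the version number of its last push. The peer names, firewall name, rule names and version numbers (100 and 2000 as starting counters) are constructed for the example.

```python
"""Model of why a selective push fails after a Panorama HA failover.

Illustrative model, not Panorama's implementation. Assumed behaviour:
- each peer keeps its own replayDB (version number -> recorded changes),
  which HA does not synchronize;
- Device Group / Template content is synchronized, but each peer assigns
  version numbers from its own counter, so the numbers differ;
- a managed firewall remembers the version number of its last push.
All names and version numbers are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional


class SelectivePushError(Exception):
    """The firewall's last-pushed version is unknown to this peer's replayDB."""


@dataclass
class Panorama:
    name: str
    version: int                                   # per-peer counter, never synced
    config: dict = field(default_factory=dict)     # synced by HA
    replay_db: dict = field(default_factory=dict)  # not synced by HA

    def __post_init__(self) -> None:
        # Baseline entry so a device stamped by a full push can be found later.
        self.replay_db[self.version] = {}

    def commit_change(self, key: str, value: str) -> int:
        """Record one change under a new version number in the local replayDB."""
        self.version += 1
        self.config[key] = value
        self.replay_db[self.version] = {key: value}
        return self.version

    def ha_sync_to(self, peer: "Panorama") -> None:
        """HA sync copies the configuration content only, not the replayDB."""
        peer.config = dict(self.config)


@dataclass
class Firewall:
    name: str
    running_config: dict = field(default_factory=dict)
    pushed_version: Optional[int] = None   # version stamped by the last push


def full_push(pano: Panorama, fw: Firewall) -> int:
    """Push everything and stamp the firewall with the pushing peer's version."""
    fw.running_config = dict(pano.config)
    fw.pushed_version = pano.version
    return fw.pushed_version


def selective_push(pano: Panorama, fw: Firewall) -> list:
    """Push only the versions newer than the one recorded on the firewall.

    The recorded version is looked up in the pushing peer's replayDB. After a
    failover it was assigned by the other peer, so the lookup (and push) fails.
    """
    if fw.pushed_version not in pano.replay_db:
        raise SelectivePushError(
            f"{fw.name}: version {fw.pushed_version} not in {pano.name} replayDB"
        )
    pending = sorted(v for v in pano.replay_db if v > fw.pushed_version)
    for v in pending:
        fw.running_config.update(pano.replay_db[v])
    fw.pushed_version = pano.version
    return pending


def run_failover_scenario() -> dict:
    """Primary pushes, HA fails over, selective push fails, full push repairs it."""
    primary = Panorama("primary", version=100)
    secondary = Panorama("secondary", version=2000)
    fw = Firewall("fw-01")

    primary.commit_change("rule-A", "allow")          # v101
    primary.ha_sync_to(secondary)
    full_push(primary, fw)                            # fw stamped 101
    primary.commit_change("rule-B", "deny")           # v102
    primary.ha_sync_to(secondary)
    first_selective = selective_push(primary, fw)     # pushes [102]

    # HA failover: the secondary becomes active and takes a new change.
    secondary.commit_change("rule-C", "allow")        # v2001, secondary only
    try:
        selective_push(secondary, fw)
        failed_after_failover = False
    except SelectivePushError:
        failed_after_failover = True                  # 102 unknown to secondary

    stamped = full_push(secondary, fw)                # one-time full push: 2001
    secondary.commit_change("rule-D", "deny")         # v2002
    second_selective = selective_push(secondary, fw)  # pushes [2002] again

    return {
        "first_selective": first_selective,
        "failed_after_failover": failed_after_failover,
        "version_after_full_push": stamped,
        "second_selective": second_selective,
        "fw_config": dict(fw.running_config),
    }


if __name__ == "__main__":
    for key, value in run_failover_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows the selective push succeeding while the primary is active, failing immediately after the failover because version 102 exists only in the primary's replayDB, and succeeding again once a full push from the secondary has stamped the firewall with a version number the secondary knows.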
NOTE for multi-vsys firewalls:
Starting with PAN-OS 10.2, a feature called “Shared optimization” pushes the shared objects from Panorama to multi-vsys firewalls. Instead of duplicating each shared object into every vsys, it stores them in a new location on the firewall called “Panorama shared”.
To avoid validation errors with shared objects, it is a best practice to always push the configuration to all vsys and not only to the one that has been modified.
To do this, uncheck the “Filter selected” option in the “Push Scope Selection” window. Once it is unchecked, the unmodified Device Groups or Templates can also be selected.
Additional Information
Selective push best practices:
Selective push admin guide:
Push to multi-vsys firewalls: