>
    Strata Copilot
    What Settings Don’t Sync in Active/Active HA?
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. High Availability
    4. Reference: HA Synchronization
    5. What Settings Don’t Sync in Active/Active HA?
    Download PDF

    What Settings Don’t Sync in Active/Active HA?

    Table of Contents
    End-of-Life (EoL)

    What Settings Don’t Sync in Active/Active HA?

    You must configure the following settings on each firewall in an HA pair in an active/active deployment. These settings do not sync from one peer to another.
    Configuration Item
    What Doesn’t Sync in Active/Active?
    Management Interface Settings
    You must configure all management settings individually on each firewall, including:
    • DeviceSetupManagementGeneral Settings—Hostname, Domain, Login Banner, SSL/TLS Service Profile (and associated certificates), Time Zone, Locale, Date, Time, Latitude, Longitude.
    • DeviceSetupManagementManagement Interface Settings—IP Address, Netmask, Default Gateway, IPv6 Address/Prefix Length, Default IPv6 Gateway, Speed, MTU, and Services (HTTP, HTTP OCSP, HTTPS, Telnet, SSH, Ping, SNMP, User-ID, User-ID Syslog Listener-SSL, User-ID Syslog Listener-UDP)
    Multi-vsys Capability
    You must activate the Virtual Systems license on each firewall in the pair to increase the number of virtual systems beyond the base number provided by default on PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls.
    You must also enable Multi Virtual System Capability on each firewall (DeviceSetupManagementGeneral Settings).
    Panorama Settings
    Set the following Panorama settings on each firewall (DeviceSetupManagementPanorama Settings).
    • Panorama Servers
    • Disable Panorama Policy and Objects and Disable Device and Network Template
    SNMP
    DeviceSetupOperationsSNMP Setup
    Services
    DeviceSetupServices
    Global Service Routes
    DeviceSetupServicesService Route Configuration
    Telemetry and Threat Intelligence Settings
    DeviceSetupTelemetry and Threat Intelligence
    Data Protection
    DeviceSetupContent-IDManage Data Protection
    Jumbo Frames
    DeviceSetupSessionSession SettingsEnable Jumbo Frame
    Packet Buffer Protection
    DeviceSetupSessionSession SettingsPacket Buffer Protection
    NetworkZonesEnable Packet Buffer Protection
    Forward Proxy Server Certificate Settings
    DeviceSetupSessionDecryption SettingsSSL Forward Proxy Settings
    HSM Configuration
    DeviceSetupHSM
    Log Export Settings
    DeviceScheduled Log Export
    Software Updates
    With software updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer (DeviceSoftware).
    GlobalProtect Agent Package
    With GlobalProtect app updates, you can either download and install them separately on each firewall, or download them to one peer and sync the update to the other peer. You must activate separately on each peer (DeviceGlobalProtect Client).
    Content Updates
    With content updates, you can either download and install them separately on each firewall, or download them on one peer and sync the update to the other peer. You must install the update on each peer (DeviceDynamic Updates).
    Licenses/Subscriptions
    DeviceLicenses
    Support Subscription
    DeviceSupport
    Ethernet Interface IP Addresses
    All Ethernet interface configuration settings sync except for the IP address (NetworkInterfaceEthernet).
    Loopback Interface IP Addresses
    All Loopback interface configuration settings sync except for the IP address (NetworkInterfaceLoopback).
    Tunnel Interface IP Addresses
    All Tunnel interface configuration settings sync except for the IP address (NetworkInterfaceTunnel).
    LACP System Priority
    Each peer must have a unique LACP System ID in an active/active deployment (NetworkInterfaceEthernetAdd Aggregate GroupSystem Priority).
    VLAN Interface IP Address
    All VLAN interface configuration settings sync except for the IP address (NetworkInterfaceVLAN).
    Virtual Routers
    Virtual router configuration synchronizes only if you have enabled VR Sync (DeviceHigh AvailabilityActive/Active ConfigPacket Forwarding). Whether or not to do this depends on your network design, including whether you have asymmetric routing.
    IPSec Tunnels
    IPSec tunnel configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (DeviceHigh AvailabilityActive/Active ConfigVirtual Address). If you have configured a floating IP address, these settings sync automatically. Otherwise, you must configure these settings independently on each peer.
    GlobalProtect Portal Configuration
    GlobalProtect portal configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (NetworkGlobalProtectPortals). If you have configured a floating IP address, the GlobalProtect portal configuration settings sync automatically. Otherwise, you must configure the portal settings independently on each peer.
    GlobalProtect Gateway Configuration
    GlobalProtect gateway configuration synchronization is dependent on whether you have configured the Virtual Addresses to use Floating IP addresses (NetworkGlobalProtectGateways). If you have configured a floating IP address, the GlobalProtect gateway configuration settings sync automatically. Otherwise, you must configure the gateway settings independently on each peer.
    QoS
    QoS configuration synchronizes only if you have enabled QoS Sync (DeviceHigh AvailabilityActive/Active ConfigPacket Forwarding). You might choose not to sync QoS setting if, for example, you have different bandwidth on each link or different latency through your service providers.
    LLDP
    No LLDP state or individual firewall data is synchronized in an active/active configuration (NetworkNetwork ProfilesLLDP).
    BFD
    No BFD configuration or BFD session data is synchronized in an active/active configuration (NetworkNetwork ProfilesBFD Profile).
    IKE Gateways
    IKE gateway configuration synchronization is dependent on whether you have configured the Virtual Addresses to use floating IP addresses (NetworkIKE Gateways). If you have configured a floating IP address, the IKE gateway configuration settings sync automatically. Otherwise, you must configure the IKE gateway settings independently on each peer.
    Master Key
    The master key must be identical on each firewall in the HA pair, but you must manually enter it on each firewall (DeviceMaster Key and Diagnostics).
    Before changing the master key, you must disable config sync on both peers (DeviceHigh AvailabilityGeneralSetup and clear the Enable Config Sync check box) and then re-enable it after you change the keys.
    Reports, logs, and Dashboard Settings
    Log data, reports, and dashboard data and settings (column display, widgets) are not synced between peers. Report configuration settings, however, are synced.
    HA settings
    • DeviceHigh Availability
    • (The exception is DeviceHigh AvailabilityActive/Active ConfigurationVirtual Addresses, which do sync.)
    Rule Usage Data
    Rule usage data, such as hit count, Created, and Modified Dates, are not synced between peers. You need to log in to the each firewall to view the policy rule hit count data for each firewall or use Panorama to view information on the HA firewall peers.
    Certificates for Device Management and Syslog Communication over SSL only
    DeviceCertificate ManagementCertificates
    Certificates used for device management or for syslog communication over SSL don’t synchronize with an HA peer.
    Certificates in a Certificate Profile
    DeviceCertificate ManagementCertificate Profile
    SSL/TLS Service Profile for Device Management only
    DeviceCertificate ManagementSSL/TLS Service Profile
    SSL/TLS Service Profile for Device Management doesn’t synchronize with an HA peer.
    Device-ID and IoT Security
    IP address-to-device mappings and policy rule recommendations don’t synchronize with an HA peer.

    © 2025 Palo Alto Networks, Inc. All rights reserved.