Synchronization of System Runtime Information

The following table summarizes what system runtime information is synchronized between HA peers.
| Runtime Information | Config Synced? (A/P) | Config Synced? (A/A) | HA Link | Details |
|---|---|---|---|---|
| Management Plane | | | | |
| User to Group Mappings | Yes | Yes | HA1 | |
| User to IP Address Mappings | Yes | Yes | HA1 | |
| DHCP Lease (as server) | Yes | Yes | HA1 | If the PAN-OS versions on the HA peers don’t match, the DHCP Lease (as server) config information won’t sync. |
| DNS Cache | No | No | N/A | |
| FQDN Refresh | No | No | N/A | |
| IKE Keys (phase 2) | Yes | Yes | HA1 | |
| BrightCloud URL Database | No | No | N/A | |
| BrightCloud URL Cache | No | No | N/A | This feature is disabled by default and must be enabled separately on each HA peer. |
| BrightCloud Bloom Filter | No | No | N/A | This feature is disabled by default and must be enabled separately on each HA peer. |
| PAN-DB URL Cache | Yes | No | HA1 | This is synchronized upon database backup to disk (every eight hours, when URL database version updates), or when the firewall reboots. |
| Content (manual sync) | Yes | Yes | HA1 | |
| PPPoE, PPPoE Lease | Yes | Yes | HA1 | |
| DHCP Client Settings and Lease | Yes | Yes | HA1 | If the PAN-OS versions on the HA peers don’t match, the DHCP Client Settings and Lease config information won’t sync. |
| SSL VPN Logged in User List | Yes | Yes | HA1 | |
| Forward Information Base (FIB) | Yes | Yes | HA1 | |
| Dataplane | | | | |
| Session Table | Yes | Yes | HA2 | Active/passive peers do not sync ICMP or host session information. Active/active peers do not sync host session, multicast session, or BFD session information. |
| ARP Table | Yes | No | HA2 | Upon upgrade to PAN-OS 7.1, the ARP table capacity automatically increases. To avoid a mismatch, upgrade both peers within a short period of time. As a best practice, clear the ARP cache (clear arp) on both peers prior to upgrading to PAN-OS 7.1. |
| Neighbor Discovery (ND) Table | Yes | No | HA2 | |
| MAC Table | Yes | No | HA2 | |
| IPSec Sequence Number (anti-replay) | Yes | Yes | HA2 | |
| DoS Block List Entries | No | No | N/A | |
| Virtual MAC | Yes | Yes | HA2 | |
| SCTP Associations | Yes | No | HA2 | |
