The Panorama HA peers synchronize the running configuration each time you commit changes on the active Panorama peer. The candidate configuration is synchronized between the peers each time you save the configuration on the active peer or just before a failover occurs.
Settings that are common across the pair, such as shared objects and policy rules, device group objects and rules, template configuration, certificates and SSL/TLS service profiles, and administrative access configuration, are synchronized between the Panorama HA peers.
The settings that are not synchronized are those that are unique to each peer, such as the following:
Panorama HA configuration—Priority setting, peer IP address, path monitoring groups and IP addresses
Panorama configuration—Management port IP address, FQDN settings, login banner, NTP server, time zone, geographic location, DNS server, permitted IP addresses for accessing Panorama, Simple Network Management Protocol (SNMP) system settings, and dynamic content update schedules
Scheduled configuration exports
NFS partition configuration and all disk quota allocation for logging
Disk quota allocation for the different types of logs and databases on the Panorama local storage (SSD)
If you use a master key to encrypt the private keys and certificates on Panorama, you must use the same master key on both HA peers. If the master keys differ, Panorama cannot synchronize the HA peers.