Each Panorama peer in the HA pair is assigned a priority value.
The priority value of the primary or secondary peer determines which
will be eligible for being the main point of administration and
log management. The peer set as primary assumes the active state,
and the secondary becomes passive. The active peer handles all the
configuration changes and pushes them to the managed firewalls;
the passive peer cannot make any configuration changes or push configuration
to the managed firewalls. However, either peer can be used to run
reports or to perform log queries.
The passive peer is synchronized and ready to transition to the
active state if a path, link, system, or network failure occur on
the active Panorama.
When a failover occurs, only the state (active or passive) of
the Panorama peer changes; the priority (primary and secondary)
does not. For example, when the primary peer fails, its status changes
from active-primary to passive-primary.
A peer in the active-secondary state can perform all functions
with two exceptions:
It cannot manage firewall or Log Collector deployment
functions such as license updates or software upgrades.
It cannot log to an NFS until you manually change its priority
to primary. Only the Panorama virtual appliance in Legacy mode supports
The following table lists the capabilities of Panorama based
on its state and priority settings: