The Panorama HA peers synchronize the running configuration
each time you commit changes on the active Panorama peer. The candidate
configuration is synchronized between the peers each time you save
the configuration on the active peer or just before a failover occurs.
Settings that are common across the pair, such as shared objects
and policy rules, device group objects and rules, template configuration,
certificates and SSL/TLS service profiles, and administrative access
configuration, are synchronized between the Panorama HA peers.
When you Enable Automated Commit Recovery, HA synchronization
occurs only after the firewall successfully tests the connection
between itself and Panorama after a push from Panorama.
The settings that are not synchronized are those that are unique
to each peer, such as the following:
- Panorama HA configuration: Priority setting, peer IP address,
  path monitoring groups and IP addresses
- Panorama configuration: Management interface IP address, FQDN
  settings, login banner, NTP server, time zone, geographic location,
  DNS server, permitted IP addresses for accessing Panorama, SNMP
  system settings, and dynamic content update schedules
- Scheduled configuration exports
- NFS partition configuration and all disk quota allocation
  for logging. This applies only to a Panorama virtual appliance in
  Legacy mode that runs on a VMware ESXi server.
- Disk quota allocation for the different types of logs and
  databases on the Panorama local storage (SSD)
If you use a master key to encrypt the private keys and certificates on
Panorama, you must use the same master key on both HA peers. If
the master keys differ, Panorama cannot synchronize the HA peers.