Setup Prerequisites for the Panorama Virtual Appliance. 1. Perform Initial Configuration of the Panorama Virtual Appliance; Set Up The Panorama Virtual Appliance as a Log Collector; Go to one of the firewalls dashboard tab, make sure the HA widget is present. VSX-SYNC: Configuration is not synchronized. I'm at a loss. A manual sync was not working, nor did a reboot of both devices (sequentially) help. The only issue I could see in red was the running configuration on this local Panorama is not synchronized with the Passive peer, so I went ahead and fixed that by clicking the "Sync to peer" For whatever reason, I had a Palo Alto Networks cluster that was not able to sync. I've looked in tasks and see nothing unusual. You can view this list using the chronyc command: chronyc sources -v. Also, check the system file in which NTP servers are updated. Install Panorama on an ESXi Server. you will need to verify the configuration between the firewalls and decide which one is the one you need to keep: We can view a list of trusted ntp servers that the chronyd is using to sync the system-time. I'm adding a new static route in the primary node. Check to Synch to HA Peer. I've looked at the running config vs the peer running config and only see what shouldn't sync as differences. . For example, if we change anything on the firewall (for example, add a loopback) that was . >request high-availability sync-to-remote running-config . Install the Panorama Virtual Appliance. For some reason one day they stopped synchronizing configuration changes. Install Panorama on vCloud Air. So you may want to focus on the rest of the output from the config audit - on the configuration that is synchronized between member and will sync if you run "sync to peer". Finally, the PAN support told me to "Export device state" on the active unit, import it on the passive one, do some changes, and commit. In Panorama, I add the HA Firewalls serial number to Panorama and generate an auth key ready to paste into the firewalls Panorama management settings and commit to Panorama. You'll see a "sync to peer" option if it's out of sync. We have 2 core switch running in vsx cluster mode. We have 2 core switch running in vsx cluster mode. VSX-SYNC: Configuration is not synchronized. The "show startup-config" command will show the NVRAM startup configuration. Presented by: Nick Travis SLED SEIn this video, we provide a demo of how to take a firewall from an existing config and importing that into Panorama, so it c. so Go to 654-3805 which is my Latest Update also you can See in the lower of screen (Check Update) Then Press Install on Right Side of the Application. This caused the cluster to not want to commit new changes. You can verify if the Agent is running with: $ /etc/init.d/p9agent status. As per my understanding this new static route should be synchronized to secondary node routing configuration. 5 yr. ago CNSE. I can't seem to get the running config to sync with peer no matter what I try. 02-25-2019 01:17 AM. During boot of the computer the Panorama9 Agent for Linux will automatically start. If one of the HA devices finishes the Commit job faster than the HA peer and local config gets changed due to this commit, a device will try to initiate HA sync job to the peer. I have two Palo Alto firewalls in an high-availability cluster. Upload the Panorama Virtual Appliance Image to Alibaba Cloud . Palo Alto HA Config Sync Status. However, the configs show synchronized under the high availability widget. This is done by running the following command: timedatectl set-ntp yes. The Panorama IP will sync across to the passive firewall. If you edit the configuration files you must restart the Agent before the changes are used. Keep firewall rules consistent across your network. However, the peer is still . Lets Check the Version of the Application First. Monitor Panorama. I Set the Panorama IP address on the Active firewall and paste the auth key into the box and click ok and commit. Dynamic updates simplify administration and improve your security posture. IOS Procedure: With online editing, the "show running-config" command will only show the current running configuration settings, which are different from the IOS defaults. 1. Panorama System and Configuration Logs. We can see that this local Panorama is the primary-active device and the passive peer is 10.10.3.22 (EVE-PAN02). Go to Device - Dynamic updates - and Check the Applications and threats. Monitor Panorama and Log Collector Statistics Using SNMP. To force the Agent to stop: And I assume if there had been a real need to fail-over there would have been other service issues. I'm adding a new static route in the primary node. 1. press Continue Installation. You could force a config sync as well. Panorama manages network security with a single security rule base for firewalls, threat prevention, URL filtering, application awareness, user identification, sandboxing, file blocking, access control and data filtering. Code 9.0.10 active/passive pair. Commit all and Push from Panorama with "merge with device candidate config" is set to yes or "force template values" box checked; Cause. Support for VMware Tools on the Panorama Virtual Appliance. As per my understanding this new static route should be synchronized to secondary node routing configuration. Even the above command will not make the Panorama pushed config on the active node get synchronized with the passive. Set Up Panorama on Alibaba Cloud. Review the running and boot configurations to determine if they are synchronized. To restart the Agent do: $ sudo /etc/init.d/p9agent restart. Configure the Run Time for Panorama Reports. A little more . VSX-SYNC: Configuration is not synchronized. Install Panorama on VMware. Indeed, this fixed it. VSX-SYNC: Configuration is not synchronized.