An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama?
A. The passive firewall, which then synchronizes to the active firewall
B. The active firewall, which then synchronizes to the passive firewall
C. Both the active and passive firewalls, which then synchronize with each other
D. Both the active and passive firewalls independently, with no synchronization afterward (Most Voted)
The correct answer is:
B. The active firewall, which then synchronizes to the passive firewall
Explanation:
When pushing a configuration from Panorama to a pair of firewalls configured in an active/passive High Availability (HA) pair, the following process occurs:
Panorama sends the configuration to the active firewall:
Panorama communicates directly with the active firewall in the HA pair and pushes the new configuration to it.
The active firewall synchronizes the configuration to the passive firewall:
After receiving the configuration, the active firewall automatically synchronizes the configuration to the passive firewall to ensure both devices have the same settings.
This approach ensures consistency between the active and passive firewalls and avoids configuration mismatches that could cause issues during failover.
I set up a lab with an HA pair; both devices received the configuration in their respective template stack and then performed a commit. Because the values are the same, no synchronization is needed.
This has some info for migrating HA into Panorama:
https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management
Basically, Panorama configuration is not synced regardless of whether the config sync box is checked. Only local configuration will be synchronized if the config sync box is checked.
The correct answer here is C: both firewalls will receive the configuration and will need to sync whatever the configuration is, maybe an application, objects, or security policy. On Panorama you will also see that the devices show as in sync or out of sync.
No, it's D. Although we always set up HA with sync enabled, it's not a requirement for HA. So just HA without the "additional and optional" sync will not sync.
Answer: D
sk suggests that Panorama policy is pushed to both units and no sync is performed per se. This means that any local policy would need to be synced separately
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleOCAS