13/06/2018 Live Community - Information Synchronized in an HA Pair - Live Community

PALO ALTO NETWORKS HOME (HTTPS://WWW.PALOALTONETWORKS.COM/) CUSTOMER SUPPORT (HTTPS://SUPPORT.PALOALTONETWORKS.COM

(/)

Support Info (/t5/custom/page/page-id/Support)

Register (https://live.paloaltonetworks.com/t5/custom/page/page-id/Register?referer=https%3A%2F%2Flive.paloaltonetworks.com%2Ft5%2FLearning-

Articles%2FInformation-Synchronized-in-an-HA-Pair%2Fta-p%2F57292)

Sign In (https://live.paloaltonetworks.com/twzvq79624/plugins/common/feature/saml/doauth/post?referer=https%3A%2F%2Flive.paloaltonetworks.com%2Ft5%2FLearning-

Articles%2FInformation-Synchronized-in-an-HA-Pair%2Fta-p%2F57292)

FAQs (/t5/help/faqpage)

Features  Discussions  Knowledge Base 

(https://live.paloaltonetworks.com/t5/Features/ct-p/Features) (https://live.paloaltonetworks.com/t5/Knowledge-Base/ct-p/Topics)

Tools 
(https://live.paloaltonetworks.com/t5/Tools/ct-p/Tools)

Live (/) > Knowledge Base (/t5/Knowledge‑Base/ct‑p/Topics) > Next‑Genera on Firewall (/t5/Next‑Genera on‑Firewall/ct‑p/Firewall_Ar cles) >

Learning Ar cles (/t5/Learning‑Ar cles/tkb‑p/learning_tkb) >

Learning Ar cles (/t5/Learning‑Ar cles/tkb‑p/learning_tkb)

Community Search

Information Synchronized in an HA Pair

by Ameya-Kawimandan (/t5/user/viewpro lepage/user-id/26535) on 11-14-2012 09:41 PM (32,590 Views)

Labels: High Availability (/t5/Learning-Articles/tkb-p/learning_tkb/label-name/high%20availability?labels=high+availability),

Learning (/t5/Learning-Articles/tkb-p/learning_tkb/label-name/learning?labels=learning)

(https://ignite.paloaltonetworks.c
Overview
This document explains the information synchronized between High Availability (HA) pair members and applies to Active-Passive and
Active-Active deployments.
Details
Control Plane Synchronization Over HA1 link
Con guration: Con guration changes to either active or passive unit are synchronized to peer device
Tabs Synchronized: Policy, Objects and Network
All certi cates sync except Web Certi cate
(/t5/custom/page/page-id/Regist
Dataplane Synchronization over HA2 Link
Session states
IPSec SAs Labels
MAC Tables
Neighbor Discovery Table App-ID
(https://live.paloaltonetworks.com/t
IPv(4/6) return MAC
Authentication
HA2 Monitor Message (https://live.paloaltonetworks.com/t
ARP tables
Certi cates
(https://live.paloaltonetworks.com/t
Verify what gets synchronized over HA2 link using the command below:
> show high­availability state­synchronization Cloud
(https://live.paloaltonetworks.com/t
Objects Not Synchronized
Con guration
Under Network, interface-speci c parameters (such as, link speed and link duplex) are not synchronized (https://live.paloaltonetworks.com/t
Application Command Center (ACC) and log data is not synchronized
Decryption
Web Certi cates (https://live.paloaltonetworks.com/t
Log Link con guration is not synchronized between HA. (See: How Does the Log Link Feature Work? (/docs/DOC-1350))
Endpoint
(https://live.paloaltonetworks.com/t
Note: Device > Objects under the Device Tab are synchronized selectively. Refer to High Availability Synchronization (/docs/DOC-
5086) for the complete list of objects that are synchronized. GlobalProtect
(https://live.paloaltonetworks.com/t
CLI commands to perform a commit sync manually
Hardware
Synchronize Running Con guration (https://live.paloaltonetworks.com/t
>request high­availability sync­to­remote running­config
High Availability
Force the system to synchronize objects that are not saved as part of the system con guration, for example custom block and (https://live.paloaltonetworks.com/t
logon pages. This process operates over the HA control link Integration
>request high­availability sync­to­remote disk­state (https://live.paloaltonetworks.com/t

Learning
(https://live.paloaltonetworks.com/t
https://live.paloaltonetworks.com/t5/Learning-Articles/Information-Synchronized-in-an-HA-Pair/ta-p/57292 1/3
13/06/2018 Live Community - Information Synchronized in an HA Pair - Live Community
Manually sync the runtime session state. This is normally automatically done, but if needed this command can be executed to
Logs
force the synchronization of the session table (https://live.paloaltonetworks.com/t
>request high­availability sync­to­remote runtime­state Management
(https://live.paloaltonetworks.com/t
See Also NAT
High Availability Synchronization (/docs/DOC-5086). (https://live.paloaltonetworks.com/t
owner: akawimandan Network
(https://live.paloaltonetworks.com/t

Everyone's Tags: Objects & Security Pro les

(https://live.paloaltonetworks.com/t
active_passive (/t5/tag/active_passive/tg-p/board-id/learning_tkb) doc-4175 (/t5/tag/doc-4175/tg-p/board-id/learning_tkb)
ha (/t5/tag/ha/tg-p/board-id/learning_tkb) ha_sync (/t5/tag/ha_sync/tg-p/board-id/learning_tkb) PAN-OS 8.1
(https://live.paloaltonetworks.com/t
high_availability (/t5/tag/high_availability/tg-p/board-id/learning_tkb)
View All (11) Panorama
(https://live.paloaltonetworks.com/t
2 (/t5/kudos/messagepage/board-id/learning_tkb/message-id/229/tab/all-users) Policies
(https://live.paloaltonetworks.com/t

Next 

Article Options (https://live.paloaltonetworks.co

Hide Comments Articles/Information-Synchroniz

Pair/ta-p/57292/page/2/show-c
Comments

by breakaway (/t5/user/viewpro lepage/user-id/6881)

on 07-09-2015 07:07 PM
Contributors
This document states that 'interface-speci c parameters (such as, link speed and link duplex) are not synchronized', but I see that
interface comments are synchronized (we are running 6.1.4).
Interface comments can be very speci c and I believe should not be synchronized.
Would this need to be changed with a feature request?
Thanks!
(/t5/user/viewpro lepage/user-
id/26535)
Permalink (/t5/Learning-Articles/Information-Synchronized-in-an-HA-Pair/tac-
2 (/t5/kudos/messagepage/board-id/learning_tkb/message-id/230/tab/all-users) Ameya-Kawimandan
(/t5/user/viewpro lepage/user-
p/57293#M230) id/26535)

by KiCheon.Lee (/t5/user/viewpro lepage/user-id/13354)

on 08-05-2015 11:07 PM

I wonder to sync user-ip and group-member manually. Recommendations

request high­availability sync­to­remote runtime­state
Does the above cli command include to sync user-ip and group-member force or only session table? High Availability
What is the below command? Synchronization (/t5/Tech-
request high-availability sync-to-remote id-manager user-id Note-Articles/High-Availability-
Please let me know them. Synchronization/ta-p/61190)
Thanks,
KC Lee Running Con g Not
Synchronized after
Upgrading On...
Permalink (/t5/Learning-Articles/Information-Synchronized-in-an-HA-Pair/tac- 0 (/t5/Management-
Articles/Running-Con g-Not-
p/57294#M231)
Synchronized-after-Upgrading-
One-Peer-in-HA/ta-p/65066)

HA pair is not synchronizing

(/t5/Management-
Articles/HA-pair-is-not-
synchronizing/ta-p/54282)

Re: How to Upgrade a High

Availability (HA) Pair
(/t5/Management-Articles/How
to-upgrade-a-High-Availability-
HA-pair/ta-p/57081)

Important information on
VPNFilter Attacks
(/t5/Threat-Vulnerability-
Articles/Important-information-
on-VPNFilter-Attacks/ta-
p/215123)

In an Active/Passive HA Pair
are Existing Session...
(/t5/Learning-Articles/In-an-
Active-Passive-HA-Pair-are-

https://live.paloaltonetworks.com/t5/Learning-Articles/Information-Synchronized-in-an-HA-Pair/ta-p/57292 2/3
13/06/2018 Live Community - Information Synchronized in an HA Pair - Live Community
Latest Blogs
(http://www.paloaltonetworks.com) As everyone is getting ready to watch the
World Cup, so should security admins
(https://live.paloaltonetworks.com/t5/Comm
unity-Blog/As-everyone-is-getting-ready-to-
watch-the-World-Cup-so-should/ba-
p/217722)
The World Cup is upon us, and while it b...
New App-IDs for June are ready!
(https://live.paloaltonetworks.com/t5/Comm
unity-Blog/New-App-IDs-for-June-are-
ready/ba-p/217639)
New App-IDs for June are ready. Click to...
Palo Alto Networks SuperFan Program
(https://live.paloaltonetworks.com/t5/Comm
unity-Blog/Palo-Alto-Networks-SuperFan-
Program/ba-p/217621)
A membership with super-sized bene ts J...
Copyright 2007 - 2018 - Palo Alto Networks Privacy Policy (https://www.paloaltonetworks.com/legal/privacy.html)
https://live.paloaltonetworks.com/t5/Learning-Articles/Information-Synchronized-in-an-HA-Pair/ta-p/57292
Existing-Sessions-Sync-ed-
When/ta-p/58312)
DotW: Blocked traf c has an
allow log (/t5/Featured-
Articles/DotW-Blocked-traf c-
has-an-allow-log/ta-p/72357)
Events Connect
Ignite: What else is in it for me?
(https://live.paloaltonetworks.com/t5/Ignite-
Blog/Ignite-What-else-is-in-it-for-me/ba-   
(https://twitter.com/PALiveCommu
(https://www.youtube.c
(http://www
p/212853)
Ignite. So you get to learn from the exp...

Ignite: What's in it for me? (https://www.linkedin.com/compan
(https://live.paloaltonetworks.com/t5/Ignite- alto- 
Blog/Ignite-What-s-in-it-for-me/ba- networks) (https://www.facebook.
p/213292)
Ignite. What's all the fuss? You've got ...
We get by with a little help from our friends
(https://live.paloaltonetworks.com/t5/Ignite-
Blog/We-get-by-with-a-little-help-from-our-
friends/ba-p/212142)
Hey, other than you, who are the geniuse...
Terms of Use (/t5/user/UserTermsOfServicePage)
(https://www.lithium.com/powered-by-lithium
3/3