We had a client who had their NAT policies targeted to one member of an Active/Passive HA cluster, for some reason. And we did not notice this until we failed over and the network stopped working.
The config showed as in sync between the two peers.
I've checked and cannot find documentation that these settings wouldn't sync.
Reference: HA Synchronization (paloaltonetworks.com)
Am I missing something?
Hi Squeaker,
It is strange. Are the active/passive managed by a Panorama?
The reason why I ask: Panorama pushes the config to the managed device and syncs between Panorama and managed devices. If managed by a Panorama, maybe check that there is no local config on the passive firewall in a commit process, and when the NAT rule was created it showed successful on Panorama but was not pushed through the Passive device.
Also check the config audit between passive and active.
Thanks