Situation: After configuring third party certificate on a Palo Alto Firewall HA, the client has a problem to Synchronize HA Peer,
Resolution 1: Export Certificate from the Active unit and import it into the Passive unit. Go to Device>Certificate Management>Certificates. Highlight the certificate and click the Export Certificate.
Resolution 2: If you can’t sync and Peer unit has been changed for some reasons, you may want to Revert to last Saved confirmation on Perr unit.
Resolution 3: You can also Export named configuration snapshot on Active unit and import it on Passive unit.
PA Support sumery.
1. We discussed the issue, which is about the issue HA pair out of sync.
2. We checked that the passive firewall is out of sync.
3. We tried to sync but as it’s due to a certificate we could not sync it.
4. We exported the certificate from the active firewall using the passphrase.
5. We then imported the certificate into the passive firewall using the passphrase.
6. We then checked the firewall which was out of sync.
7. We then tried to sync but were not syncing.
8. We tried with management restart but could not sync again.
9. We then took the Active firewall running configuration.
10. We then imported and loaded the running configuration of the active firewall in passive.
11. We then did the commit after that we can see that the HA pair are in sync.
