Last Modified: Apr 10, 2019
See more info
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 12.1.4, 126.96.36.199, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Opened: Jan 15, 2015
With a large firewall policy, one device in the device group might compile the policy successfully, while another device might fail to compile. The same is true with a cluster.
PCCD becomes out of sync between devices in the device group or between cards in the cluster. This might cause subsequent HA sync failures. Disabling on-demand-rule-deploy might cause one of the devices/cards to automatically deploy the the policy. In this case the user could end up with mismatched firewall policies enforced on different devices/cards.
This occurs with a large firewall policy and heavy use of FQDNs.
Modifying the firewall policy and recompiling re-syncs PCCD.