Panorama fails to commit device group to new firewalls

GrantCampbell4 — Thu, 22 Jun 2023 15:34:46 GMT

Hello,

We are running 10.1.9-h1 Panorama server that manages multiple PA firewalls.

We have imported a new HA pair of PA-450s and a new HA pair of PA-3220 firewalls

The PA-3220 firewalls are in a template and device group configuration and when committing to the firewalls from Panorama to the PA-3220s for the first time, the template pushes fine but the device group commit fails.

. Validation Error:
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source 'DN' is not an allowed keyword
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source DN is an invalid ipv4/v6 address
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source DN range separator('-') not found
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source 'DN' is not a valid reference
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source 'LN' is not an allowed keyword
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source LN is an invalid ipv4/v6 address
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source LN range separator('-') not found
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source 'LN' is not a valid reference
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source is invalid
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination 'DN' is not an allowed keyword
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination DN is an invalid ipv4/v6 address
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination DN range separator('-') not found
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination 'DN' is not a valid reference
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination 'LN' is not an allowed keyword
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination LN is an invalid ipv4/v6 address
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination LN range separator('-') not found
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination 'LN' is not a valid reference
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination is invalid
. rulebase -> security -> rules is invalid
. rulebase -> security is invalid
. rulebase is invalid
. vsys is invalid
. devices is invalid
. vsys1
. Error: Failed to find address 'DN'
. Error: Unknown address 'DN'
. Error: Failed to parse security policy
. (Module: device)
. client device phase 1 failure
. Configuration is invalid

The PA-450s were imported the same way but have not suffered this fate.

Any assistance as to why and how to fix this is appreciated.

Re: Panorama fails to commit device group to new firewalls

aleksandar.astardzhiev — Sun, 25 Jun 2023 08:00:06 GMT

Hi @GrantCampbell4 ,

As mentioned at the bottom of this link DN and LN regions were added recently - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFFCA0

So it looks like your PA-3220 firewall does not use the latest dynamic package updates compared to the Panorama and PA-450.

First step would be to "check now" and install the latest dynamic content packages on the firewalls and try again to push config from Panorama.

topic Re: Panorama fails to commit device group to new firewalls in Panorama Discussions

Panorama fails to commit device group to new firewalls

Re: Panorama fails to commit device group to new firewalls