topic Disabled rules on Panorama being pushed to firewall in Panorama Discussions

Disabled rules on Panorama being pushed to firewall

SCH-Gaurav — Mon, 12 Feb 2024 08:24:32 GMT

Hi All,

I had a very strange behavior recently on panorama. Disabled rules don't go to firewalls when a push is performed from Panorama, but I had a disabled rule on panorama which got pushed to firewalls. Please find below events in the order they appeared.

1. I had disabled a Security Rule and 2 PBF rules on Panorama and pushed the config to firewalls. It was pushed successfully, and I couldn't see disabled rules on the local firewall, which is expected behavior.

2. I had to configure a security rule on same Device Group to allow some traffic and it was pushed successfully onto the local firewall.

3. When I checked the local firewall after the last push, I found that along with the new rule, the disabled rule and 2 PBFs were also pushed, but when I checked back on Panorama, they were still showing disabled and there were no pending changes to commit.

If anybody has come across such behavior or know anything about it, your help will be much appreciated.

Re: Disabled rules on Panorama being pushed to firewall

JayGolf — Tue, 13 Feb 2024 22:22:32 GMT

Hi @SCH-Gaurav ,

I haven't encountered this in the past, but if you enable and disable the appropriate policies in Panorama and then push them out, do they still appear on the managed firewall?

Re: Disabled rules on Panorama being pushed to firewall

PavelK — Tue, 13 Feb 2024 23:56:34 GMT

Hello @SCH-Gaurav

could you confirm what PAN-OS version you are running on Panorama? If you are running PAN-OS 10.2, you might be running into bugs addressed in PAN-OS 10.2.8:

PAN-240197
Fixed an issue where configuration changes made in Panorama and pushed to the firewall weren’t reflected on the firewall.

PAN-208438
Fixed an issue on Panorama where Security policy rules incorrectly displayed as disabled.

Kind Regards

Pavel