Unable to commit anything to Panorama via Terraform after PAN-OS upgrade to 10.1.5-h1.

morahman — Thu, 28 Apr 2022 23:06:12 GMT

Below is the error is from attempting to keep the value to the "hip_profiles" argument as "any" in the secuirty policy rule-set.

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
~ update in-place

Terraform will perform the following actions:

# module.FW_TSA.module.FW_Security_Policies.panos_panorama_security_policy.TSA_FIREWALL_POLICIES will be updated in-place
~ resource "panos_panorama_security_policy" "TSA_FIREWALL_POLICIES" {
id = "TSA_DeviceGroup:pre-rulebase"
# (2 unchanged attributes hidden)

~ rule {
~ hip_profiles = [
+ "any",
]
name = "DENY_OUTSIDE_TO_OUTSIDE_GEO_BLOCK"
tags = []
# (21 unchanged attributes hidden)
}
~ rule {
~ hip_profiles = [
+ "any",
]
name = "ALLOW_OUTSIDE_TO_OUTSIDE_GP"
tags = []
# (21 unchanged attributes hidden)
}
~ rule {
~ hip_profiles = [
+ "any",
]
name = "ALLOW_DHS_ONENET_TO_OUTSIDE_GP"
tags = []
# (21 unchanged attributes hidden)
}
~ rule {
~ hip_profiles = [
+ "any",
]
name = "DENY_RFC1918_OUTSIDE"
tags = []
# (21 unchanged attributes hidden)
}
~ rule {
~ hip_profiles = [
+ "any",
]
name = "DENY_ANY_TO_OUTSIDE_ICMP"
tags = []
# (21 unchanged attributes hidden)
}
~ rule {
~ hip_profiles = [
+ "any",
]
name = "ALLOW_INSIDE_TO_DC_SERVICES"
tags = []
# (21 unchanged attributes hidden)
}
~ rule {
~ hip_profiles = [
+ "any",
]
name = "OUTSIDE_TO_TSA_WEST_ADMIN_TOOLS"
tags = []
# (21 unchanged attributes hidden)
}
~ rule {
~ hip_profiles = [
+ "any",
]
name = "ALLOW_OUTSIDE_TO_OUTSIDE_IPSEC"
tags = []
# (21 unchanged attributes hidden)
}
~ rule {
~ hip_profiles = [
+ "any",
]
name = "ALLOW_TUNNEL_TO_TUNNEL_IPSEC"
tags = []
# (21 unchanged attributes hidden)

Plan: 0 to add, 1 to change, 0 to destroy.

Warning: Version constraints inside provider configuration blocks are deprecated

on provider.tf line 20, in provider "aws":
20: version = "~> 3.0"

Terraform 0.13 and earlier allowed provider version constraints inside the
provider configuration block, but that is now deprecated and will be removed
in a future version of Terraform. To silence this warning, move the provider
version constraint into the required_providers block.

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: yes

module.FW_TSA.module.FW_Security_Policies.panos_panorama_security_policy.TSA_FIREWALL_POLICIES: Modifying... [id=TSA_DeviceGroup:pre-rulebase]

Error: The request could not be handled

on FW_TSA/FW_SecPolicies/Sec_Policies.tf line 5, in resource "panos_panorama_security_policy" "TSA_FIREWALL_POLICIES":
5: resource "panos_panorama_security_policy" "TSA_FIREWALL_POLICIES" {

Re: Unable to commit anything to Panorama via Terraform after PAN-OS upgrade to 10.1.5-h1.

morahman — Thu, 28 Apr 2022 23:06:53 GMT

Error: The request could not be handled

Re: Unable to commit anything to Panorama via Terraform after PAN-OS upgrade to 10.1.5-h1.

SimonT — Wed, 06 Jul 2022 06:48:20 GMT

I know this is an old thread but this is issue with the new version (same in 10.1.6). Solved by loading existing running config which ignores newly erroneous config, see https://live.paloaltonetworks.com/t5/general-topics/error-in-commit-after-upgrade-to-10-1-5-h1/td-p/479745

topic Re: Unable to commit anything to Panorama via Terraform after PAN-OS upgrade to 10.1.5-h1. in Automation/API Discussions

Unable to commit anything to Panorama via Terraform after PAN-OS upgrade to 10.1.5-h1.

Re: Unable to commit anything to Panorama via Terraform after PAN-OS upgrade to 10.1.5-h1.

Re: Unable to commit anything to Panorama via Terraform after PAN-OS upgrade to 10.1.5-h1.