topic Re: Server error : Partial commit is not allowed. Full commit must be completed. in General Topics

Server error : Partial commit is not allowed. Full commit must be completed.

hgiguelay — Mon, 21 Aug 2017 15:22:07 GMT

Palo version:

vm-license: VM-100
vm-mode: VMWare ESXi
sw-version: 8.0.4

I am trying to do a partial commit after a change on policy rules.

The following commands usually work. But for some reason, I ended in a state where partial commit/validate is not allowed:

admin@CST-OCBFW-INT01(active)# validate partial device-and-network excluded

Server error : Partial validate is not allowed. Full commit must be completed.

[edit]                                                                                                                                             
admin@CST-OCBFW-INT01(active)# commit partial device-and-network excluded

Server error : Partial commit is not allowed. Full commit must be completed.

[edit]

The candidate config only has changes on security/rules which is part of the "policy-and-objects" config AFAIK.

What can be the cause of this state?

Can it be fixed so that I can issue a partial commit and avoid doing a seemingly useless full commit? Or does it mandatorily requires a full commit?

Re: Server error : Partial commit is not allowed. Full commit must be completed.

BPry — Mon, 21 Aug 2017 17:01:43 GMT

@hgiguelay,

Generally this would only appear if a security policy references something that falls within the device-and-network, as you are attempting to exclude that it wouldn't be able to validate or commit the config.

1) Verify nothing you have configured actually relies on anything within the device-and-network config

2) Something got loopy and you just need to do an actual full commit instead of a partial.

Re: Server error : Partial commit is not allowed. Full commit must be completed.

Remo — Mon, 21 Aug 2017 17:23:26 GMT

Or another admin changed something?

But I also think it's @BPrys possibility 2 (if you didn't create an EDL reachable over https, so that it requires a certificate profile; or a new log forwarding profile and you created the required serverprofile at the same time; and probably more possibilities ...)

Re: Server error : Partial commit is not allowed. Full commit must be completed.

hgiguelay — Tue, 22 Aug 2017 10:00:20 GMT

Thanx for your help!

I don't exactly remember what I did to reach this state, but I checked that only security/rules were changed in the GUI "commit/preview changes" and in the CLI:

root@cst-ocbvpn-int01:/# diff -u <(panxapi.py -xrs) <(panxapi.py -Xro 'show config candidate')
show: success
op: success
--- /dev/fd/63    2017-08-21 14:38:12.174880000 +0000
+++ /dev/fd/62    2017-08-21 14:38:12.174880000 +0000
@@ -1759,89 +1759,109 @@
             <security>
               <rules>
                 <entry name="tpl_deny_paloappdefault">
+                  <action>deny</action>
+                  <application>
+                    <member>any</member>
...
+                  </destination>
+                  <rule-type>interzone</rule-type>
                 </entry>
               </rules>
             </security>

So in the current state, I only have changes in "policy-and-objects".

Of course many of those policy changes "point" to device-and-config "objects" (log-forwarding, services, etc), but there are no changes in device-and-config in the diff.

Maybe I did some changes on device-and-config that made the Palo "flag" the next commit has needing to be full, and then reverted those changes prior to the commit.

Anyway, I'll try and reproduce and better track what were my actions.