topic Re: Trouble after upgrading to 4.1 in General Topics

Trouble after upgrading to 4.1

saint-paul — Wed, 16 Nov 2011 10:10:55 GMT

I was currently running 4.0.5 on panorama and HA active passive 2050 cluster.

The upgrade ran rather smoothly.

has something changed for service declaration in 4.1?

I define my addresses and custom services on the panorama which I sync to the HA cluster members after committing on the panorama.

My policies are defined on the first cluster member which are automatically HA-synced to the second member of the cluster.

I now wanted to add a a new service, so I did as always and created a new service declaration on panorama and committed it.

After that operation a cluster showed out of sync as it always does after comitting on the panorama.

When I now click on commit all for the cluster members in panorama I get a error message:

rulebase -> security -> rules -> External Web access -> service 'sp_8080' is not an allowed keyword.

When I remove this service from this policy I get the same error but in the next policy rule which also contains a custom service.

Commiting on the device also works.

What can I do?

Re: Trouble after upgrading to 4.1

saint-paul — Wed, 16 Nov 2011 15:03:35 GMT

I did some more testing.

I removed all custom services from my policies (luckily the firewall is still in setup phase)

after that I got the same problem with the certificate of the captive portal and Web gui certificate. So I also delted those and now I can finally "commit all" to the devices from panorama.

But as soon as I add a custom service defined on the panorama to a policy I get the error as mentioned above.

I can also commit when i create the service in the device context and add it to a Rule.

So do I need to recreate all my services on the device context now and use those?

Strangely I have no Problem with my addresses in the rules which I also created in the panorama context.

Re: Trouble after upgrading to 4.1

mschuricht — Wed, 16 Nov 2011 17:48:08 GMT

Is your setup running 4.0.5 on the managed firewalls and 4.1.0 on Panorama?

If this is the case then you should open a case with support.

Re: Trouble after upgrading to 4.1

saint-paul — Thu, 17 Nov 2011 07:29:47 GMT

No, everything is running on 4.1

Re: Trouble after upgrading to 4.1

mschuricht — Fri, 18 Nov 2011 02:52:15 GMT

Please open a support case so we can investigate the issue. It sounds like a bug.

Re: Trouble after upgrading to 4.1

saint-paul — Wed, 23 Nov 2011 08:38:07 GMT

Edit:

I must have done something wrong yesterday, because today I noted that it doesn't work..

Still get the mesage when commiting to "managed devices.

vsys -> vsys1 -> rulebase -> security -> rules -> External Web access -> service 'test' is not an allowed keyword
vsys -> vsys1 -> rulebase -> security -> rules -> External Web access -> service 'test' is not a valid reference

/Edit:

Hi,

I think I solved the problem.

I noted a problem while creating new tunnel interfaces, those interfaces where grey while pre update created interfaces where green.

I then noted that only the new interfaces had vsys1 next to them.

So I activated the virtual system feature on the devices. After this I had the reassign security zones and vsys to all interfaces.

I also had to maunally remove global protect entries from the config xml as I could not get the error message away via the web gui.