https://live.paloaltonetworks.com/t5/general-topics/panorama-commit-and-push-to-firewall-fails-with-error/m-p/324961#M82912 <P><SPAN>For the last few days, we have been trying to import firewalls into Panorama and have not been successful at it.</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Panorama firmware is&nbsp;</SPAN><SPAN>9.0.7</SPAN></P><P><SPAN>Palo Alto firmware: 8.1.13</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Description of issue: During the importing process, I was able to extract the configs from PA firewall onto the Panorama. However, when I tried to commit the configs back to PA firewall from Panorama. The commit would fail, and the reason for the failure is because there’s missing IP addresses in ‘Objects’.</SPAN></P><P>&nbsp;</P><P><SPAN>Following is the commit error</SPAN></P><P>&nbsp;</P><P><SPAN>rulebase -&gt; nat -&gt; rules -&gt; AESG-DNAT-P157-2 -&gt; destination 'Host_13.55.26.51-32' is not an allowed keyword</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; rulebase -&gt; nat -&gt; rules -&gt; AESG-DNAT-P157-2 -&gt; destination Host_13.55.26.51-32 is an invalid ipv4/v6 address</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; rulebase -&gt; nat -&gt; rules -&gt; AESG-DNAT-P157-2 -&gt; destination Host_13.55.26.51-32 invalid range start IP</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; rulebase -&gt; nat -&gt; rules -&gt; AESG-DNAT-P157-2 -&gt; destination 'Host_13.55.26.51-32' is not a valid reference</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; rulebase -&gt; nat -&gt; rules -&gt; AESG-DNAT-P157-2 -&gt; destination is invalid</SPAN></P><P>&nbsp;</P><P><SPAN>Error: Failed to find address 'Host_13.55.26.51-32'</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; Error: Unknown address 'Host_13.55.26.51-32'</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; Error: Failed to parse nat policy</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; (Module: device)</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; Config 'AGENT-CONFIG':</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; GlobalProtect App Dynamic Configuration misses information for 'show-system-tray-notifications'.</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; (Module: sslvpn)</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; Commit failed</SPAN></P><P>&nbsp;</P><P><SPAN>it seems like the problem is with the missing objects during the importing process. As an example, the total amount of addresses on the firewall is 490. However, we can only see 460 after the configs have been copied over from Panorama to the firewall.</SPAN></P><P>&nbsp;</P><P><SPAN>We have also tried adding&nbsp;&nbsp;Host_13.55.26.51-32' manually to panorama as a shared object but still cannot commit&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>we did upgrade our Panorama firmware recently from 9.0.4 --- &gt; 9.0.7. And our firewall firmware from 8.0.13 -&gt; 8.1.13</SPAN></P> Mon, 27 Apr 2020 03:48:34 GMT Jatin.Singh 2020-04-27T03:48:34Z https://live.paloaltonetworks.com/t5/general-topics/panorama-commit-and-push-to-firewall-fails-with-error/m-p/324961#M82912 <P><SPAN>For the last few days, we have been trying to import firewalls into Panorama and have not been successful at it.</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Panorama firmware is&nbsp;</SPAN><SPAN>9.0.7</SPAN></P><P><SPAN>Palo Alto firmware: 8.1.13</SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>Description of issue: During the importing process, I was able to extract the configs from PA firewall onto the Panorama. However, when I tried to commit the configs back to PA firewall from Panorama. The commit would fail, and the reason for the failure is because there’s missing IP addresses in ‘Objects’.</SPAN></P><P>&nbsp;</P><P><SPAN>Following is the commit error</SPAN></P><P>&nbsp;</P><P><SPAN>rulebase -&gt; nat -&gt; rules -&gt; AESG-DNAT-P157-2 -&gt; destination 'Host_13.55.26.51-32' is not an allowed keyword</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; rulebase -&gt; nat -&gt; rules -&gt; AESG-DNAT-P157-2 -&gt; destination Host_13.55.26.51-32 is an invalid ipv4/v6 address</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; rulebase -&gt; nat -&gt; rules -&gt; AESG-DNAT-P157-2 -&gt; destination Host_13.55.26.51-32 invalid range start IP</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; rulebase -&gt; nat -&gt; rules -&gt; AESG-DNAT-P157-2 -&gt; destination 'Host_13.55.26.51-32' is not a valid reference</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; rulebase -&gt; nat -&gt; rules -&gt; AESG-DNAT-P157-2 -&gt; destination is invalid</SPAN></P><P>&nbsp;</P><P><SPAN>Error: Failed to find address 'Host_13.55.26.51-32'</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; Error: Unknown address 'Host_13.55.26.51-32'</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; Error: Failed to parse nat policy</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; (Module: device)</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; Config 'AGENT-CONFIG':</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; GlobalProtect App Dynamic Configuration misses information for 'show-system-tray-notifications'.</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; (Module: sslvpn)</SPAN></P><P><SPAN>&nbsp;&nbsp;&nbsp; Commit failed</SPAN></P><P>&nbsp;</P><P><SPAN>it seems like the problem is with the missing objects during the importing process. As an example, the total amount of addresses on the firewall is 490. However, we can only see 460 after the configs have been copied over from Panorama to the firewall.</SPAN></P><P>&nbsp;</P><P><SPAN>We have also tried adding&nbsp;&nbsp;Host_13.55.26.51-32' manually to panorama as a shared object but still cannot commit&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>we did upgrade our Panorama firmware recently from 9.0.4 --- &gt; 9.0.7. And our firewall firmware from 8.0.13 -&gt; 8.1.13</SPAN></P> Mon, 27 Apr 2020 03:48:34 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-commit-and-push-to-firewall-fails-with-error/m-p/324961#M82912 Jatin.Singh 2020-04-27T03:48:34Z https://live.paloaltonetworks.com/t5/general-topics/panorama-commit-and-push-to-firewall-fails-with-error/m-p/325497#M83002 <P>Push the templates first, then push the policy</P><P>&nbsp;</P><P>(Also please don't put your subject in all caps, this is a professional forum <span class="lia-unicode-emoji" title=":winking_face:">😉</span> )</P> Thu, 30 Apr 2020 10:57:51 GMT https://live.paloaltonetworks.com/t5/general-topics/panorama-commit-and-push-to-firewall-fails-with-error/m-p/325497#M83002 reaper 2020-04-30T10:57:51Z