https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374056#M89011 <P>Hello all,</P><P>&nbsp;</P><P>i have problems with the security policy push.</P><P>When i try to push them the commits fails with :</P><P>&nbsp;</P><UL><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>Validation Error:</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>rulebase -&gt; security -&gt; rules -&gt; ms-ad -&gt; destination 'offices-subnet' is not an allowed keyword</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>rulebase -&gt; security -&gt; rules -&gt; ms-ad -&gt; destination offices-subnet is an invalid ipv4/v6 address</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>rulebase -&gt; security -&gt; rules -&gt; ms-ad -&gt; destination offices-subnet invalid range start IP</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>rulebase -&gt; security -&gt; rules -&gt; ms-ad -&gt; destination 'offices-subnet' is not a valid reference</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>rulebase -&gt; security -&gt; rules -&gt; ms-ad -&gt; destination is invalid</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>vsys1</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>Error: Failed to find address 'offices-subnet'</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>Error: Unknown address 'offices-subnet'</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>Error: Failed to parse security policy</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>(Module: device)</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>Commit failed</LI></UL><P>it happens with all shared addresses and address-groups. when i remove them, i mean when i push the polices without source/destination address configured, the commit is completed.</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 13 Dec 2020 16:43:07 GMT stef 2020-12-13T16:43:07Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374056#M89011 <P>Hello all,</P><P>&nbsp;</P><P>i have problems with the security policy push.</P><P>When i try to push them the commits fails with :</P><P>&nbsp;</P><UL><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>Validation Error:</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>rulebase -&gt; security -&gt; rules -&gt; ms-ad -&gt; destination 'offices-subnet' is not an allowed keyword</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>rulebase -&gt; security -&gt; rules -&gt; ms-ad -&gt; destination offices-subnet is an invalid ipv4/v6 address</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>rulebase -&gt; security -&gt; rules -&gt; ms-ad -&gt; destination offices-subnet invalid range start IP</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>rulebase -&gt; security -&gt; rules -&gt; ms-ad -&gt; destination 'offices-subnet' is not a valid reference</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>rulebase -&gt; security -&gt; rules -&gt; ms-ad -&gt; destination is invalid</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>vsys1</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>Error: Failed to find address 'offices-subnet'</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>Error: Unknown address 'offices-subnet'</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>Error: Failed to parse security policy</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>(Module: device)</LI><LI><STRONG>.<SPAN>&nbsp;</SPAN></STRONG>Commit failed</LI></UL><P>it happens with all shared addresses and address-groups. when i remove them, i mean when i push the polices without source/destination address configured, the commit is completed.</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 13 Dec 2020 16:43:07 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374056#M89011 stef 2020-12-13T16:43:07Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374069#M89012 <P>Hi,</P><P>&nbsp;</P><P>As per below logs I can assume that IP address /subnets were not properly defined or binded or might be wrong IPs</P><P>&nbsp;</P><P>Best Regards,</P><P>Suresh</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 13 Dec 2020 18:39:49 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374069#M89012 SureshReddyM 2020-12-13T18:39:49Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374070#M89013 <P>if it was just one address ok , but there is 1000+ records.&nbsp;</P><P>They used to worked before.&nbsp;&nbsp;</P> Sun, 13 Dec 2020 19:01:49 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374070#M89013 stef 2020-12-13T19:01:49Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374072#M89014 <P>Did it all of a sudden stop working or is this a new implementation or upgrade?</P><P>&nbsp;</P><P>One thing to look for is that on the local firewall Panorama is allowed to push Objects:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BeardedTree_0-1607889655009.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29117i9BC78338D5C17C05/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="BeardedTree_0-1607889655009.png" alt="BeardedTree_0-1607889655009.png" /></span></P><P>As you're stating a blank push of a firewall policy without objects is working I believe this is enabled.</P><P>Make sure the Object or Object-Group you're trying to push out isn't bound to a certain firewall but is in the "Shared" object space or Object specifically for that FW.</P><P>If the item is a group containing more IP's, FQDN's or Objects it never hurts to check if the actually sub-objects for errors.</P> Sun, 13 Dec 2020 20:06:42 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374072#M89014 Retired Member 2020-12-13T20:06:42Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374073#M89015 <P>They are all shared.</P><P>If i create new shared one and push it it is work .&nbsp;</P> Sun, 13 Dec 2020 20:44:28 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374073#M89015 stef 2020-12-13T20:44:28Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374108#M89019 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/156321">@stef</a>,</P> <P>Is the offices-subnet the only object that you are having an issue with, or is it all of your address and address-group objects? It's not entirely clear from your earlier posts, but I'm assuming that this object is an address-group made up of a bunch of different address objects representative of all of your individual offices. When the commits started to fail, have you logged at the system logs and verified that nobody added in a new range that invalidated the entry? The error in your first post would indicate that someone simply fat fingered an IP address.&nbsp;</P> Mon, 14 Dec 2020 05:05:22 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374108#M89019 BPry 2020-12-14T05:05:22Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374112#M89022 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>this is only the example. It is address not address set .&nbsp; But the problem is with all other addresses and address-groups to</P><P>For example if i remove "<SPAN>offices-subnet" witch is configured as&nbsp; source subnet the error appear for the destination one witch is different&nbsp;and when i remove the destination one the error appear for the source&nbsp;object of the next policy, and so on and so on.</SPAN></P><P>If i create new address-group or address and populate it in the policy there is no problem.&nbsp;</P> Mon, 14 Dec 2020 05:49:31 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374112#M89022 stef 2020-12-14T05:49:31Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374299#M89036 <P>How were the object created initially? The way you're explaining it sounds to me like an import gone wrong where the firewall/Panorama did load the Object but something is "off" with the way it's in the running XML.</P> Mon, 14 Dec 2020 20:04:03 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374299#M89036 Retired Member 2020-12-14T20:04:03Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374300#M89037 <P>Another quick thought would be a Panorama running a newer version and using features that are not supported on the firewall you're pushing it to.</P> Mon, 14 Dec 2020 20:06:26 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374300#M89037 Retired Member 2020-12-14T20:06:26Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374301#M89038 <P>I import them via cli.</P><P>They used to work</P> Mon, 14 Dec 2020 21:38:48 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/374301#M89038 stef 2020-12-14T21:38:48Z https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/375770#M89215 <P>Hello,</P><P>&nbsp;</P><P>updating panorama to 9.1.6 and Restart configd daemon fixed the issue .</P><P>Thank you all</P> Tue, 22 Dec 2020 08:53:30 GMT https://live.paloaltonetworks.com/t5/general-topics/problem-with-panorama-pushed-updates/m-p/375770#M89215 stef 2020-12-22T08:53:30Z