The MT retrieved APPs into a locked rule where service=any, and after reconciliation it substituted these APPs into the rule. This didn't happen to all rules, only 2 out of about 400 rules with service=any; one has action allow and the other has deny.
There is another issue: the MT log indicates that it edited a locked rule, as below.
After getting back to this rule, it is locked, the service was any from the beginning, and the action is deny.
There is also an idea: when a rule's action is deny and service=any, there is no need for the MT to do reconciliation on such rules by default.
There is another question: does performing lock on rules twice cause any issue? (When using different filters to lock rules, some may appear twice, and I usually select all the output and lock it.)
The "lock" function was added only to avoid changes in the zones when AutoZone is executed manually, to preserve the changes made in the security rules by the tool when it was loading the NATs for Cisco, Check Point, Fortinet, etc. As you may know, some of these vendors use the post-NAT IP address in the security rules for destination NATs, whereas Palo Alto needs the pre-NAT IP address, so when the tool loads the config it automatically calculates the right IP address and then the proper zone. After these changes the tool automatically "locks" those rules to prevent losing the changes when you execute the AutoZone function manually.
Hope it helps to clarify. What we can add is an enhancement of this feature to prevent any kind of change when the rule is locked?
Thanks for your reply. It would be great if the following could be achieved
Do you know that for the App-ID adoption you can retrieve apps only for the selected rules? Then the reconciliation will apply only to those rules... But we will improve the tool anyway... Thanks
Yes indeed, but when you have 2k+ rules, it's hard to manage it that way. You need to exclude some rules from reconciliation, then select all remaining rules. That could be accomplished using filtering after the last update. Hope you get my point.
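As an added illustration of the behaviour discussed in this thread (the destination-NAT rewrite that causes the tool to lock a rule, an idempotent lock, and a reconciliation step that honours locked rules and skips deny rules with service=any, as requested above), here is a small Python model. It is not the Migration Tool's own code; the `Rule` fields, the `DNAT` and `ZONES` tables and the sample rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    service: str         # "any" or a service object name
    destination: str     # as written in the source vendor's rule
    to_zone: str = ""
    apps: list = field(default_factory=lambda: ["any"])
    locked: bool = False

# Constructed sample data, not from the thread: destination NAT entries as
# post-NAT -> pre-NAT address, and a zone table keyed by prefix.
DNAT = {"10.1.1.10": "203.0.113.10"}
ZONES = {"10.0.0.0/8": "trust", "203.0.113.0/24": "untrust"}

def zone_for(ip):  # longest-prefix match of an address against ZONES
    addr, best = ipaddress.ip_address(ip), None
    for prefix, zone in ZONES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else "unknown"

def fix_dnat_and_lock(rules):
    """Rewrite post-NAT destinations to the pre-NAT address PAN-OS evaluates,
    recompute the zone, and lock the rule so a manual AutoZone run keeps it."""
    for r in rules:
        if r.destination in DNAT:
            r.destination = DNAT[r.destination]
            r.to_zone = zone_for(r.destination)
            r.locked = True

def lock(rules, names):
    """Lock by name; re-locking an already-locked rule is a no-op."""
    for r in rules:
        if r.name in set(names):
            r.locked = True

def reconcile_apps(rules, learned):
    """Substitute learned App-IDs into service=any rules, skipping locked
    rules and deny rules as proposed above. Returns the names changed."""
    changed = []
    for r in rules:
        if r.locked or r.action == "deny" or r.service != "any":
            continue
        if learned.get(r.name):
            r.apps = sorted(learned[r.name])
            changed.append(r.name)
    return changed
```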