Ansible created rules getting "hip-profiles is a duplicate node" when modified through GUI.


L1 Bithead

Panorama is on version 10.0.1 and device is on version 9.1.x.  

 

I am able to create rules in Panorama and the rules are pushed to the device.  Everything looks fine at this point.

When I modify the rules through the GUI, like adding a group tag, etc., Panorama doesn't complain, but pushing to the device always fails with "hip-profiles is a duplicate node".  There is no HIP defined and all the rules have 'any' as 'HIP Profile'.

Version differences might be what's going on here, but I would like to know what the Ansible scripts are doing to cause this issue and find a way to avoid this.

Has anyone had similar experience with this?

 

thanks.

1 accepted solution

Accepted Solutions

L0 Member

The issue is because of the "device / hip profile" option for policies introduced in 10?.

I just was not able to find this feature in the release notes... can s/o link it?

 

Panorama knows this new kind of filter:

[Image: davidbla_0-1616512607377.png]

But your firewall does not.
Even if you don't configure it but change something in the policy, Panorama will add a "hip-profiles any;" to the configuration.
And the device, which does not know about such a configuration option, somehow interprets this as "hip-profile is a duplicate node".
However it also reports back "rules is invalid".

I've no idea yet how to fix it. I have to overwrite new changes on the firewall directly because I am not able to push this template from Panorama.

You can easily prove it by using a configuration preview.

--edit

We were able to work around things. This issue seems to affect just cloned rules.

You can delete these lines from the Panorama CLI before committing to the firewalls.


5 REPLIES 5


thank you, solution verified. 

thanks, solution verified. 

added the WO - just to be precise:

 

 

configure
delete device-group <device group> pre-rulebase security rules "<rule name>" source-hip
delete device-group <device group> pre-rulebase security rules "<rule name>" destination-hip

 

For me it was:

 

delete device-group <device group> pre-rulebase security rules "<rule name>" hip-profiles
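
One way to find affected rules before a push, added here as an example and not part of the original thread or any Palo Alto tooling: it scans an exported Panorama configuration for the three node names used in the delete commands above and renders the matching delete lines. The XML element layout and the sample device group and rule names are assumptions constructed for illustration; only nodes whose sole member is "any" are flagged, so rules with a real HIP profile are left alone.

```python
import xml.etree.ElementTree as ET

# Node names taken from the delete commands posted in the thread.
HIP_NODES = ("hip-profiles", "source-hip", "destination-hip")

# Constructed sample input. The element layout is an assumption about how
# the exported Panorama configuration is structured; names are made up.
SAMPLE_CONFIG = """\
<config><devices><entry name="localhost.localdomain"><device-group>
  <entry name="DG-Branch"><pre-rulebase><security><rules>
    <entry name="allow-web">
      <hip-profiles><member>any</member></hip-profiles>
    </entry>
    <entry name="allow-dns clone">
      <source-hip><member>any</member></source-hip>
      <destination-hip><member>any</member></destination-hip>
    </entry>
    <entry name="vpn-users">
      <hip-profiles><member>corp-laptop</member></hip-profiles>
    </entry>
    <entry name="deny-all"><action>deny</action></entry>
  </rules></security></pre-rulebase></entry>
</device-group></entry></devices></config>
"""

def find_default_hip_nodes(config_xml):
    """Return (device_group, rule, node) for each HIP node that is only 'any'."""
    root = ET.fromstring(config_xml)
    hits = []
    for dg in root.iterfind("./devices/entry/device-group/entry"):
        for rule in dg.iterfind("./pre-rulebase/security/rules/entry"):
            for node in HIP_NODES:
                el = rule.find(node)
                # Skip rules that reference a real HIP profile.
                if el is not None and [m.text for m in el.findall("member")] == ["any"]:
                    hits.append((dg.get("name"), rule.get("name"), node))
    return hits

def delete_commands(hits):
    """Render configure-mode delete commands in the form posted in the thread."""
    return [f'delete device-group {dg} pre-rulebase security rules "{rule}" {node}'
            for dg, rule, node in hits]

if __name__ == "__main__":
    print("configure")
    for cmd in delete_commands(find_default_hip_nodes(SAMPLE_CONFIG)):
        print(cmd)
```
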