Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
09-18-2020 12:08 PM
I am using Expedition 1.1.80 to make bulk changes to Security Profile Groups that are used on rules. Once the changes are made I am using the API Output Manager to push the changes back to Panorama. Once this is done and I am sure the old security profile groups are no longer used I delete them. This works just fine most of the time but there are times where when I choose to delete the groups Pano comes back and tells me the groups are still used in rules. When I check the rules they are indeed using the NEW groups, not the old groups. The way to fix this is to just open the rules and save them again and the problem goes away. The problem with this approach is sometimes we are talking about 50 rules this needs to be done on and that defeats the whole point of automation using Expedition.
Any thoughts on what might be causing this and how to fix it?
09-18-2020 01:25 PM
@aporue This might be related to PAN-OS API, the workaround is you can save the candidate config from Panorama and load the candidate file back again, then you should be able to commit to panorama without errors.
09-20-2020 01:39 PM
Thanks for the quick reply. I do want to make sure that you fully understand the issue. I am not having any problem committing to Panorama or when pushing to the firewalls after exporting the API output back to Panorama. The problem is that I am trying to delete security profile groups that are no longer used in the rules but Panorama is claiming they are still being used. Currently, the only way to fix that is to open each rule that is erroring on and save it.
Are you saying that saving the candidate config and reloading it will solve this issue?
Thanks.
09-20-2020 11:50 PM
yes, with exporting the candiate-config and a reimport of the same, the Panorama DB which hold the configuration is refreshed.
Please be informed that this issue you are running into, is not an Expedition issue.
So we from Expedition team can only give you advise how you can use the work around,
so that you can continue your work.
For more problem solving part please open a Palo Alto Networks Tac case related to PAN-OS API.
regards
Sven
--------------------
Solutions Engineer - Expedition
09-23-2020 01:38 PM
Just an FYI that I was able to simply delete the security profile groups via the CLI and got no complaints from Panos so that fixed the issue.
09-24-2020 02:41 AM
I would like to collect a bit of information about this issue. Could you share thePANOS version that got affected in this issue?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
