Export via API not allowing Security Profile Groups to be deleted in Pano

L3 Networker

I am using Expedition 1.1.80 to make bulk changes to Security Profile Groups that are used on rules. Once the changes are made, I am using the API Output Manager to push the changes back to Panorama. Once this is done and I am sure the old security profile groups are no longer used, I delete them. This works just fine most of the time, but there are times when I choose to delete the groups and Pano comes back and tells me the groups are still used in rules. When I check the rules, they are indeed using the NEW groups, not the old groups. The way to fix this is to just open the rules and save them again, and the problem goes away. The problem with this approach is that sometimes we are talking about 50 rules this needs to be done on, and that defeats the whole point of automation using Expedition.

Any thoughts on what might be causing this and how to fix it?

L4 Transporter

@aporue This might be related to the PAN-OS API. The workaround is that you can save the candidate config from Panorama and load the candidate file back again; then you should be able to commit to Panorama without errors.

L3 Networker

Thanks for the quick reply. I do want to make sure that you fully understand the issue. I am not having any problem committing to Panorama or when pushing to the firewalls after exporting the API output back to Panorama. The problem is that I am trying to delete security profile groups that are no longer used in the rules, but Panorama is claiming they are still being used. Currently, the only way to fix that is to open each rule that it is erroring on and save it.

Are you saying that saving the candidate config and reloading it will solve this issue?

Thanks.

L2 Linker

Yes, with exporting the candidate-config and a reimport of the same, the Panorama DB which holds the configuration is refreshed.

Please be informed that this issue you are running into is not an Expedition issue.
So we from the Expedition team can only give you advice on how you can use the workaround,
so that you can continue your work.

For further problem solving, please open a Palo Alto Networks TAC case related to the PAN-OS API.

regards

Sven
--------------------
Solutions Engineer - Expedition

L1 Bithead

Just an FYI that I was able to simply delete the security profile groups via the CLI and got no complaints from Panos so that fixed the issue.

L5 Sessionator

I would like to collect a bit of information about this issue. Could you share the PANOS version that got affected in this issue?

L1 Bithead

It is PANOS 9.07
