Export via API not allowing Security Profile Groups to be deleted in Pano

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Export via API not allowing Security Profile Groups to be deleted in Pano

L3 Networker

I am using Expedition 1.1.80 to make bulk changes to Security Profile Groups that are used on rules. Once the changes are made I am using the API Output Manager to push the changes back to Panorama. Once this is done and I am sure the old security profile groups are no longer used I delete them. This works just fine most of the time but there are times where when I choose to delete the groups Pano comes back and tells me the groups are still used in rules. When I check the rules they are indeed using the NEW groups, not the old groups. The way to fix this is to just open the rules and save them again and the problem goes away. The problem with this approach is sometimes we are talking about 50 rules this needs to be done on and that defeats the whole point of automation using Expedition.


Any thoughts on what might be causing this and how to fix it?


L6 Presenter

@aporue This might be related to PAN-OS API, the workaround is you can save the candidate config from Panorama and load the candidate file back again, then you should be able to commit to panorama without errors. 

Thanks for the quick reply. I do want to make sure that you fully understand the issue. I am not having any problem committing to Panorama or when pushing to the firewalls after exporting the API output back to Panorama. The problem is that I am trying to delete security profile groups that are no longer used in the rules but Panorama is claiming they are still being used. Currently, the only way to fix that is to open each rule that is erroring on and save it.


Are you saying that saving the candidate config and reloading it will solve this issue?



yes, with exporting the candiate-config and a reimport of the same, the Panorama DB which hold the configuration is refreshed.

Please be informed that this issue you are running into, is not an Expedition issue.
So we from Expedition team can only give you advise how you can use the work around,
so that you can continue your work.

For more problem solving part please open a Palo Alto Networks Tac case related to PAN-OS API.


Solutions Engineer - Expedition

Just an FYI that I was able to simply delete the security profile groups via the CLI and got no complaints from Panos so that fixed the issue.

I would like to collect a bit of information about this issue. Could you share thePANOS version that got affected in this issue?

It is PANOS 9.07

  • 6 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!