Cannot create custom region


L2 Linker

Running 10.1.6-h3 and in Panorama I go to objects, regions and click add but it won't let me add an IP Address.  We only allow US traffic using a deny policy for anything other than the US and I have a need to add a single IP address in another country without allowing the whole country. 

 

I have two other custom regions but even editing those I can't see or edit the IP Address area. 

 

Anyone else not able to add a custom region?

5 REPLIES

Cyber Elite

On 10.1.6-h3 I'm able to create custom regions, but I need to click 'create' explicitly and then I need to manually delete 'None' before I can enter an IP.

 


Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L2 Linker

I don't get the "None" IP address and cannot add one.

@KurtHinson - Did you find any fix for this? I also cannot add or delete IPs from custom regions (or even view the existing entries, though they do show up in the overall region list).

Community Team Member

Hi @Adrian_Jensen,

 

Which version are you running?

For reaper it seems to be working fine in 10.1.6-h3.

I'm testing it on 11.1.6 and it's working as well.

@KurtHinson, I don't get the "OK" to appear until I click "Create ****" first and then click outside the window. Only then does the OK button appear, and the custom object appears in my Region list once I click OK.


 

Once I click OK they end up in my Regions list:

[Screenshot]

 

Hope this helps,

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi

L6 Presenter

Hello @kiwi 

I am running 10.2.9-h21 across my firewalls. 3 of them had this problem (1 stand-alone, 1 HA pair) with not being able to view/add/delete IP address entries from an existing custom region object. I could add a new region object, but not add IP addresses to those either. When trying to add/delete you would just get a red box around the address field. The stand-alone was fixed after a reboot due to a major failure (more on that in a minute); the HA pair seems to have fixed itself after generating a tech support file. Unfortunately, I don't have screenshots from the time, but this is what it looked like:

[Screenshot]

Trying to add an entry to an existing object (or new object):

[Screenshot]

 

Based on some KBs and previous threads discussing errors with duplicate custom/default region names causing commit and edit problems, I ran a "debug device-server reset id-manager type vsys-region" and "debug device-server reset id-manager type all" on my standalone firewall, to try to reset the custom region object list. This caused all traffic matching the "CDN" custom region to start being denied in the matching allow Security rule. I deleted the CDN object and all Security rule references, which caused traffic to show as allowed again in the appropriate rules, but my VPN end users still couldn't access internal/external resources. Traffic logs showed the traffic flowing in both directions, but it appeared the firewall wasn't actually forwarding return traffic back to the end user.

 

I was forced to reboot the firewall, at which point everything started working normally and I could add/delete entries from custom regions again in the stand-alone firewall. I opened a ticket with PA support. In prep for discussing with support, I also generated a TSF on both my HA firewalls. Afterwards I found I could edit custom region entries again. I hadn't made any changes on the HA up to that point, so it appears the TSF generation somehow fixed the HA system. I have since successfully added entries on the HA.

 

This "unable to edit region entries" problem is very similar to a known issue with Panorama that was fixed in an earlier PAN-OS release. I haven't been able to find a release note for anything else similar. PA support says the id-manager reset should have been harmless and is what they would have suggested; they are still researching known issues.
