Commit error After PANOS10.1.10 upgrade

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Commit error After PANOS10.1.10 upgrade

L2 Linker

After upgrading from PANOS 10.1.8-h2 to 10.1.10 we start getting the following commit error.

  • profiles -> spyware -> sink-alert -> botnet-domains -> dns-security-categories is invalid. Missing pre-defined DNS security category

Any idea to correct this error?

10 REPLIES 10

Community Team Member

Hi @Lance ,

 

There's a bug in 10.1.10 for this error.

 

I'd recommend reaching out to support to confirm if you're hitting the exact bug and get updates on its fix release or go to PAN-OS 10.1.9-h3 which is the preferred release at the moment of this writing:

 

https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-...

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L0 Member

we had a similar issue and we went into the anti-spyware profile to the dns exceptions tab, checked the check boxes at the bottom for the dns signature excpetions, clicked ok and commit and push.

 

L2 Linker

cordial Greetings

Team

The error you mention, in my case, was solved by updating the content, specifically the apps and Threats update.

L0 Member

There is a bug, with a work-around.  Check out this -->  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kIDfCAM

Dear Kiwi,

I tried the workaround and all other mentioned solutions here by changing parameters back and forth, but unfortunately i cant solve this warning.

-) changing the action like mentioned in Commit warning "dns-security-categories is invalid. Missing pre-defined DNS security category" (palo...did not help.

-) changing the sinkhole address

-) enabling /disabling a dns exception

-) adding / removing a FQDN exception

 

This customer is currently on 10.1.10, due to other limitations we are waiting for 10.2.6-hx / 10.2.7 before upgrading but i cannot find any known or addressed issue in 10.1.10 / 10.1.10-h1 / 10.1.10-h2 or 10.1.11 - like you mentioned its a known bug in 10.1.10, do you have the bug id?

Thanks,

You need the latest content updates for threats and applications and need to click through the tabs of each custom spyware profile and click on OK afterwards (not cancel), you dont even need to change anything. after that you commit and it should work fine.

I found the cause for the Error now: Its a Panorama environment and the Firewalls are renewing the content updates every day via shedule, but in the Panorama itself the content update was not up-to-date. I updated it on panorama and went trough all Tabs in alle AS-Profiles and commited and pushed to the Devices and now its gone.

So it was missing the content update in Panorama not on the Firewalls.

Thank you!

L0 Member

Adrian,

Thank you for your update.  You saved me a PA TAC call 🙂

Clicking every tab and using OK vs Cancel, then commit is a requirement for this to work.

Nice Tim! Great to know that my findings could help someone.

 

Thank you. Going through the listed Anti-Spyware profile tabs and clicking "OK" did it for me. 

  • 8810 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!