Commit Error After Upgrading to 10.0.9

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Commit Error After Upgrading to 10.0.9

L4 Transporter

Hi Team,

 

Getting below commit validation error after upgrading to PAN-OS 10.0.9. 

 

  • Validation Error:
  • rulebase -> security -> rules -> QUIC_Deny -> hip-profiles unexpected here.

SubaMuthuram_0-1646666519113.png

 

 

Snow
44 REPLIES 44

Cyber Elite
Cyber Elite

you should be able to solve this by opening the rule in GUI, and clicking OK

 

If you're a little more adventurous you can go into CLI to see what is configured, and delete the set command that is causing the issue

admin@PANgurus(active)> set cli config-output-format set
admin@PANgurus(active)> configure 
Entering configuration mode
[edit]                                                                                                                                                                                                      
admin@PANgurus(active)# show rulebase security | match hip-profile

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi Reaper,

 

Kindly help me how to delete set command ?

 

Snow

L4 Transporter

I am also running into the same issue after upgrading from 9.1.12 to 10.0.9.  Open a S1 ticket with PAN support, called in and still waiting on the phone.

Hi Dtran,

Thanks, please update us if you are getting any resolution for the same. 

Snow

Cyber Elite
Cyber Elite

Hi @SubaMuthuram ,

 

It looks like if you remove the HIP profiles from those security policy rules, the commit will succeed.  You can do that via GUI or CLI.  If you do it by CLI as @reaper suggested, replace the word "set" with "delete" in the command and paste it on the CLI.  You can type "commit" on the CLI when done.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

HI Tom,

 

actually there is no HIP-Profile attached in the security policy. Please refer the below, 

 

SubaMuthuram_0-1646963387169.png

 

If I just click ok in this policy without changing anything, I am getting below error,

 

SubaMuthuram_1-1646963498679.png

Snow

Cyber Elite
Cyber Elite

Hi @SubaMuthuram ,

 

There may be config lines in the CLI that does not show up in the GUI.  Sometimes the upgrade does not convert the config correctly.  You can follow @reaper steps to verify.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi Tom,

 

Still the same,

 

SubaMuthuram_0-1646964051412.png

 

Not even committing it, Just gave the set command. 

Snow

Hi Dtran,

 

Did you get any resolution for this ?

 

Snow

Hi @SubaMuthuram ,

 

You're so close!  Please follow @reaper steps to delete the hip-profile commands and your commit should work.  Type in the show command as he specified.  Copy the set commands that follow to a clipboard.  Replace the 1st "set" with "delete" and paste into the CLI.  Type "commit".

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L4 Transporter

I am still waiting for TAC support.  PaloAlto support is so bad now that I am actually regretting going with PAN

Hi @dtran ,

 

Any update from the TAC team?, Have you got the resolution ?

Snow

L4 Transporter

Hi Team,

 

Has anyone have found any resolution for this. 

 

Snow

L2 Linker

I'm having the same issue after upgrading to 10.1.5 (from 10.1.4-h4).  I tried the steps that @reaper posted, but I get an error in the CLI when trying to delete.  Guess I'll revert back to 10.1.4-h4 until this is resolved.

user@FW_1(active)# delete rulebase security rules "Allow XYZ" hip-profiles any

Invalid syntax.

***Quick update - the downgrade to 10.1.4-h4 fixed the issue and I was able to commit again without removing the hip-profiles from security rules in the CLI.

 

Matt

  • 26152 Views
  • 44 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!