This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Commit Error After Upgrading to 10.0.9

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Commit Error After Upgrading to 10.0.9

SubaMuthuram
L4 Transporter

‎03-07-2022 07:27 AM

Hi Team,

 

Getting below commit validation error after upgrading to PAN-OS 10.0.9. 

 

  • Validation Error:
  • rulebase -> security -> rules -> QUIC_Deny -> hip-profiles unexpected here.

SubaMuthuram_0-1646666519113.png

 

 

Snow
16 people had this problem.
44 REPLIES 44

reaper
Cyber Elite
Cyber Elite

‎03-10-2022 01:20 AM

you should be able to solve this by opening the rule in GUI, and clicking OK

 

If you're a little more adventurous you can go into CLI to see what is configured, and delete the set command that is causing the issue

admin@PANgurus(active)> set cli config-output-format set
admin@PANgurus(active)> configure 
Entering configuration mode
[edit]                                                                                                                                                                                                      
admin@PANgurus(active)# show rulebase security | match hip-profile

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

SubaMuthuram
L4 Transporter
In response to reaper

‎03-10-2022 09:39 AM

Hi Reaper,

 

Kindly help me how to delete set command ?

 

Snow
0 Likes Likes

dtran
L4 Transporter

‎03-10-2022 11:43 AM

I am also running into the same issue after upgrading from 9.1.12 to 10.0.9.  Open a S1 ticket with PAN support, called in and still waiting on the phone.

SubaMuthuram
L4 Transporter
In response to dtran

‎03-10-2022 05:25 PM

Hi Dtran,

Thanks, please update us if you are getting any resolution for the same. 

Snow
0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎03-10-2022 05:36 PM - edited ‎03-14-2022 01:34 PM

Hi @SubaMuthuram ,

 

It looks like if you remove the HIP profiles from those security policy rules, the commit will succeed.  You can do that via GUI or CLI.  If you do it by CLI as @reaper suggested, replace the word "set" with "delete" in the command and paste it on the CLI.  You can type "commit" on the CLI when done.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

SubaMuthuram
L4 Transporter
In response to TomYoung

‎03-10-2022 05:52 PM

HI Tom,

 

actually there is no HIP-Profile attached in the security policy. Please refer the below, 

 

SubaMuthuram_0-1646963387169.png

 

If I just click ok in this policy without changing anything, I am getting below error,

 

SubaMuthuram_1-1646963498679.png

Snow
0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎03-10-2022 05:56 PM

Hi @SubaMuthuram ,

 

There may be config lines in the CLI that does not show up in the GUI.  Sometimes the upgrade does not convert the config correctly.  You can follow @reaper steps to verify.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

SubaMuthuram
L4 Transporter
In response to TomYoung

‎03-10-2022 06:01 PM

Hi Tom,

 

Still the same,

 

SubaMuthuram_0-1646964051412.png

 

Not even committing it, Just gave the set command. 

Snow
0 Likes Likes

SubaMuthuram
L4 Transporter
In response to dtran

‎03-11-2022 05:10 AM

Hi Dtran,

 

Did you get any resolution for this ?

 

Snow
0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite
In response to SubaMuthuram

‎03-14-2022 01:32 PM - edited ‎03-14-2022 01:36 PM

Hi @SubaMuthuram ,

 

You're so close!  Please follow @reaper steps to delete the hip-profile commands and your commit should work.  Type in the show command as he specified.  Copy the set commands that follow to a clipboard.  Replace the 1st "set" with "delete" and paste into the CLI.  Type "commit".

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

dtran
L4 Transporter

‎03-14-2022 02:57 PM

I am still waiting for TAC support.  PaloAlto support is so bad now that I am actually regretting going with PAN

SubaMuthuram
L4 Transporter
In response to dtran

‎03-17-2022 09:19 PM

Hi @dtran ,

 

Any update from the TAC team?, Have you got the resolution ?

Snow
0 Likes Likes

SubaMuthuram
L4 Transporter

‎03-31-2022 02:18 AM

Hi Team,

 

Has anyone have found any resolution for this. 

 

Snow
0 Likes Likes

mprintz
L2 Linker

‎03-31-2022 11:18 AM - edited ‎03-31-2022 11:52 AM

I'm having the same issue after upgrading to 10.1.5 (from 10.1.4-h4).  I tried the steps that @reaper posted, but I get an error in the CLI when trying to delete.  Guess I'll revert back to 10.1.4-h4 until this is resolved.

user@FW_1(active)# delete rulebase security rules "Allow XYZ" hip-profiles any

Invalid syntax.

***Quick update - the downgrade to 10.1.4-h4 fixed the issue and I was able to commit again without removing the hip-profiles from security rules in the CLI.

 

Matt

  • 25707 Views
  • 44 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks