Commit Error After Upgrading to 10.0.9

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Commit Error After Upgrading to 10.0.9

L4 Transporter

Hi Team,

 

Getting below commit validation error after upgrading to PAN-OS 10.0.9. 

 

  • Validation Error:
  • rulebase -> security -> rules -> QUIC_Deny -> hip-profiles unexpected here.

SubaMuthuram_0-1646666519113.png

 

 

Snow
44 REPLIES 44

Yes, in my case most of the rules were also generated using the BPA+ tool, but one of them don't. So maybe it's not just the tool causing this.

L0 Member

1) Save named configuration snapshot

2) Export named configuration snapshot

3) Open saved file in editor and remove

<hip-profiles>
                   <member>any</member>
</hip-profiles>
from authentication rules

4) rename saved file to new name

5) Import named configuration snapshot

6) load config partial mode replace from-xpath devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/authentication/rules to-xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/authentication/rules from your_imported_configuration_snapshot.xml
7) validate and commit

 

L0 Member

We just entered the same issue after upgrading our panorama to 10.1.5h5, it's code issue where hip-profiles are changed to be source-hip, we have more than 2k rules impacted manual rule clone doesn't fit for us, so the quickest solution is to load your saved sanpshot:

Step 9 from below link:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-panorama/install-content-and-so...

L0 Member

L3 Networker

Heya

We've gotten the following workaround to fix our issue with 10.1.5h1 on Panorama.

> Panorama will need to perform a commit fix and apply some transforms using the transform script.

Resolution:
> Run the following CLI commands to resolve the validation error, 'hip-profiles expected here'.

>configure
#load config from running-config.xml 
#commit force
<<

 

This workaround is by far better then the copy replace in notepad workaround for all the wrong rules.

Anyhow, even though the fix is quick and simple. One would wish Palo documentation would be update and well documented for this. Also a hotfix for the hotfix would be appreciated.

 

Best regards

Alex

There's no home like 127.0.0.1

Could not change the settings via CLI, I get syntex Error.

So I exportet the XML and removed all

" <hip-profiles>
<member>any</member>
</hip-profiles> "

and loadet it and commit worked.

 

Hi Ederg

 

that work's for me too,

thx

Yordan

L0 Member

I have same issue in Authentication rule too. I solved with export config and edit the notepad++ and remove the the following lines

in rules :

<hip-profiles>
<member>any</member>
</hip-profiles>

...

<source-hip>
<member>any</member>
</source-hip>
<destination-hip>
<member>any</member>
</destination-hip>

and then saved edited xml files and import + load operation and works for me .

 

Thank You.

This solution to: " #load config from running-config.xml   and then to do a #commit force"  , was the only thing that worked for me.

 

@AlexNC   Thank you very much for saving my bacon !!

L1 Bithead

So export/import/load/find/replace aside, if you want to fix the issue right then and there in-place:

 

1. It is a leftover of pre-upgrade configuration which makes commit fail, as the new PAN-OS does not recognise it

2. It is not visible in the GUI, so cannot be removed

3. It cannot be removed with a "delete" command on CLI, because the CLI validation engine does not recognize it and you will get 'invalid syntax'

4. This is a funny debacle on PANW end, sure

5. So what you can do is this. Remove the whole auth policy and re-enter it without the hip-profile element. This can be done manually using GUI or in a more proper way by using the cli and the set format.

 

 

L0 Member

Our Panorama ran into this issue on a device group with 5,000 security policies. I am running 10.1.5 h2 and I resolved this with Expedition by importing and using the API to push just the security rules back to the device group.

L1 Bithead

We've upgraded to 10.1.6 h3 and issue is still there. Common Palo. What the hell? 

L1 Bithead

Spent some time on a call with TAC. It is known issue. The way we got around it is to load the last known "good" configuration (pre upgrade). We have this issues with Panorama and loading "panorama configuration version" and then committing did the trick. TAC uses this as a work around.

L4 Transporter

We faced similar issues again after upgrading Panorama to 10.2.2. If the issue is for Panorama, then before working on editing the configuration file, please try restarting the management service on Panorama. It solved issues for us when Panorama could not push config to the firewalls (Panorama version 10.2.2, Firewalls version 10.1.5)

L4 Transporter

I had this problem last night going from 9.1.x to 10.1.x.  My problem was that all except one of the errors was happening locally and one was happening from Panorama.

This fixed the local ones:

>configure
#load config from running-config.xml
#commit force

 

Going to the rule that was having an issue from Pano and giggling the handle (changing something small - like a tag - on the rule) fixed that one.

 

 

  • 21493 Views
  • 44 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!