02-09-2018 04:09 AM
HI @jdprovine
they can live side by side
02-09-2018 05:50 AM
So I can rename my custom one and cause not issues, cause right now they are named exactly the same. I cannot see both like you can. I want to avoid having the same issue I am having now when someone created a custome BR, created a rule with it, deleted the rule , and deleted the custom BR and that is what caused my autocommit to fail
02-09-2018 07:36 AM
02-09-2018 07:44 AM
My plan is to give the custom region another name, reassign the rules that have it to the built in region, delete the custom region and the preform the CLI that will clean up the issue as preposed by TAC. FYI I was not the creator of the custom region, the downside of having more than one administrator LOL
02-12-2018 11:17 AM - edited 02-12-2018 12:25 PM
I changed the name of my custom region from US to US-Custom and commited the change - under objects/region.
In the CLI it went from this, then i changed a couple of my rules to US (United States) and the rule broke any ideas what went wrong? Why would changing of a custom regions name create another ID?
ID Name
---------- --------------------
1024 vsys1+BR
1025 vsys1+US
To this
ID Name
---------- --------------------
1024 vsys1+BR
1025 vsys1+US
1026 vsys1+US-Custom
Type: 36 Last id: 1027 Mismatch cnt: 0
02-12-2018 12:51 PM
If you go into configure mode and run 'Show Region' what actually shows up. Those would be your 'Custom' regions.
02-12-2018 12:56 PM
The name i changed it too -
old name US
new name US- Custom (this show when I go into configure mode and run show region
02-12-2018 12:57 PM
Then you should be perfectly fine and the new 'US' is simply the default entry getting put back into the configuration.
02-12-2018 01:02 PM - edited 02-12-2018 01:10 PM
So I should be able to add the built in use and it should work right? Isn't this say that there are now two custom regions with two different ID's?
1025 vsys1+US
1026 vsys1+US-Custom
According to this output when I changed the name of an existing custom region it created another ID for it in the ID manager
02-12-2018 01:06 PM
I guess I'm lost on what command you are running to even get that? If the 'show region' command only shows the US-Custom entry then the US is not a custom region.
02-12-2018 01:09 PM - edited 02-12-2018 01:13 PM
This was the command that TAC had been run to get the following results of what is in the ID manager
debug device-server dump idmgr type vsys-region all
ID Name
---------- --------------------
1024 vsys1+BR
1025 vsys1+US
1026 vsys1+US-Custom
Type: 36 Last id: 1027 Mismatch cnt: 0
According to this output when I changed the name of an existing custom region it created another ID for it in the ID manager
02-12-2018 01:24 PM
Okay that makes more sense. It has to do with the way idmgr functions until you restart the device. Since 'US' effectively adds itself back in when you changed the entry idmgr doesn't see it the same as it would if you restart the device all-together. Once the device is restarted and the autocommit process goes through again you'll see vsys1+US drop off from idmgr.
02-12-2018 01:34 PM
These were the steps that TAC told me to use
Part I
1. Update the custom region US to US-Custom
2. See if the US-Custom and US are now options that show up in the list
3. Change the security policies from US-Custom to US
4. Delete custom region
5. debug device-server reset id-manager type vsys-region
6. configure/commit force
I did this
1. Update the custom region US to US-Custom -commit
2. See if the US-Custom and US are now options that show up in the list
3. Change the security policies from US-Custom to US
02-12-2018 01:41 PM
I think I retraced your steps
so i had a custom object, which was named 'BE' and then renamed to 'BE-custom'
what happens is that the 'built in' region keeps existing, but it's no longer a custom object because you renamed that:
reaper@PA-220> debug device-server dump idmgr type vsys-region all ID Name ---------- -------------------- 1024 vsys1+home 1025 vsys1+BE 1026 vsys1+be Type: 36 Last id: 1027 Mismatch cnt: 0 reaper@PA-220> debug device-server dump idmgr type vsys-region all ID Name ---------- -------------------- 1024 vsys1+home 1025 vsys1+BE 1026 vsys1+be 1027 vsys1+BE-custom
if you then use the original region in policy, your commit fails, bcause it's actually no longer a valid object (you renamed it)
Details vsys1 Error: Failed to find address 'BE' Error: Unknown address 'BE' Error: Failed to parse security policy (Module: device) Commit failed
so you shouldn't make a region object named identically as an existing region and then afterwards (after your first commit) renaming it, unless you first reboot or reset the id-manager:
reaper@PA-220> debug device-server reset id-manager type all All ID manager is unset! Please commit the config again. reaper@PA-220> configure Entering configuration mode [edit] reaper@PA-220# commit force Commit job 35103 is in progress. Use Ctrl+C to return to command prompt ................................55%.....70%...98%............100% Configuration committed successfully [edit] reaper@PA-220# exit Exiting configuration mode reaper@PA-220> debug device-server dump idmgr type vsys-region all ID Name ---------- -------------------- 1024 vsys1+home 1025 vsys1+BE-custom 1026 vsys1+be Type: 36 Last id: 1027 Mismatch cnt: 0
so if you need to change a region object as above, make sure to reset the id-manager before attempting to re-use the original region name
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
