07-19-2021 11:21 PM
Hi Experts,
We've a pair of firewalls (9.1.6) managed by the Panorama (9.1.6). We've Threat prevention license in place and client would like to install just the threats and not the apps by selecting disable the new apps in content update.
As recommended by the TAC, we've downloaded the latest version and when installing the new version, we select the disable new apps in content update on the firewalls. Then, similar procedure followed on the Panorama.
Once done, Panorama doesn't allow us to commit any changes to the firewalls prompting us with an error message that apps need to be enabled on the firewalls. We need to run the below commands to install the changes.
request set-application-status-recursive status enabled application (name) status enabled
We've shared TSF with the TAC. Am I missing something? Can someone please assist or correct me if I'm wrong.
Thanks in advance.
07-22-2021 10:29 AM
What is the exact error that you get in Panorama?
I understand your issue.. but we need a little more info to get to a resolution.
07-23-2021 07:21 AM - edited 07-23-2021 07:22 AM
Hi Joe
Many thanks for looking into this.
When we commit, it reaches 70% and gets failed under warning with a list of 'Disabled Applications'. TAC has been engaged with the TSF file and they're also not sure on the root cause at this stage.
Should we need to select 'disable content apps' in both the firewalls & Panorama or just the Panorama would work? Can you please share the best practice or recommendation of PA?
Note: We use static application/application groups, not just the application-groups. Also, ours is a mission critical network (no outages are entertained). Thanks in advance
07-23-2021 01:15 PM - edited 07-23-2021 03:00 PM
I am not 100% sure on the location when using Panorama.. but there are a couple of places to ensure that these are disabled properly..
Please see this Tips and Tricks we wrote about this here:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSgCAK
I will try to verify the settings for Panorama and let you know.
And as far as that "error" what is it exacty?
and when it lists out what is "disabled", usually that shows up as a "warning" and not an error. Just to clarify.
07-23-2021 03:02 PM
I did find this article about shared device groups and applications.. not sure if this helps at all..
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNinCAG
07-23-2021 10:09 PM
Hi Joe
Thanks for the reply. We were getting a commit error when Pushing configuration from Panorama to the Firewalls. The error stated that "some apps were already in use and were invalid"
Does it because of the duplicate entries of disabling in both the Firewalls and Panorama? Or just disabling in firewalls would work?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
