04-11-2022 01:21 PM
After upgrade from a PA850 from 10.1.5 to 10.1.5-h1 in the end of last week we no longer can commit new configs 😞
It gives the following error when we try to commit.
We've reverted to running config, tried again, still the same error. We've tried to restart the management-server with the following command
debug software restart process management-server
Without any luck, tried rebooting the whole unit, still the same result. Anyone else that has similar problem with 10.1.5-h1 OS?
The unit is standalone, so no Panorama involved, as there is a couple of references to the errormessage coupled with panorama.
Saw some mention in that this is bug PAN-171869 that is supposed to be fixed in 10.1.5 but perhaps was reintroduced with -h1?
/Kaj
04-18-2022 12:38 AM
I can confirm that the procedure described by @HaleyDignan also works in a non Panorama setting, i'e directly on the PanOS firewall
04-19-2022 01:32 AM
The solution works!!
I upgraded from 10.0.8 -> 10.0.10 and ran into this issue.
Followed your steps and I would add a step 5 in is to push to device on panorama or on the device push policy 🙂
You can also view the diff after the fix. in the running config there's a hip-profile, candidate config doesn't.
04-19-2022 04:30 AM
This was the solution TAC provided us and worked, the explanation was:
Starting with PAN-OS 10.0 we added, "destination-hip" (for quarantine feature) and corresponding "source-hip" nodes which replaced the "hip-profiles" node from 9.x and earlier releases. However, hip profiles should not be used from 10.0 and onwards. Scripts should be using source-hip instead.
This is expected behavior, as no migration scripts exist for the same version migration.
The workaround is to run 'load config from running-config.xml' and commit force.
>configure
#load config from running-config.xml
Config loaded from running-config.xml
# commit force
04-30-2022 04:51 AM
It worked for me....😃
Thank you!! I have had multiple cases open with support. Uploaded tech files multiple times. They could verify the issue but no fix. If I could only get those hours of my life back.
05-25-2022 11:00 PM
It's works
Many thanks for you support
05-29-2022 04:17 AM
I was just about to open a case about this exact issue.... thank you for saving me the grief!
PAN: Please update PANOS logic to handle this particular config upgrade automatically and gracefully.
06-28-2022 03:57 PM
ran this verbatim as shown above... no change 😞
paul.dinapoli@panorama.****> configure
Entering configuration mode
[edit]
# load config from running-config.xml
Config loaded from running-config.xml
# commit force
Commit job 179142 is in progress. Use Ctrl+C to return to command prompt
.15%31%85%99%.....
try to run my ansible playbook:
{"changed": false, "msg": "Failed create: *** rule_name *** -> hip-profiles unexpected here"}
07-15-2022 06:59 AM
Hello @HaleyDignan
I ran into the same issue and your workaround worked.
I didn´t upgrade the firewalls yet and I was wondering 2 things:
1. Is this gonna happen also after upgrading firewalls and I´ll have to reload the configuration
2. we have authentication policies configured with HIP profiles=any. Will this change about the hip profiles impact the working authentication policies?
thank you in advance!!
07-15-2022 09:18 AM
1. Is this gonna happen also after upgrading firewalls and I´ll have to reload the configuration - Yes you will need to run the same commands on the firewall after upgrading.
2. we have authentication policies configured with HIP profiles=any. Will this change about the hip profiles impact the working authentication policies? I am not sure.
03-23-2023 11:08 AM
@paul.dinapoli Did you ever find a solution? The "fix" didn't work for me either.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
