04-11-2022 01:21 PM
After upgrading a PA850 from 10.1.5 to 10.1.5-h1 at the end of last week, we can no longer commit new configs 😞
It gives the following error when we try to commit.
We've reverted to running config, tried again, still the same error. We've tried to restart the management-server with the following command
debug software restart process management-server
Without any luck, tried rebooting the whole unit, still the same result. Anyone else that has a similar problem with the 10.1.5-h1 OS?
The unit is standalone, so no Panorama involved, as there are a couple of references to the error message coupled with Panorama.
Saw some mention in that this is bug PAN-171869 that is supposed to be fixed in 10.1.5 but perhaps was reintroduced with -h1?
/Kaj
04-12-2022 11:31 PM
@Kaj.Lehtinen I re-imported the whole rule base. Didn't have to re-name anything. I followed the below process:
04-14-2022 10:31 AM
I upgraded to 10.1.5-h1 and got the error hip-profile unexpected here. Support said it's related to PAN-189221.
At this time the workaround is accomplished by:
1. going to the cli
2. Entering configure mode
> configure
#
3. running the following command
# load config from running-config.xml
4. and running a commit force
# commit force
This is so that it will discard all "hip-profiles unexpected here" in security rules and you can commit the change.
I completed these steps on Panorama and it removed the hip-profiles
04-11-2022 02:04 PM
Usually this issue post an upgrade is simply a bad configuration migration during the upgrade process. If you export the configuration in XML format and look at the reference entry, do you notice anything out of place? If you temporarily remove the specified rule are you able to pass validation and commit and then just add the rule back in? Have you tried simply opening the rule in the GUI and clicking on "Ok" to let the firewall rebuild that entry and see if the configuration validates successfully?
04-11-2022 02:04 PM
I've seen this error in a 10.1->9.1 downgrade process.
I had to delete the values in the 10.1 policy, commit, and recreate them in 9.1.
Quick question, you wouldn't happen to have any destination HIP profiles configured, would you? In 10.0+ that's typically used for quarantine features, and have seen errors as a result in 10.0+ environments.
04-11-2022 02:09 PM - edited 04-11-2022 10:33 PM
Hi!
Good suggestions - I have tried deleting the security rule in question and commit, didn't help, it just started to complain about the next rule. Reverted back and it's still there.
Just tried your suggestion on pressing OK in the rule and I get an error on that operation, it says "Operation failed - Block xxx -> hip-profiles unexpected here" so it won't let me edit the rule even.
Is there a way to only export the security rules? When looking at them in the CLI I notice that a lot of them have 'hip-profiles any' defined and that I saw in another thread shouldn't be there ... but since the firewall doesn't support them being there then it doesn't have a command of removing them either .... 😞
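The check discussed in this thread (export the configuration as XML and see which security rules carry a hip-profiles node), as an added example that is not part of any post here. It is a read-only Python script; the XML layout (vsys/entry/rulebase/security/rules/entry), the constructed sample configuration and the function name find_hip_profile_rules are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an exported PAN-OS configuration
# (assumption: rules sit under vsys/entry/rulebase/security/rules/entry).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1">
      <rulebase><security><rules>
        <entry name="Block xxx">
          <from><member>trust</member></from>
          <to><member>untrust</member></to>
          <hip-profiles><member>any</member></hip-profiles>
          <action>deny</action>
        </entry>
        <entry name="Allow web">
          <from><member>trust</member></from>
          <to><member>untrust</member></to>
          <action>allow</action>
        </entry>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>"""


def find_hip_profile_rules(xml_text):
    """Return (vsys, rule name, members) for every security rule that has a hip-profiles node."""
    root = ET.fromstring(xml_text)
    findings = []
    for vsys in root.iter("vsys"):
        for vsys_entry in vsys.findall("entry"):
            # Only the security rulebase is inspected; nothing is modified.
            for rule in vsys_entry.findall("./rulebase/security/rules/entry"):
                node = rule.find("hip-profiles")
                if node is None:
                    continue
                members = [m.text for m in node.findall("member")]
                findings.append((vsys_entry.get("name"), rule.get("name"), members))
    return findings


if __name__ == "__main__":
    # To audit a real export, read the file and pass its text instead of SAMPLE_CONFIG.
    for vsys_name, rule_name, members in find_hip_profile_rules(SAMPLE_CONFIG):
        print(f"{vsys_name}: rule {rule_name!r} carries hip-profiles {members}")
```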
04-11-2022 02:14 PM
As far as I know we don't have any HIP profiles at all in use, aren't HIP profiles something related to the GlobalProtect client? Not using GlobalProtect and when checking in GUI under Objects, GlobalProtect it's empty in both HIP Objects and HIP Profiles.