Error in commit after upgrade to 10.1.5-h1

Kaj.Lehtinen · ‎04-11-2022

After upgrade from a PA850 from 10.1.5 to 10.1.5-h1 in the end of last week we no longer can commit new configs 😞

It gives the following error when we try to commit.

Validation Error:
rulebase -> security -> rules -> Block xxx -> hip-profiles unexpected here
rulebase -> security -> rules is invalid

We've reverted to running config, tried again, still the same error. We've tried to restart the management-server with the following command

debug software restart process management-server

Without any luck, tried rebooting the whole unit, still the same result. Anyone else that has similar problem with 10.1.5-h1 OS?

The unit is standalone, so no Panorama involved, as there is a couple of references to the errormessage coupled with panorama.

Saw some mention in that this is bug PAN-171869 that is supposed to be fixed in 10.1.5 but perhaps was reintroduced with -h1?

/Kaj

Ben-Price · ‎04-12-2022

@Kaj.Lehtinen I re-imported the whole rule base. Didn't have to re-name anything. I followed the below process:

1. Take a backup of the current configuration

2. Export current config XML

3. Open in a text editor and find all rules with incorrect hip-profile XML tags, delete hip-profile XML tags as pictured below

<hip-profiles>

</hip-profiles>

4. Save the XML config file, re-import to the firewall and try to commit.

View solution in original post

HaleyDignan · ‎04-14-2022

I upgraded to 10.1.5-h1 and got the error hip-profile unexpected here. Support said its related to PAN-189221.

At this time the workaround is accomplished by:
1. going to the cli
2. Entering configure mode
> configure
#
3. running the following command
# load config from running-config.xml
4. and running a commit force
# commit force
This is so that it will discard all "hip-profiles unexpected here" in security rules and you can commit the change.

I completed these steps on Panorama and it removed the hip-profiles

View solution in original post

BPry · ‎04-11-2022

@Kaj.Lehtinen,

Usually this issue post an upgrade is simply a bad configuration migration during the upgrade process. If you export the configuration in XML format at look at the reference entry, do you notice anything out of place? If you temporarily remove the specified rule are you able to pass validation and commit and then just add the rule back in? Have you tried simply opening the rule in the GUI and clicking on "Ok" to let the firewall rebuild that entry and see if the configuration validates successfully?

LAYER_8 · ‎04-11-2022

I've seen this error in a 10.1->9.1 downgrade process.

I had to delete the values in the 10.1 policy, commit, and recreate them in 9.1.

Quick question, you wouldn't happen to have any destination HIP profiles configured, would you? In 10.0+ that's typically used for quarantine features, and have seen errors as a result in 10.0+ environments.

Help the community! Add tags & mark solutions please.

Kaj.Lehtinen · ‎04-11-2022

Hi!

Good suggestions - I have tried deleting the security rule in question and commit, didnt help, it just started to complain about the next rule. Reverted back and its still there.

Just tried your suggestion on pressing OK in the rule and I get a error on that operation, it says "Operation failed - Block xxx -> hip-profiles unexpected here' so it wont let me edit the rule even.

Is there a way to only export the security rules? When looking at them in the CLI i notice that a lot of them has 'hip-profiles any' defined and that I saw in a other threat shouldnt be there ... but since the firewall dont support them beeing there then it doesnt have a command of removing them either .... 😞

Kaj.Lehtinen · ‎04-11-2022

As far as I know we don't have any HIP profiles at all in use, isnt HIP profiles something related to GlobalProtect client? Not using GlobalProtect and when checking in GUI under Objects, GlobalProtect its empty in both HIP Objects and HIP Profiles.

Error in commit after upgrade to 10.1.5-h1

Error in commit after upgrade to 10.1.5-h1

Show your appreciation!