Error in commit after upgrade to 10.1.5-h1


L1 Bithead

After upgrading a PA850 from 10.1.5 to 10.1.5-h1 at the end of last week, we can no longer commit new configs 😞

It gives the following error when we try to commit.

  • Validation Error:
  • rulebase -> security -> rules -> Block xxx -> hip-profiles unexpected here
  • rulebase -> security -> rules is invalid

We've reverted to the running config and tried again, still the same error. We've tried to restart the management-server with the following command

  debug software restart process management-server

Without any luck; tried rebooting the whole unit, still the same result. Anyone else who has a similar problem with the 10.1.5-h1 OS?

The unit is standalone, so no Panorama is involved, as there are a couple of references to the error message coupled with Panorama.

Saw some mention that this is bug PAN-171869, which is supposed to be fixed in 10.1.5 but perhaps was reintroduced with -h1?

/Kaj


24 REPLIES

Cyber Elite

@Kaj.Lehtinen,

Usually this issue post-upgrade is simply a bad configuration migration during the upgrade process. If you export the configuration in XML format and look at the referenced entry, do you notice anything out of place? If you temporarily remove the specified rule, are you able to pass validation and commit, and then just add the rule back in? Have you tried simply opening the rule in the GUI and clicking "OK" to let the firewall rebuild that entry, and seeing if the configuration validates successfully?

L5 Sessionator

I've seen this error in a 10.1->9.1 downgrade process.

I had to delete the values in the 10.1 policy, commit, and recreate them in 9.1.

Quick question, you wouldn't happen to have any destination HIP profiles configured, would you? In 10.0+ that's typically used for quarantine features, and I have seen errors as a result in 10.0+ environments.

Help the community! Add tags and mark solutions please.

Hi!

Good suggestions - I have tried deleting the security rule in question and committing; it didn't help, it just started to complain about the next rule. Reverted back and it's still there.

Just tried your suggestion of pressing OK in the rule and I get an error on that operation, it says "Operation failed - Block xxx -> hip-profiles unexpected here", so it won't even let me edit the rule.

Is there a way to only export the security rules? When looking at them in the CLI I notice that a lot of them have 'hip-profiles any' defined, which I saw in another thread shouldn't be there ... but since the firewall doesn't support them being there, it doesn't have a command for removing them either .... 😞

As far as I know we don't have any HIP profiles in use at all; isn't HIP profiles something related to the GlobalProtect client? Not using GlobalProtect, and when checking in the GUI under Objects, GlobalProtect it's empty in both HIP Objects and HIP Profiles.

You could do a few things. The hardest way would be Device tab, Operations, Export config, opening that in a text editor and removing the hip references, saving, uploading, and running that edited config.

A much easier way might be a purpose-built tool like PAN-OS PHP. I also added myself as a watcher for that JIRA issue referenced; if there are updates I will add them here.

Help the community! Add tags and mark solutions please.

L4 Transporter

@Kaj.Lehtinen @BPry @LAYER_8 I am seeing the same issue after upgrading to 10.1.5-h1 on 4 firewalls. XML looks OK. Nothing suspicious when examining the pre- and post-upgrade XML files. Tried everything above and it still doesn't commit.

@Ben-Price Check in the XML file whether each rule has a line that says "hip-profiles any"; that's the culprit as I understand it.... I.e. it should be removed.

L4 Transporter

@Kaj.Lehtinen So I need to add the below XML to each rule or remove?

<hip-profiles>
   <member>any</member>
</hip-profiles>
<action>deny</action>
<log-setting>Log Forwarding Profile</log-setting>
<tag>
   <member>Inbound</member>
</tag>
<source-hip>
   <member>any</member>
</source-hip>
<destination-hip>
   <member>any</member>
</destination-hip>
</entry>

Pre- and post-upgrade XML files look the same, as far as I can see.

Sorry,

It should be the other way around: the lines should not be there in any rules when running a standalone firewall without Panorama. I'll edit my response above so others in the future don't get tricked. NOTE: I have yet to test the fix myself, but will report back as soon as I have.

L4 Transporter

@Kaj.Lehtinen Thanks for the update. I just tried this 5 minutes ago and can confirm removing the below from the firewall config XML fixed the issue. 

<hip-profiles>
<member>any</member>
</hip-profiles>

@Ben-Price Did you reimport just the affected rules or the whole rulebase? Were you forced to rename the rules that you modified, or can it import over existing rules?

/Kaj

L4 Transporter

@Kaj.Lehtinen I re-imported the whole rule base. Didn't have to rename anything. I followed the process below:

1. Take a backup of the current configuration.
2. Export the current config XML.
3. Open it in a text editor, find all rules with the incorrect hip-profiles XML tags, and delete the hip-profiles XML tags as pictured below:

<hip-profiles>
   <member>any</member>
</hip-profiles>

4. Save the XML config file, re-import it to the firewall and try to commit.
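The text-editor step above (and the export/edit/upload route mentioned earlier in the thread) is easy to get wrong by hand on a large rulebase. The script below is an added example, not a Palo Alto Networks tool and not code from anyone in this thread: it parses an exported PAN-OS config, removes every `<hip-profiles>` block whose only member is `any` from each security rule, leaves any block with a real profile name in place for manual review, and reports a post-check count. The embedded sample config is constructed, and the rule path `.//security/rules/entry` is an assumption based on the fragments posted above.

```python
"""Strip stray <hip-profiles><member>any</member></hip-profiles> blocks from an
exported PAN-OS config. Added example; assumptions are marked in comments."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed PAN-OS-style export with two security rules.
# Only "Block xxx" carries the stray hip-profiles block described in the thread.
SAMPLE_CONFIG = """<config version="10.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <rulebase>
            <security>
              <rules>
                <entry name="Block xxx">
                  <from><member>any</member></from>
                  <to><member>any</member></to>
                  <source><member>any</member></source>
                  <destination><member>any</member></destination>
                  <hip-profiles>
                    <member>any</member>
                  </hip-profiles>
                  <action>deny</action>
                  <source-hip><member>any</member></source-hip>
                  <destination-hip><member>any</member></destination-hip>
                </entry>
                <entry name="Allow web">
                  <from><member>trust</member></from>
                  <to><member>untrust</member></to>
                  <source><member>any</member></source>
                  <destination><member>any</member></destination>
                  <action>allow</action>
                </entry>
              </rules>
            </security>
          </rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

# Assumption: security rules sit under <security><rules><entry>; this path also
# matches Panorama pre-rulebase/post-rulebase exports.
RULE_PATH = ".//security/rules/entry"


def strip_stray_hip_profiles(xml_text, only_any=True):
    """Return (cleaned_xml, removed_rule_names, skipped).

    removed_rule_names: rules whose <hip-profiles> child was deleted.
    skipped: (rule name, members) for blocks left alone because a member was
             something other than 'any' (only when only_any=True), so a real
             setting is never silently thrown away.
    """
    root = ET.fromstring(xml_text)
    removed, skipped = [], []
    for rule in root.iterfind(RULE_PATH):
        hip = rule.find("hip-profiles")
        if hip is None:
            continue
        members = [(m.text or "").strip() for m in hip.findall("member")]
        if only_any and any(m != "any" for m in members):
            skipped.append((rule.get("name"), members))
            continue
        rule.remove(hip)
        removed.append(rule.get("name"))
    return ET.tostring(root, encoding="unicode"), removed, skipped


def count_hip_profiles(xml_text):
    """Post-check: number of security rules still carrying <hip-profiles>."""
    root = ET.fromstring(xml_text)
    return sum(1 for r in root.iterfind(RULE_PATH) if r.find("hip-profiles") is not None)


def main(argv):
    if len(argv) != 3:
        print("usage: strip_hip.py exported.xml cleaned.xml", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        cleaned, removed, skipped = strip_stray_hip_profiles(fh.read())
    with open(argv[2], "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0"?>\n' + cleaned)
    print(f"removed hip-profiles from {len(removed)} rule(s): {removed}")
    for name, members in skipped:
        print(f"left in place, review by hand: {name} -> {members}")
    print(f"rules still carrying hip-profiles: {count_hip_profiles(cleaned)}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the exported file, check that the reported count is zero and that the skipped list is empty (or only contains profiles you actually expect), then import the cleaned file and commit as in step 4. Keep the step 1 backup: the script only touches `<hip-profiles>`, but the import replaces the whole candidate config.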

L0 Member

I upgraded to 10.1.5-h1 and got the error "hip-profile unexpected here". Support said it's related to PAN-189221.

At this time the workaround is accomplished by:
1. Going to the CLI
2. Entering configure mode
> configure
#
3. Running the following command
# load config from running-config.xml
4. And running a commit force
# commit force
This is so that it will discard all "hip-profiles unexpected here" in security rules and you can commit the change.

I completed these steps on Panorama and it removed the hip-profiles.

L1 Bithead

Same exact issue here, will try the steps noted.

  • 2 accepted solutions
  • 22589 Views
  • 24 replies
  • 0 Likes