04-11-2022 01:21 PM
After upgrading a PA850 from 10.1.5 to 10.1.5-h1 at the end of last week, we can no longer commit new configs 😞
It gives the following error when we try to commit.
We've reverted to running config, tried again, still the same error. We've tried to restart the management-server with the following command
debug software restart process management-server
Without any luck. Tried rebooting the whole unit, still the same result. Anyone else who has a similar problem with the 10.1.5-h1 OS?
The unit is standalone, so no Panorama is involved; I mention it as there are a couple of references to the error message coupled with Panorama.
Saw some mention that this is bug PAN-171869, which is supposed to be fixed in 10.1.5 but perhaps was reintroduced with -h1?
/Kaj
04-11-2022 02:04 PM
Usually this issue post an upgrade is simply a bad configuration migration during the upgrade process. If you export the configuration in XML format and look at the reference entry, do you notice anything out of place? If you temporarily remove the specified rule, are you able to pass validation and commit and then just add the rule back in? Have you tried simply opening the rule in the GUI and clicking on "Ok" to let the firewall rebuild that entry and see if the configuration validates successfully?
04-11-2022 02:04 PM
I've seen this error in a 10.1->9.1 downgrade process.
I had to delete the values in the 10.1 policy, commit, and recreate them in 9.1.
Quick question, you wouldn't happen to have any destination HIP profiles configured, would you? In 10.0+ that's typically used for quarantine features, and have seen errors as a result in 10.0+ environments.
04-11-2022 02:09 PM - edited 04-11-2022 10:33 PM
Hi!
Good suggestions - I have tried deleting the security rule in question and committing; it didn't help, it just started to complain about the next rule. Reverted back and it's still there.
Just tried your suggestion of pressing OK in the rule and I get an error on that operation; it says "Operation failed - Block xxx -> hip-profiles unexpected here", so it won't even let me edit the rule.
Is there a way to export only the security rules? When looking at them in the CLI I notice that a lot of them have 'hip-profiles any' defined, and I saw in another thread that it shouldn't be there ... but since the firewall doesn't support them being there, it doesn't have a command for removing them either .... 😞
04-11-2022 02:14 PM
As far as I know we don't have any HIP profiles in use at all. Aren't HIP profiles something related to the GlobalProtect client? We are not using GlobalProtect, and when checking in the GUI under Objects, GlobalProtect, it's empty in both HIP Objects and HIP Profiles.
04-11-2022 02:34 PM
You could do a few things. The hardest way would be device tab, operations, export config, opening that in a text editor and removing the hip references, saving, uploading, run that edited config.
A much easier way might be a purpose built tool like PAN-OS PHP. I also added myself as a watcher for that JIRA issue referenced, if there are updates I will add them here.
04-11-2022 07:12 PM
@Kaj.Lehtinen @BPry @LAYER_8 I am seeing the same issue after upgrading to 10.1.5-h1 on 4 firewalls. XML looks OK. Nothing suspicious when examining the pre and post upgrade XML files. Tried everything above and it still doesn't commit.
04-12-2022 02:47 AM - edited 04-12-2022 10:46 PM
@Ben-Price Check in the XML file whether you have a line in each rule that says "hip-profiles any"; that's the culprit as I understand it... I.e. it should be removed.
04-12-2022 05:24 PM - edited 04-12-2022 05:24 PM
@Kaj.Lehtinen So I need to add the below XML to each rule or remove?
<hip-profiles>
<member>any</member>
</hip-profiles>
<action>deny</action>
<log-setting>Log Forwarding Profile</log-setting>
<tag>
<member>Inbound</member>
</tag>
<source-hip>
<member>any</member>
</source-hip>
<destination-hip>
<member>any</member>
</destination-hip>
</entry>
Pre and post upgrade XML files look the same, as far as I can see.
04-12-2022 10:45 PM
Sorry,
It should be the other way around: the lines should not be there in any rules when running a standalone firewall without Panorama. I'll edit my response above so others in the future don't get tricked. NOTE: I have yet to test the fix myself, but will report back as soon as I have.
04-12-2022 10:50 PM - edited 04-12-2022 10:52 PM
@Kaj.Lehtinen Thanks for the update. I just tried this 5 minutes ago and can confirm removing the below from the firewall config XML fixed the issue.
<hip-profiles>
<member>any</member>
</hip-profiles>
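Added example, not part of any post in this thread: a Python sketch of the manual edit described above, removing every `<hip-profiles>` element whose only member is `any` from the security rules of an exported config and listing what it touched. The sample config, its rule names and the `security/rules/entry` layout are constructed assumptions modelled on the XML fragment quoted earlier; `strip_hip_profiles_any` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an exported config; rule names are made up.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="Block-Inbound">
        <hip-profiles><member>any</member></hip-profiles>
        <action>deny</action>
        <source-hip><member>any</member></source-hip>
      </entry>
      <entry name="Allow-Web">
        <action>allow</action>
      </entry>
      <entry name="Needs-Review">
        <hip-profiles><member>corp-laptop</member></hip-profiles>
        <action>allow</action>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def strip_hip_profiles_any(xml_text):
    """Remove <hip-profiles> holding only 'any' from every security rule.

    Returns (cleaned_xml, cleaned_rule_names, rules_left_for_review).
    """
    root = ET.fromstring(xml_text)
    cleaned, review = [], []
    # Assumed layout: .../security/rules/entry, one <entry> per rule.
    for rule in root.findall(".//security/rules/entry"):
        for hip in rule.findall("hip-profiles"):
            members = [m.text.strip() for m in hip.findall("member") if m.text]
            if members == ["any"]:
                rule.remove(hip)
                cleaned.append(rule.get("name"))
            else:
                # A named HIP profile is real policy; do not drop it silently.
                review.append(rule.get("name"))
    return ET.tostring(root, encoding="unicode"), cleaned, review


if __name__ == "__main__":
    new_xml, cleaned, review = strip_hip_profiles_any(SAMPLE_CONFIG)
    print("hip-profiles 'any' removed from:", cleaned)
    print("left untouched, check by hand:", review)
```

Diff the cleaned file against the original export before importing it, so the only change loaded onto the firewall is the removed `hip-profiles` elements.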
04-12-2022 11:25 PM
@Ben-Price Did you reimport just the affected rules or the whole rulebase? Were you forced to rename the rules that you modified, or can it import over existing rules?
/Kaj
04-12-2022 11:31 PM
@Kaj.Lehtinen I re-imported the whole rule base. Didn't have to re-name anything. I followed the below process:
04-14-2022 10:31 AM
I upgraded to 10.1.5-h1 and got the error "hip-profile unexpected here". Support said it's related to PAN-189221.
At this time the workaround is accomplished by:
1. Going to the CLI
2. Entering configure mode
> configure
#
3. Running the following command
# load config from running-config.xml
4. Running a commit force
# commit force
This is so that it will discard all "hip-profiles unexpected here" in security rules and you can commit the change.
I completed these steps on Panorama and it removed the hip-profiles.
04-15-2022 01:20 PM - edited 04-15-2022 01:30 PM
Same exact issue here, will try the steps noted