Error in commit after upgrade to 10.1.5-h1


After upgrading a PA850 from 10.1.5 to 10.1.5-h1 at the end of last week, we can no longer commit new configs 😞

It gives the following error when we try to commit.

  • Validation Error:
  • rulebase -> security -> rules -> Block xxx -> hip-profiles unexpected here
  • rulebase -> security -> rules is invalid

We've reverted to the running config and tried again, still the same error. We've tried to restart the management-server with the following command:

 

  debug software restart process management-server

 

Without any luck. Tried rebooting the whole unit, still the same result. Does anyone else have a similar problem with the 10.1.5-h1 OS?

The unit is standalone, so no Panorama is involved, as there are a couple of references to the error message coupled with Panorama.

Saw some mention that this is bug PAN-171869, which is supposed to be fixed in 10.1.5, but perhaps it was reintroduced with -h1?

 

/Kaj 

24 REPLIES

I can confirm that the procedure described by @HaleyDignan also works in a non-Panorama setting, i.e. directly on the PAN-OS firewall.

The solution works!! 

I upgraded from 10.0.8 -> 10.0.10 and ran into this issue.

Followed your steps, and I would add a step 5, which is to push to device on Panorama, or on the device, push policy 🙂

You can also view the diff after the fix: in the running config there's a hip-profile, the candidate config doesn't have one.

 

 

 

 

This was the solution TAC provided us, and it worked. The explanation was:

 

Starting with PAN-OS 10.0 we added, "destination-hip" (for quarantine feature) and corresponding "source-hip" nodes which replaced the "hip-profiles" node from 9.x and earlier releases. However, hip profiles should not be used from 10.0 and onwards. Scripts should be using source-hip instead.

This is expected behavior, as no migration scripts exist for the same version migration.

The workaround is to run 'load config from running-config.xml' and commit force.

> configure
# load config from running-config.xml
Config loaded from running-config.xml
# commit force
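
To see which rules would trip this validation error before attempting a commit, an exported configuration can be scanned for security rules that still carry the old node. This is an added example, not part of any post in this thread and not Palo Alto Networks code; it assumes the XML layout implied by the error path (rulebase -> security -> rules -> entry -> hip-profiles), and the sample config and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real device: one rule still carries the
# pre-10.0 <hip-profiles> node, the other already uses <source-hip>.
SAMPLE_CONFIG = """\
<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="Block xxx">
        <action>deny</action>
        <hip-profiles><member>any</member></hip-profiles>
      </entry>
      <entry name="Allow web">
        <action>allow</action>
        <source-hip><member>any</member></source-hip>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>
"""

# Firewall rulebase plus the Panorama pre/post rulebases (layout is an assumption).
RULEBASES = {"rulebase", "pre-rulebase", "post-rulebase"}

def find_legacy_hip_rules(xml_text):
    """Return one dict per security rule that still has a <hip-profiles> child."""
    findings = []

    def walk(node, trail):
        label = node.tag + (f"[{node.get('name')}]" if node.get("name") else "")
        trail = trail + [label]
        if node.tag in RULEBASES:
            for rule in node.findall("./security/rules/entry"):
                legacy = rule.find("hip-profiles")
                if legacy is not None:
                    findings.append({
                        "location": "/".join(trail),
                        "rule": rule.get("name"),
                        "members": [m.text for m in legacy.findall("member")],
                        "has_source_hip": rule.find("source-hip") is not None,
                    })
            return  # nothing to search for below a rulebase
        for child in node:
            walk(child, trail)

    walk(ET.fromstring(xml_text), [])
    return findings

if __name__ == "__main__":
    for f in find_legacy_hip_rules(SAMPLE_CONFIG):
        print(f"{f['location']}: rule {f['rule']!r} hip-profiles={f['members']}")
```
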

 

 

It worked for me....😃

 

Thank you!!  I have had multiple cases open with support.  Uploaded tech files multiple times.  They could verify the issue but no fix.  If I could only get those hours of my life back.  

It works.
Many thanks for your support.


I was just about to open a case about this exact issue.... thank you for saving me the grief!

PAN: Please update PANOS logic to handle this particular config upgrade automatically and gracefully.

Ran this verbatim as shown above... no change 😞


paul.dinapoli@panorama.****> configure
Entering configuration mode
[edit]
# load config from running-config.xml
Config loaded from running-config.xml
# commit force

Commit job 179142 is in progress. Use Ctrl+C to return to command prompt
.15%31%85%99%.....

Try to run my Ansible playbook:

{"changed": false, "msg": "Failed create: *** rule_name ***  -> hip-profiles unexpected here"}

 
 
 
 



Hello @HaleyDignan 

 

I ran into the same issue and your workaround worked. 

I didn't upgrade the firewalls yet, and I was wondering 2 things:

1. Is this gonna happen also after upgrading firewalls, and I'll have to reload the configuration?

2. We have authentication policies configured with HIP profiles=any. Will this change about the hip profiles impact the working authentication policies?

Thank you in advance!!

1. Is this gonna happen also after upgrading firewalls, and I'll have to reload the configuration? - Yes, you will need to run the same commands on the firewall after upgrading.

2. We have authentication policies configured with HIP profiles=any. Will this change about the hip profiles impact the working authentication policies? - I am not sure.

@paul.dinapoli Did you ever find a solution?  The "fix" didn't work for me either. 
