We manage our firewalls with Panorama. We upgraded Panorama first (to 6.0.3) and then the firewalls after. We found that the initial commit to Panorama post-upgrade to many of the firewalls failed - with Panorama complaining about tags.
Although most of our security/NAT rules are defined in Panorama, some rules were local to the firewalls. Those rules that had tags caused this issue.
Separately, on each of the two firewalls in an HA pair, I removed the tags from the local rules, removed the tag object from the new Tags page in Objects, and then hit save. I could then do a commit from Panorama (with the "merge with candidate configuration" option set).
Perhaps I could have done a force on the Panorama commit, but that sort of thing scares me 😉
What I have found is that you need to do the following when going from 5.0.9 or later versions to 6.0.x:
1. If using URL filtering, make sure the latest definitions are loaded.
2. Update all of your content to the latest version.
3. Download the 6.0 base image.
4. Download and install 6.0.x.
5. Once you are on 6.0.x, you will need to re-download your URL DB if using one, as there are new Country Options in 6.x PanDB.
I have seen no issues yet on 6.0.3 Act/Pass or 6.0.4 Act/Act in production installations.
You may well be OK running 1.2.10, but we just decided to go straight to 2.0.4. Many of our clients are running XP, so version 2 isn't hitting issues with this older OS.
Here's an example of the log output we were getting:
2014-09-05 08:37:12.655 +0000 Error: pan_hip_update_report(pan_hip_handler.c:1653): ha_cfg_file_update('/opt/panlogs/global-protect/hip_report_base/250/5b1074f600c942093d84b3a26ec68199_vsys1_10.a.b.c.xml') failed: Transaction in progress
2014-09-05 08:37:12.737 +0000 Error: ha_lib_trans_file_unique_update(ha_lib_trans_file.c:445): usr.tran.hip-report unable to update unique with transaction in progress
If you can update a test box to PANOS 6, you can then check for these log entries with the command "less mp-log useridd.log".
If you're not getting any of these errors, you shouldn't hit the issue I did.
Oh, also seems we only suffer the issue if HA session synchronisation is enabled; we've disabled that whilst we move all users to GP 2.0.4.
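The log check described above, run over an exported copy of useridd.log, as an added example that is not part of the original posts. The line layout is inferred from the two quoted log lines; the function names and the sample lines after the first two are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Layout inferred from the two lines quoted in the thread:
# "<date> <time> <tz> <Level>: <function>(<file>:<line>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>\w+): (?P<func>\w+)\((?P<src>[\w.]+):(?P<line>\d+)\): "
    r"(?P<msg>.*)$"
)
SIGNATURE = "transaction in progress"  # text common to both quoted errors

# First two lines are the ones quoted in the thread; the rest are constructed.
SAMPLE_LOG = """\
2014-09-05 08:37:12.655 +0000 Error: pan_hip_update_report(pan_hip_handler.c:1653): ha_cfg_file_update('/opt/panlogs/global-protect/hip_report_base/250/5b1074f600c942093d84b3a26ec68199_vsys1_10.a.b.c.xml') failed: Transaction in progress
2014-09-05 08:37:12.737 +0000 Error: ha_lib_trans_file_unique_update(ha_lib_trans_file.c:445): usr.tran.hip-report unable to update unique with transaction in progress
2014-09-05 08:37:13.001 +0000 Error: example_other_func(example.c:10): constructed unrelated error
2014-09-05 08:37:13.020 +0000 Warning: example_other_func(example.c:12): constructed warning, transaction in progress
this line does not follow the layout and is skipped
"""

def find_transaction_errors(lines):
    """Return parsed Error-level lines whose message carries the signature."""
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip().strip("|"))  # tolerate pasted table pipes
        if m and m["level"] == "Error" and SIGNATURE in m["msg"].lower():
            hits.append(m.groupdict())
    return hits

def summarise(hits):
    """Count matching errors per reporting function."""
    return Counter(h["func"] for h in hits)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to an exported useridd.log
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    hits = find_transaction_errors(lines)
    for func, count in summarise(hits).most_common():
        print(f"{count:6d}  {func}")
    print("matching errors found" if hits else "no matching errors found")
```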