09-24-2019 07:20 AM - edited 09-24-2019 07:25 AM
We have a handful of standalone PAs that we want to import into Panorama. However, in our first iteration it failed with the following errors and I am not sure why. The entire process isn't made clear to me either via PA (like a lot of their stuff, but I digress), so I was wondering if anyone has done this and can help point me in the right direction?
Commit/validation fails on the following items on the firewall after import/export back to it from the Panorama:
Validation Error:
log-settings -> profiles -> Forward to Panorama and Email -> match-list -> test-Alerts -> send-email 'Test Alerts' is not a valid reference
log-settings -> profiles -> Forward to Panorama and Email -> match-list -> test-Alerts -> send-email is invalid
log-settings -> profiles -> Forward to Panorama and Email -> match-list is invalid
log-settings -> profiles is invalid
log-settings is invalid
shared is invalid
rulebase -> security -> rules -> outbound-block-all -> from 'trust' is not an allowed keyword
rulebase -> security -> rules -> outbound-block-all -> from 'trust' is not a valid reference
rulebase -> security -> rules -> outbound-block-all -> from is invalid
rulebase -> security -> rules -> outbound-block-all -> to 'untrust' is not an allowed keyword
rulebase -> security -> rules -> outbound-block-all -> to 'untrust' is not a valid reference
rulebase -> security -> rules -> outbound-block-all -> to is invalid
rulebase -> security -> rules -> untrust-block-all -> from 'untrust' is not an allowed keyword
rulebase -> security -> rules -> untrust-block-all -> from 'untrust' is not a valid reference
rulebase -> security -> rules -> untrust-block-all -> from is invalid
rulebase -> security -> rules is invalid
rulebase -> security is invalid
rulebase is invalid
vsys is invalid
devices is invalid
In VSYS vsys1 from zone trust of type unknown and to zone untrust of type unknown are incompatible in security rule outbound-block-all
Configuration is invalid
2 errors when trying to do this, both of which appear to be originating from the PAN > FW.
I changed the zone names to match on the FW, but I'm not sure what to do about the log/email settings? Also not sure why it's complaining about 'shared' as well.
09-24-2019 10:25 AM
Drewdown,
not sure if you fixed this already...
2 errors when trying to do this, both of which appear to be originating from the PAN > FW.
I think you may have to turn off log forwarding on the panorama
Before importing the security policies, you need to disable logging to Panorama. On the firewall, either modify your log forwarding profile to remove Panorama, or edit each security policy and set the log forwarding profile to none.
The zone name makes a difference and should be the same.
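The two failures in this thread (zone names that differ only in case between the firewall and Panorama, and a log-forwarding match-list whose send-email action points at an email server profile that does not exist in the config being committed) are both reference checks that can be run before the import. The script below is an added example, not code from the thread or from Palo Alto Networks. It parses a constructed, simplified XML snippet that only approximates the real PAN-OS export layout (the real schema is deeper; the element names under `shared/log-settings`, `vsys/entry/zone` and `rulebase/security/rules` are assumed), and reports exact-case zone mismatches and dangling email profile references the same way the commit validator does.

```python
"""Pre-import reference check for a (simplified) PAN-OS firewall XML export.

Assumptions, not taken from the thread: the XML layout in FIREWALL_XML is a
constructed approximation of a firewall config export. The two checks mirror
the validator errors quoted in the thread:
  1. security rules must reference zones that exist, with exact case
     ('trust' does not match 'Trust');
  2. a log-forwarding match-list that sends email must reference an email
     server profile that exists in the same config.
"""
import xml.etree.ElementTree as ET

# Constructed sample: zones are defined in mixed case, rules reference them in
# lowercase, and the shared log-forwarding profile sends email to a server
# profile ("Test Alerts") that is not present in this config.
FIREWALL_XML = """
<config>
  <shared>
    <log-settings>
      <profiles>
        <entry name="Forward to Panorama and Email">
          <match-list>
            <entry name="test-Alerts">
              <send-email><member>Test Alerts</member></send-email>
            </entry>
          </match-list>
        </entry>
      </profiles>
    </log-settings>
  </shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <zone><entry name="Trust"/><entry name="Untrust"/></zone>
    <rulebase><security><rules>
      <entry name="outbound-block-all">
        <from><member>trust</member></from>
        <to><member>untrust</member></to>
      </entry>
      <entry name="untrust-block-all">
        <from><member>untrust</member></from>
        <to><member>any</member></to>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>
"""


def check_zone_references(root):
    """Return (rule, direction, zone, case_insensitive_match_or_None) for every
    from/to zone that does not exist with that exact spelling."""
    zones = {z.get("name") for z in root.iterfind(".//vsys/entry/zone/entry")}
    problems = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        for direction in ("from", "to"):
            for member in rule.iterfind(f"{direction}/member"):
                name = (member.text or "").strip()
                if name == "any" or name in zones:
                    continue
                # A case-only mismatch is the most common import surprise.
                hint = next((z for z in zones if z.lower() == name.lower()), None)
                problems.append((rule.get("name"), direction, name, hint))
    return problems


def check_email_references(root):
    """Return (profile, match_list, email_profile) for every send-email action
    whose email server profile is missing from shared log-settings."""
    email_profiles = {e.get("name") for e in root.iterfind(".//log-settings/email/entry")}
    problems = []
    for profile in root.iterfind(".//log-settings/profiles/entry"):
        for match in profile.iterfind("match-list/entry"):
            for member in match.iterfind("send-email/member"):
                name = (member.text or "").strip()
                if name not in email_profiles:
                    problems.append((profile.get("name"), match.get("name"), name))
    return problems


def run_checks(xml_text):
    """Parse the export and run both checks; empty lists mean it is safe to import."""
    root = ET.fromstring(xml_text)
    return {"zones": check_zone_references(root), "emails": check_email_references(root)}


if __name__ == "__main__":
    result = run_checks(FIREWALL_XML)
    for rule, direction, zone, hint in result["zones"]:
        fix = f" (did you mean '{hint}'?)" if hint else ""
        print(f"rule {rule}: {direction} zone '{zone}' does not exist{fix}")
    for profile, match, email in result["emails"]:
        print(f"log profile {profile} / {match}: email profile '{email}' not found")
```

Running it against the constructed sample reports the three case-mismatched zone references and the missing 'Test Alerts' email profile; against a real export, fix every reported item on the firewall (rename the zones so the case matches Panorama, and either create the email server profile locally or remove the send-email action) before re-running the Panorama import.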
09-24-2019 10:50 AM
I changed the zone names on the FW to all lowercase and committed it, but when I did that the tunnel between that FW and our on-prem FW went down. I had to bounce the tunnel to get it passing traffic again... odd, but whatever.
As far as the logging goes, I am not logging anything to Panorama on the FW. Those 'Test-Alerts' are configured on the Panorama and pushed to my other managed PANs. On the FW I am trying to import, logging is only set to 'Log at Session End' and Forwarding is set to 'none' on every policy.
Are you saying to disable the log settings on the 2 shared POST security policies on the PANORAMA? This stuff is so cryptic, sometimes I love PAN and other times I want to beat it like a red headed stepchild.