01-13-2017 10:26 AM
Hello Community,
Recently I did my first configuration import of a firewall into Panorama. Everything works as expected, but when I do a device group commit, I get the following message in Panorama:
When I take a look at the firewall, it says the commit was successful. In managed devices in Panorama, last commit state is "commit succeeded with warnings". Any idea what I need to change in the Panorama config to make this warning go away? Both Panorama and firewall are running PAN-OS 7.0.11.
Commits to firewalls with their configuration originally built in Panorama do not experience the issue.
Thanks for any help!
01-17-2017 07:28 PM
This is the detail I get from Panorama:
Details
Configuration committed successfully
Warnings
vsys1
(Module: device)
If I log into the firewall and look at the commit status, I see this:
Details
Configuration committed successfully
There seems to be a reference to vsys1 in the config that Panorama isn't expecting.
01-17-2017 07:48 PM
Here's a screenshot of the details in Panorama. I don't have a screenshot from the firewalls themselves, but it just says the configuration committed successfully.
The other unique thing about this firewall import is it was for an HA A/P pair. All the other devices are single firewalls. Getting the commit with warnings on the active and the passive firewall. Could the imported HA configuration be causing an issue? I do have link and path monitoring configured in Panorama that's being pushed to the firewalls.
02-06-2017 06:05 PM
I have another firewall that was imported exhibiting the same behavior, and it isn't running in HA. Any thoughts on this one?
02-06-2017 08:43 PM
Do you have multiple vsys in Panorama and the target firewalls? Do you see something unusual there?
06-12-2017 07:19 AM
So sorry for the late reply, but the issue is still occurring and I'm seeing it on more firewalls I've imported. Multi-VSYS is not enabled in Panorama or on the firewalls, so I'm not seeing anything out of the ordinary there.
06-12-2017 07:41 AM
Hi @dan731028
I faced this problem a few times in the past, and in my particular case it was associated with the certificate chain I was using for GlobalProtect.
For example: If I only upload the certificate but not the Root and Intermediate certificate, Panorama returns this error although it does not actually indicate that it is the issue.
So, I wanted to ask if you have uploaded any certificates to Panorama or to one of your templates, that do not have the root or intermediate certs chained.
Willian
06-12-2017 08:50 AM
Hi @acc6d0b3610eec313831f7900fdbd235
I do have a certificate chain for GlobalProtect as we're using a wildcard certificate for that, and the two that are presenting the error do have the certificate chain installed. I'm not getting any error messages when I commit on the firewalls themselves that the certificate chain is incorrect or anything and the certificates are nested as expected in Panorama and the firewalls in Device>Certificates. I've double-checked the chain and I do have the correct ones installed. Would it be worth removing and re-adding the chain?
06-12-2017 08:53 AM
I would say so. Try removing the entire chain and re-adding it.
In my experience, this was the only thing that caused this type of error to occur.