Panorama commit succeeds with warning after firewall config import

L3 Networker

Hello Community,
Recently I did my first configuration import of a firewall into Panorama. Everything works as expected, but when I do a device group commit, I get the following message in Panorama:

 

Details
Configuration committed successfully

Warnings
vsys1
(Module: device)
 

When I take a look at the firewall, it says the commit was successful.  In managed devices in Panorama, last commit state is "commit succeeded with warnings".  Any idea what I need to change in the Panorama config to make this warning go away?  Both Panorama and firewall are running PAN-OS 7.0.11.

Commits to firewalls with their configuration originally built in Panorama do not experience the issue.

Thanks for any help!

L7 Applicator

Re: Panorama commit succeeds with warning after firewall config import

Hi Dan

 

Is there additional information on Panorama when you click on "commit succeeded with warnings"?

reaper - PANgurus.com
I drink and I know things
L3 Networker

Re: Panorama commit succeeds with warning after firewall config import

This is the detail I get from Panorama:


Details
Configuration committed successfully

Warnings
vsys1
(Module: device)


If I log into the firewall and look at the commit status, I see this:


Details
Configuration committed successfully

There seems to be a reference to vsys1 in the config that Panorama isn't expecting.

L3 Networker

Re: Panorama commit succeeds with warning after firewall config import

[Screenshot: panorama-screen-1.jpg]

Here's a screen shot of the details in Panorama.  I don't have a screenshot from the firewalls themselves, but it just says the configuration committed successfully.

 

The other unique thing about this firewall import is it was for an HA A/P pair.  All the other devices are single firewalls.  Getting the commit with warnings on the active and the passive firewall.  Could the imported HA configuration be causing an issue?  I do have link and path monitoring configured in Panorama that's being pushed to the firewalls.  

 

[Screenshots: panorama-screen-2.jpg, panorama-screen-3.jpg]

L3 Networker

Re: Panorama commit succeeds with warning after firewall config import

I have another firewall that was imported exhibiting the same behavior, and it isn't running in HA.  Any thoughts on this one?

L4 Transporter

Re: Panorama commit succeeds with warning after firewall config import

Do you have multiple vsys in Panorama and the target firewalls? Do you see something unusual there?

L3 Networker

Re: Panorama commit succeeds with warning after firewall config import

So sorry for the late reply, but the issue is still occurring and I'm seeing it on more firewalls I've imported.  Multi-VSYS is not enabled in Panorama or on the firewalls, so I'm not seeing anything out of the ordinary there.

L4 Transporter

Re: Panorama commit succeeds with warning after firewall config import

Hi @dan731028

I faced this problem a few times in the past, and in my particular case it was associated with the certificate chain I was using for GlobalProtect.

For example: If I only upload the certificate but not the Root and Intermediate certificate, Panorama returns this error although it does not actually indicate that it is the issue.

So, I wanted to ask if you have uploaded any certificates to Panorama or to one of your templates, that do not have the root or intermediate certs chained.

 

Willian

L3 Networker

Re: Panorama commit succeeds with warning after firewall config import

Hi @Willian

I do have a certificate chain for GlobalProtect as we're using a wildcard certificate for that, and the two that are presenting the error do have the certificate chain installed.  I'm not getting any error messages when I commit on the firewalls themselves that the certificate chain is incorrect or anything and the certificates are nested as expected in Panorama and the firewalls in Device>Certificates.  I've double-checked the chain and I do have the correct ones installed.  Would it be worth removing and re-adding the chain?

L4 Transporter

Re: Panorama commit succeeds with warning after firewall config import

@dan731028

I would say so. Try removing the entire chain and re-adding it.

In my experience, this was the only thing that caused this type of error to occur. 
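
Before removing and re-adding a chain as discussed above, the leaf certificate and its CA bundle can be checked offline for a complete path to a self-signed root. This is an added example, not part of the thread: the three-tier PKI, file names and the `chain_ok` helper are constructed for illustration, and OpenSSL 1.1.0 or later is assumed.

```bash
# Added example: builds a constructed three-tier test PKI (not real certificates)
# and checks which CA bundles give the leaf a complete path to a self-signed root.
set -eu
work=$(mktemp -d)
cd "$work"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext   # marks a cert as a CA

# new_csr NAME CN: write NAME.key and NAME.csr
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}
new_csr root  "Constructed Root CA"
new_csr inter "Constructed Intermediate CA"
new_csr leaf  "*.gp.example.test"

# Root is self-signed; intermediate is signed by root; leaf by intermediate.
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
  -days 30 -out root.pem 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 30 -out inter.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -out leaf.pem 2>/dev/null
cat root.pem inter.pem > full.pem

# chain_ok LEAF BUNDLE: exit 0 only if LEAF verifies to a self-signed root
# using the certificates in BUNDLE alone (system trust directory ignored).
chain_ok() {
  openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

for bundle in full.pem root.pem inter.pem; do
  if chain_ok leaf.pem "$bundle"; then
    echo "$bundle: chain complete"
  else
    echo "$bundle: chain incomplete"
  fi
done
```

For a real check, point `chain_ok` at the PEM files exported from Panorama or the firewall; a bundle missing either the root or the intermediate fails the same way the constructed `root.pem` and `inter.pem` bundles do here.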
