Panorama not pushing network template changes to devices

L1 Bithead

Hello,

 

I am very new to Palo Alto FWS so please be gentle 🙂 

 

I have been asked to set up two new PA3060 firewalls to be centrally managed by a Panorama server.  Both the Panorama and Firewalls are running v8.0.5.

 

I have successfully followed the PA instructions to import the firewalls and configs into the Panorama.

 

However, if I create, say, a new interface, new sub-interface or new static routes in the virtual router, I commit the changes to the Panorama and then attempt a push to device.

 

The Commit shows as Completed, however when I access the device GUI, the new interfaces and static routes are not populated in the config of the device.

 

Any and all help is appreciated.

 

Thanks & Regards

 

Grant

7 REPLIES 7

L3 Networker

Hi,

 

Have you configured them in the device group?

 

Thanks

Yes, the devices are already in a device group.

Are you getting an error? Or does Panorama give you a completed status message? If the push goes through without error but you aren't seeing the changes, make sure the device isn't overriding Panorama. That will be indicated by a green and yellow gear icon. When it's taking Panorama's settings, the firewall will show you a green gear icon. You'll need to login to the device (firewall) via the WebGUI to check this. 

Hello,

 

A check of the Web GUI of the devices shows a green gear icon for those sections affected, namely interfaces, sub-interface and static routes in a non-default VR.

 

The Push to Device from the Panorama to the devices is not predictable.  For example, when setting up a log forwarding profile the commit to the devices fails to both devices.  This failed with an error as follows:

  • Details:
  • . Validation Error:
  • . log-settings -> profiles -> syslog -> match-list -> ABC_RTW_LFP_Traffic -> send-syslog 'abc_panorama_syslog_rtw' is not a valid reference
  • . log-settings -> profiles -> syslog -> match-list -> ABC_RTW_LFP_Traffic -> send-syslog is invalid
  • . Commit failed
  •  
  • Warnings:

The Panorama Managed Devices view at this point shows the shared policy template as in-sync but the Template out-of-sync.

Another more common error is that we create a brand new sub-interface in Panorama, that most definitely does not exist on the device, along with an IPv4 address, a new zone and a static route or two.  The commit to Panorama is successful but the commit to device fails to only one device this time, namely the passive device in the cluster.

A check of the devices shows config has been pushed.  The error in this case is as follows:

To ABCFWDRTW1 device

 

  • Details:
  • . Configuration committed successfully
  •  
  • Warnings:

 

To ABCFWDRTW2

  • Details:
  • . Validation Error:
  • . network -> interface -> ethernet -> ethernet1/4 -> layer3 -> units -> ethernet1/4.180 -> ip -> 10.215.227.254_26 10.215.227.254_26 is an invalid ipv4/v6 address
  • . network -> interface -> ethernet -> ethernet1/4 -> layer3 -> units -> ethernet1/4.180 -> ip -> 10.215.227.254_26 '10.215.227.254_26' is invalid. Invalid IPv4 address
  • . network -> interface -> ethernet -> ethernet1/4 -> layer3 -> units -> ethernet1/4.180 -> ip is invalid
  • . invalid interface address 10.215.227.254_26(Module: routed)
  • . Commit failed
  •  
  • Warnings:

Any thoughts, suggestions are appreciated. 

 

Regards
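As an added example (not part of the original posts and not Palo Alto Networks code), the push details quoted above can be split per device into the lines that name the failing node and the lines that only repeat the failure for a parent node. The function names and the `missing-reference`, `bad-address` and `cascade` labels are assumptions of this example; the sample text is copied from the posts.

```python
import re
from collections import defaultdict

# Detail lines copied from the posts above, forum bullet markers included.
SAMPLE = """\
  • . Validation Error:
  • . log-settings -> profiles -> syslog -> match-list -> ABC_RTW_LFP_Traffic -> send-syslog 'abc_panorama_syslog_rtw' is not a valid reference
  • . log-settings -> profiles -> syslog -> match-list -> ABC_RTW_LFP_Traffic -> send-syslog is invalid
  • . Commit failed
To ABCFWDRTW1 device
  • . Configuration committed successfully
To ABCFWDRTW2
  • . network -> interface -> ethernet -> ethernet1/4 -> layer3 -> units -> ethernet1/4.180 -> ip -> 10.215.227.254_26 10.215.227.254_26 is an invalid ipv4/v6 address
  • . network -> interface -> ethernet -> ethernet1/4 -> layer3 -> units -> ethernet1/4.180 -> ip -> 10.215.227.254_26 '10.215.227.254_26' is invalid. Invalid IPv4 address
  • . network -> interface -> ethernet -> ethernet1/4 -> layer3 -> units -> ethernet1/4.180 -> ip is invalid
  • . invalid interface address 10.215.227.254_26(Module: routed)
  • . Commit failed
"""

def parse_push_details(text):
    """Group push-job detail lines by device: commit status plus error findings."""
    report = defaultdict(lambda: {"status": "unknown", "findings": []})
    device = "(no device header)"  # details pasted without a "To <device>" line
    for raw in text.splitlines():
        line = re.sub(r"^[\s•.]+", "", raw).strip()  # drop bullet and dot prefixes
        m = re.match(r"To (\S+)", line)
        if m:
            device = m.group(1)
        elif line == "Configuration committed successfully":
            report[device]["status"] = "ok"
        elif line == "Commit failed":
            report[device]["status"] = "failed"
        elif " -> " in line:
            *parents, last = line.split(" -> ")
            node, _, msg = last.partition(" ")  # leaf node name, then the message
            kind = ("missing-reference" if "not a valid reference" in msg
                    else "bad-address" if re.search(r"invalid ipv4", msg, re.I)
                    else "cascade")  # parent flagged only because a child failed
            finding = (kind, " -> ".join(parents + [node]))
            if finding not in report[device]["findings"]:
                report[device]["findings"].append(finding)
    return dict(report)

def root_causes(report):
    """For failed devices, keep only the findings that name the failing node."""
    return {d: [f for f in r["findings"] if f[0] != "cascade"]
            for d, r in report.items() if r["status"] == "failed"}
```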

Did you find a solution to this problem?

 

Appreciate it if you can share! 

 

Regards, 

Layale

L1 Bithead

The first time, prior to defining new Template objects in Panorama, you must push the Template from Panorama to the devices with the flag "Force Template values" on (in Edit Selections).

If you don't do this the first time, all the Template (Network and Device) definitions in the device are marked as "Override" and then the preferred values in the push are the device values.

Values on Override state : PREFERENCE DEVICE VALUES

override.jpg

 

Values on No-Override State: panorama values

 

NO_OVERRIDE.jpg

 

Once you have values on No-Override State you must configure only from Panorama and Panorama values will be the values on the device.

Yes, the devices are configured in the correct device group.
