This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Panorama not pushing network template changes to devices

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Panorama not pushing network template changes to devices

gc227s
L1 Bithead

‎11-09-2017 12:48 PM

Hello,

 

I am very new to Palo Alto FWS so please be gentle 🙂 

 

I have been asked to setup two new PA3060 firewalls to be centrally managed by a Panorama server.  Both the Panorama and Firewalls are running v8.0.5.

 

I have successfully followed the PA instructions to import the firewalls and configs into the Panorama.

 

However, if I create say a new interface, new sub-interface or new static routes into the virtual router, I commit the changes to the Panorama an then attempt a push to device.

 

The Commit shows as Completed, however when I access the device GUI, the new interfaces and static routes are not populated in the config of the device.

 

Any and all help is appreciated.

 

Thanks & Regards

 

Grant

3 people had this problem.
0 Likes Likes
7 REPLIES 7

mahmoodm
L3 Networker

‎11-10-2017 11:21 AM

Hi,

 

Have u configured them in the device group.

 

Thanks

0 Likes Likes

gc227s
L1 Bithead
In response to mahmoodm

‎11-17-2017 12:19 AM

Yes, the devices are already in a device group.

0 Likes Likes

daghastly1
L0 Member
In response to gc227s

‎11-20-2017 11:37 AM

Are you getting an error? Or does Panorama give you a completed status message? If the push goes through without error but you aren't seeing the changes, make sure the device isn't overriding Panorama. That will be indicated by a green and yellow gear icon. When it's taking Panorama's settings, the firewall will show you a green gear icon. You'll need to login to the device (firewall) via the WebGUI to check this. 

0 Likes Likes

gc227s
L1 Bithead
In response to daghastly1

‎11-20-2017 12:21 PM

Hello,

 

A check of the Web GUI of the devices shows a green gear icon for those sections affected, namely interfaces, sub-interface and static routes in a non-default VR.

 

The Push to Device from the Panorama to the devices is not predictable.  For example, when setting up a log forwarding profile the commit to the devices fails to both devices.  This failed with an error as follows:

  • Details:
  • . Validation Error:
  • . log-settings -> profiles -> syslog -> match-list -> ABC_RTW_LFP_Traffic -> send-syslog 'abc_panorama_syslog_rtw' is not a valid reference
  • . log-settings -> profiles -> syslog -> match-list -> ABC_RTW_LFP_Traffic -> send-syslog is invalid
  • . Commit failed
  •  
  • Warnings:

    The Panorama Managed Devices view at this point shows the shared policy template as in-sync but the Template out-of sync. 

    Another more common error is that we create a brand new sub-interface in Panorama, that most definately does not exist on the device, along with an IPv4 address, a new zone and a static route or two.  The commit to Panorama is successful but the commit to device fails to only one device this time, namely the passive device in the cluster.

A check of the devices shows config has been pushed.  The error in this case is as follows:

To ABCFWDRTW1 device

 

  • Details:
  • . Configuration committed successfully
  •  
  • Warnings:

 

To ABCFWDRTW2

  • Details:
  • . Validation Error:
  • . network -> interface -> ethernet -> ethernet1/4 -> layer3 -> units -> ethernet1/4.180 -> ip -> 10.215.227.254_26 10.215.227.254_26 is an invalid ipv4/v6 address
  • . network -> interface -> ethernet -> ethernet1/4 -> layer3 -> units -> ethernet1/4.180 -> ip -> 10.215.227.254_26 '10.215.227.254_26' is invalid. Invalid IPv4 address
  • . network -> interface -> ethernet -> ethernet1/4 -> layer3 -> units -> ethernet1/4.180 -> ip is invalid
  • . invalid interface address 10.215.227.254_26(Module: routed)
  • . Commit failed
  •  
  • Warnings:

Any thoughts, suggestions are appreciated. 

 

Regards

0 Likes Likes

Layale
L0 Member
In response to gc227s

‎02-07-2018 10:42 AM

Did you find a solution to this problem?

 

Appreciate it if you can share! 

 

Regards, 

Layale

0 Likes Likes

Pepen
L1 Bithead

‎11-20-2018 01:41 AM

The first time prior to define in Panorama new Template objects you must push the Template from Panorama to the devices with the flag "Force Template values" on (In Edit Selections)

If you don´t do this the first time, all the Template (Network and Device) definitions in the device are marked as "Override" and then the prefered values in the push are the device values.

Values on Override state : PREFERENCE DEVICE VALUES

override.jpg

 

Values on No-Override State: panorama values

 

NO_OVERRIDE.jpg

 

Once you have values on No-Override State you must configure only from Panorama and Panorama values will be /the values on tehe device.

0 Likes Likes

John_Bell
L0 Member
In response to mahmoodm

‎03-18-2020 09:22 AM

yes the devices are configured in the correct device group

0 Likes Likes
  • 16070 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks