Panorama pushed zone not applied to subinterface

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Panorama pushed zone not applied to subinterface

L4 Transporter

Its a new firewall, with 2 interfaces in AE, zone configured and pushed through panorama template.

When configuring L3 sub-interface for this AE interface, i can configure ip, vr but the security zone would not get applied to it.

Both firewall and panorama at 8.1.8

6 REPLIES 6

L0 Member

Same issue, Panorama 8.1.8 firewall is running 8.0.18

My issue was L3 Interfaces, sub-Interface and now Tunnel interface

L1 Bithead

We just had simular issue.

 

This is related to the bug that was though to be address in 8.1.7, but it resurfaced in 8.1.8.

 

Here is support's response.

 

"...

 

As discussed, it looks like a bug in JIRA (PAN-118603 duplicated with PAN-119175) in PAN-OS 8.1.8 where Partial local commit on Panorama is not applying changes to shared address groups. In this case we tested and this bug also applied to the security zone in network tab.

Workaround is do a "Commit All Changes" to the panorama and then push to devices.

Note: The report showed the issue is not visible in PAN-OS 8.1.7, but issue is visible in PAN-OS 8.1.8.

Our engineering team is still working on the fix for that issue.
It may get fixed in PAN-OS 8.1.9.

 

..."


@Neil_Xu wrote:

Workaround is do a "Commit All Changes" to the panorama and then push to devices.


@Neil_Xu does this workaround work for you? In my situation is wasn't working. I don't evdn know if my problem is related to this one. I started with creating a zone. After that I applied it to a new L3 subinterface and tried to push the config to the firewall. The new L3 subinterface was created on the firewall but without the zone applied. After some desperate tries I created another zone in panorama, applied it to the interface and pushed the configurarion. This time the zone was also applied to the interface. The previous existing zone which still is configured in panorama was still not pushed to the firewall. Next try was that I again applied the first zone to the interface, deleted the second one and then renamed the initial zone to the name of the second zone. Again the zone was pushed to the firewall. After renaming the zone again to the inital name and another config push the zone disapeared again ... very strange behaviour ...

@Remo Yes, this workaround worked for me, but not ideal and Palo is working on resolving this issue.

 

I'm sure you know and have done these, but this is the step-by-step:

 

1 - Make sure that at the local firewall level that the zone and interfaces are inherent to that of Panorama's configuration. 

2 - Execute "Commit All Changes" on the panorama, then "Push" it to the local firewall.

3 - Refresh the page (F5) for the local firewall web interface. 

 

I'd say if this still doesn't work for you, then you may have a separate issue that support need to be involved.  The good thing is that support already have (or know) simuilar issues and they can perform a debug to follow the logs on the firewall to your sepicific issue.

 

Hope this helps some... 

 

 

Having same problem in Panorama 9.0.3-H3 and PA-5260 with 9.0.3-H3.  Looks like doing the workaround (full commit and push) didn't work for me either

  • 11252 Views
  • 6 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!