This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Panorama shared object rename bug?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Panorama shared object rename bug?

mb_equate
L3 Networker

‎09-07-2020 01:39 AM

Panorama 9.1.4. I'm sure this is a bug...

 

When a shared and device-group specific object with the same name exist, renaming the shared object updates references in the child device-group resulting in those objects (policies, profiles, address-groups, whatever) inheriting the shared object value instead of the DG-specific one. This should not happen - only references to the shared object should change.

Example:
Shared object: foo (1.1.1.1)
DG1 object: foo (2.2.2.2)

DG1 object: bar (3.3.3.3)
DG1 rule: foo (2.2.2.2) -> bar (3.3.3.3)

Renaming shared object "foo" to "foo-a" will result in the following:

DG1 rule: foo-a (1.1.1.1) -> bar (3.3.3.3)

 

If you rename the shared object to something else that exists in a child DG e.g. "bar":

 

DG1 rule: bar (3.3.3.3) -> bar (3.3.3.3)

Same applies to other object references - custom URL cats in URLF profiles, addresses in groups, profiles in profile groups etc.

The reason this should not happen is that any device-group specific object, if overriding a shared object, is there for a reason. No edits to the shared object should modify the child references IF an object with the same name exists in the child group.

0 Likes Likes
2 REPLIES 2

kiwi
Community Team Member

‎09-10-2020 03:54 AM

Hi @mb_equate ,

 

I haven't had the opportunity to test it myself but it sounds indeed buggy.

Have you reported this to TAC to have this confirmed ?

 

Cheers,

-Kiwi.

 

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

mb_equate
L3 Networker
In response to kiwi

‎09-10-2020 04:34 PM

TAC just pointed me to an article on how to override an ancestor object value in a child DG so I've asked them to replicate 🙂

 

It's a valid use case especially when importing multiple devices and those with objects in a vsys - for a customer with lots of firewalls you're bound to run into this issue.

 

Assuming you're in NZ, say hi to Mum for me!

0 Likes Likes
  • 2755 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks