Problem with Panorama pushed updates


L2 Linker

Hello all,


I have problems with the security policy push.

When I try to push them, the commit fails with:

  • Validation Error:
  • rulebase -> security -> rules -> ms-ad -> destination 'offices-subnet' is not an allowed keyword
  • rulebase -> security -> rules -> ms-ad -> destination offices-subnet is an invalid ipv4/v6 address
  • rulebase -> security -> rules -> ms-ad -> destination offices-subnet invalid range start IP
  • rulebase -> security -> rules -> ms-ad -> destination 'offices-subnet' is not a valid reference
  • rulebase -> security -> rules -> ms-ad -> destination is invalid
  • vsys1
  • Error: Failed to find address 'offices-subnet'
  • Error: Unknown address 'offices-subnet'
  • Error: Failed to parse security policy
  • (Module: device)
  • Commit failed

It happens with all shared addresses and address-groups. When I remove them, I mean when I push the policies without source/destination address configured, the commit completes.


Accepted Solution

Hello,

Updating Panorama to 9.1.6 and restarting the configd daemon fixed the issue.

Thank you all

10 REPLIES

L2 Linker

Hi,

As per the below logs, I can assume that the IP addresses/subnets were not properly defined or bound, or might be wrong IPs.


Best Regards,

Suresh

Sureshreddymudhireddy

If it was just one address, OK, but there are 1000+ records.

They used to work before.

Did it all of a sudden stop working or is this a new implementation or upgrade?


One thing to look for is that on the local firewall Panorama is allowed to push Objects:

(screenshot attached: BeardedTree_0-1607889655009.png)

As you're stating that a blank push of a firewall policy without objects is working, I believe this is enabled.

Make sure the Object or Object-Group you're trying to push out isn't bound to a certain firewall but is in the "Shared" object space or Object specifically for that FW.

If the item is a group containing more IPs, FQDNs or Objects, it never hurts to check the actual sub-objects for errors.

-- In case of emergency unplug cables--

They are all shared.

If I create a new shared one and push it, it works.

Cyber Elite

@stef,

Is the offices-subnet the only object that you are having an issue with, or is it all of your address and address-group objects? It's not entirely clear from your earlier posts, but I'm assuming that this object is an address-group made up of a bunch of different address objects representative of all of your individual offices. When the commits started to fail, have you looked at the system logs and verified that nobody added in a new range that invalidated the entry? The error in your first post would indicate that someone simply fat-fingered an IP address.

@BPry 

This is only an example. It is an address, not an address set. But the problem is with all other addresses and address-groups too.

For example, if I remove "offices-subnet", which is configured as the source subnet, the error appears for the destination one, which is different, and when I remove the destination one the error appears for the source object of the next policy, and so on and so on.

If I create a new address-group or address and populate it in the policy, there is no problem.

How were the object created initially? The way you're explaining it sounds to me like an import gone wrong where the firewall/Panorama did load the Object but something is "off" with the way it's in the running XML.

-- In case of emergency unplug cables--
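To make the "something is off in the running XML" hypothesis checkable, here is an added example (not code from this thread and not a Palo Alto Networks tool) that parses a config export and reproduces the kind of validation the commit failed on: every source/destination member of each security rule must resolve to a built-in keyword, a shared address object or a shared address-group, every group member must itself be defined, and every ip-netmask must parse as an IPv4/IPv6 network. The XML layout is a constructed approximation of the PAN-OS config format (shared address and address-group objects, a vsys1 rulebase), and the sample values, including the undefined `offices-subnet` reference, are made up for illustration.

```python
"""Cross-check security-rule address references against defined shared objects.

Added example; the XML layout below approximates PAN-OS config XML and is an
assumption for illustration, not an export from any real Panorama.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: one valid address, one address with a bad netmask, one
# group that lists an undefined member, and a rule ("ms-ad") whose source
# references an object that was never created in the shared scope.
SAMPLE_CONFIG = """<config>
  <shared>
    <address>
      <entry name="hq-lan"><ip-netmask>10.1.0.0/16</ip-netmask></entry>
      <entry name="bad-ip"><ip-netmask>10.1.300.0/24</ip-netmask></entry>
    </address>
    <address-group>
      <entry name="all-sites"><static><member>hq-lan</member><member>missing-site</member></static></entry>
    </address-group>
  </shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase><security><rules>
      <entry name="ms-ad">
        <source><member>offices-subnet</member></source>
        <destination><member>all-sites</member></destination>
      </entry>
      <entry name="web-out">
        <source><member>hq-lan</member></source>
        <destination><member>any</member></destination>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

KEYWORDS = {"any"}  # built-in rule keywords that need no object definition


def load_objects(root):
    """Return (addresses: name -> (type, value), groups: name -> [members]) from <shared>."""
    addresses, groups = {}, {}
    for e in root.findall("./shared/address/entry"):
        # An address entry carries one value child: ip-netmask, ip-range or fqdn.
        child = next(iter(e), None)
        addresses[e.get("name")] = (child.tag, child.text.strip()) if child is not None else None
    for e in root.findall("./shared/address-group/entry"):
        groups[e.get("name")] = [m.text.strip() for m in e.findall("./static/member")]
    return addresses, groups


def validate_addresses(addresses):
    """Flag address objects whose ip-netmask is not a parsable IPv4/IPv6 network."""
    problems = []
    for name, val in addresses.items():
        if val and val[0] == "ip-netmask":
            try:
                ipaddress.ip_network(val[1], strict=False)
            except ValueError:
                problems.append(f"address '{name}' has invalid ip-netmask {val[1]}")
    return problems


def validate_rules(root, addresses, groups):
    """Flag rule members and group members that do not resolve to a defined object."""
    problems = []
    known = set(addresses) | set(groups) | KEYWORDS
    for rule in root.findall(".//rulebase/security/rules/entry"):
        for field in ("source", "destination"):
            for m in rule.findall(f"./{field}/member"):
                name = m.text.strip()
                if name not in known:
                    problems.append(f"rule '{rule.get('name')}' {field} '{name}' is not a valid reference")
    for gname, members in groups.items():
        for m in members:
            if m not in addresses and m not in groups:
                problems.append(f"address-group '{gname}' member '{m}' is undefined")
    return problems


def check_config(xml_text):
    """Parse a config export and return a list of human-readable findings."""
    root = ET.fromstring(xml_text)
    addresses, groups = load_objects(root)
    return validate_addresses(addresses) + validate_rules(root, addresses, groups)


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run against a real export, the checker reports every rule member that the commit would reject as "not a valid reference", which is a quick way to tell a single mistyped object apart from the mass breakage described above, where every shared object fails in turn.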

Another quick thought would be a Panorama running a newer version and using features that are not supported on the firewall you're pushing it to.

-- In case of emergency unplug cables--

I import them via the CLI.

They used to work.
