I have problems with the security policy push.
When I try to push them, the commit fails with:
It happens with all shared addresses and address-groups. When I remove them, I mean when I push the policies without source/destination address configured, the commit is completed.
Did it all of a sudden stop working or is this a new implementation or upgrade?
One thing to look for is that on the local firewall Panorama is allowed to push Objects:
As you're stating a blank push of a firewall policy without objects is working, I believe this is enabled.
Make sure the Object or Object-Group you're trying to push out isn't bound to a certain firewall but is in the "Shared" object space or Object specifically for that FW.
If the item is a group containing more IPs, FQDNs or Objects it never hurts to check the actual sub-objects for errors.
Is the offices-subnet the only object that you are having an issue with, or is it all of your address and address-group objects? It's not entirely clear from your earlier posts, but I'm assuming that this object is an address-group made up of a bunch of different address objects representative of all of your individual offices. When the commits started to fail, have you looked at the system logs and verified that nobody added in a new range that invalidated the entry? The error in your first post would indicate that someone simply fat-fingered an IP address.
This is only an example. It is an address, not an address set. But the problem is with all other addresses and address-groups too.
For example, if I remove "offices-subnet", which is configured as the source subnet, the error appears for the destination one, which is different, and when I remove the destination one the error appears for the source object of the next policy, and so on and so on.
If I create a new address-group or address and populate it in the policy there is no problem.
How were the objects created initially? The way you're explaining it sounds to me like an import gone wrong where the firewall/Panorama did load the Object but something is "off" with the way it's in the running XML.
Another quick thought would be a Panorama running a newer version and using features that are not supported on the firewall you're pushing it to.