12-13-2020 08:43 AM
Hello all,
I have problems with the security policy push.
When I try to push them, the commit fails with:
It happens with all shared addresses and address-groups. When I remove them, I mean when I push the policies without source/destination address configured, the commit is completed.
12-13-2020 10:39 AM
Hi,
As per the logs below, I can assume that the IP addresses/subnets were not properly defined or bound, or might be wrong IPs.
Best Regards,
Suresh
12-13-2020 11:01 AM - edited 12-13-2020 11:01 AM
If it was just one address, OK, but there are 1000+ records.
They used to work before.
12-13-2020 12:06 PM
Did it all of a sudden stop working or is this a new implementation or upgrade?
One thing to look for is that on the local firewall Panorama is allowed to push Objects:
As you're stating a blank push of a firewall policy without objects is working I believe this is enabled.
Make sure the Object or Object-Group you're trying to push out isn't bound to a certain firewall but is in the "Shared" object space or Object specifically for that FW.
If the item is a group containing more IPs, FQDNs or Objects, it never hurts to check the actual sub-objects for errors.
12-13-2020 12:44 PM
They are all shared.
If I create a new shared one and push it, it works.
12-13-2020 09:05 PM
Is the offices-subnet the only object that you are having an issue with, or is it all of your address and address-group objects? It's not entirely clear from your earlier posts, but I'm assuming that this object is an address-group made up of a bunch of different address objects representative of all of your individual offices. When the commits started to fail, have you looked at the system logs and verified that nobody added in a new range that invalidated the entry? The error in your first post would indicate that someone simply fat-fingered an IP address.
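An added example, not part of any post in this thread: an offline check of the kind suggested in the replies above (checking group sub-objects for errors, looking for a mistyped IP), run over an exported configuration XML. The sample XML, object names and values are constructed, and the `shared/address` and `shared/address-group` layout is assumed to match the export.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed sample in the assumed <shared> layout; names and values are made up.
SAMPLE = """<config><shared>
  <address>
    <entry name="offices-subnet"><ip-netmask>10.20.0.0/16</ip-netmask></entry>
    <entry name="branch-typo"><ip-netmask>10.20.300.0/24</ip-netmask></entry>
    <entry name="dmz-range"><ip-range>192.0.2.50-192.0.2.10</ip-range></entry>
    <entry name="portal"><fqdn>portal.example.com</fqdn></entry>
  </address>
  <address-group><entry name="all-offices"><static>
    <member>offices-subnet</member><member>branch-missing</member>
  </static></entry></address-group>
</shared></config>"""

def check_value(kind, text):
    """Return an error string for a malformed address value, else None."""
    try:
        if kind == "ip-netmask":
            ipaddress.ip_interface(text)  # accepts an address with or without /prefix
        elif kind == "ip-range":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
            if lo.version != hi.version or lo > hi:
                return "mixed IP versions or range start above range end"
    except ValueError as exc:  # bad octet, bad prefix, wrong number of range parts
        return str(exc)
    return None  # other kinds (for example fqdn) are not validated here

def audit_shared(xml_text):
    """List (object name, problem) pairs for shared addresses and static groups."""
    shared = ET.fromstring(xml_text).find("shared")
    findings, names = [], set()
    for entry in shared.findall("address/entry"):
        names.add(entry.get("name"))
        for child in entry:
            err = check_value(child.tag, (child.text or "").strip())
            if err:
                findings.append((entry.get("name"), f"{child.tag}: {err}"))
    groups = shared.findall("address-group/entry")
    names.update(g.get("name") for g in groups)  # groups may nest other groups
    for group in groups:
        for member in group.findall("static/member"):
            if member.text not in names:
                findings.append((group.get("name"), f"unknown member {member.text}"))
    return findings

if __name__ == "__main__":
    for name, problem in audit_shared(SAMPLE):
        print(f"{name}: {problem}")
```

With 1000+ objects, running this over the export narrows the search to the entries that fail parsing or reference a missing member; an empty result points away from the object data itself.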
12-13-2020 09:49 PM
This is only an example. It is an address, not an address set. But the problem is with all other addresses and address-groups too.
For example, if I remove "offices-subnet", which is configured as the source subnet, the error appears for the destination one, which is different, and when I remove the destination one the error appears for the source object of the next policy, and so on and so on.
If I create a new address-group or address and populate it in the policy, there is no problem.
12-14-2020 12:04 PM
How were the objects created initially? The way you're explaining it sounds to me like an import gone wrong where the firewall/Panorama did load the Object but something is "off" with the way it's in the running XML.
12-14-2020 12:06 PM
Another quick thought would be a Panorama running a newer version and using features that are not supported on the firewall you're pushing it to.
12-14-2020 01:38 PM
I import them via CLI.
They used to work.
12-22-2020 12:53 AM
Hello,
Updating Panorama to 9.1.6 and restarting the configd daemon fixed the issue.
Thank you all