Region making autocommit fail

@BPry

I was asked by TAC if i was using regions and I have been for some time and it never caused an issue upgrading before so i was just curious if anyone else had seen this issue.  

've seen one instance where the region object was not created properly and a region was added directly into a security policy instead of through an object, which then caused an issue after the upgrade.

this was fixed by properly creating the region object and adding that to the security policy

@reaper

I have had regions configured for sometime and it has never been an issue before but TAC thinks it might be a possiblity. 

@reaper @BPry

Well how about that it was an issue with one of the region settings that caused the autcommit to fail

@jdprovine,

When you bring up autocommit failures I almost always start looking at the regions, and to a lesser extent the security policies in general to verify everything carried over correctly. It's easier if you are looking directly at the XML file, easier yet if you generate a tech-support file and take a look at the mergesp.xml file that actually includes the default stuff you usually don't see if you just take a look at the running-config.xml 

@BPry

what is it in the configuration that tells that it is a custom region and not a builit in one?

Easy, the running-config.xml isn't going to have anything but your custom regions. It doesn't actually display any of the built-in regions. Same on the GUI, you'll only have the custom regions shown under objects, not the defaults. 

There really isn't a great easy way to see both the custom and the built-in on the same config file unless you dig through the Technical Support file and go into the mergesp.xml file. Everything that is built by you as a custom region will be where you would expect to see it in the running-config; however this file also includes everything that's been predefined by Palo Alto, including the regions. 

@BPry

I can tell that there is a custom region because I can see one under object/regions but I can't tell the custom ones from the built-in one on the security policies. 

@jdprovine,

Are you trying to get rid of it or something? That's the issue when you step on built-in groups, there really isn't a way of specifying the "US" that you made or the "US" that is included by default. If this is a group that you are actually looking to maintain I would change it to something like "US-Custom" or "US-Specified" or something like that; get it away from matching the predefined entry and you shouldn't ever experiance the issue again. 

@BPry

I am trying to make sure we don't repeat the same issue we had before where someone accidentally created Brazil as a custom region, deleted it and the rule associated with it,then later created a new rule with the region Brazil back in it again.  That what is causing my autocommit to fail.

So if I change the name of the current custom region US to US-Custom will I be able to see the built-in rule again?

@jdprovine,

Yes. The only thing to watch on this will be all of your policies that reference "US" will change to "US-Custom" and you'll need to go back and change them to the pre-defined "US" instead. Then you'll be able to remove the "US-Custom" object and everything should commit like normal. 

@BPry

I think that is what I need to do and clean it all up, then i could delete the custom US region,run the CLI command "debug device-server dump idmgr type vsys-region all" and then do my upgrade.