Region making autocommit fail

Showing results for 
Search instead for 
Did you mean: 

Region making autocommit fail

L4 Transporter

Does anyone know of a issue with configuring regions in security policies causing the autocommit to fail?


Cyber Elite
Cyber Elite


Happens alot depending on what you are modifying in the regions; generally throws a parsing issue. The default-regions entries are hidden and they can get weird when you start adding custom regions. Generally running 'debug device-server reset id-manager type vsys-region' will cause the issue to resolve itself. 



I was asked by TAC if i was using regions and I have been for some time and it never caused an issue upgrading before so i was just curious if anyone else had seen this issue.  

've seen one instance where the region object was not created properly and a region was added directly into a security policy instead of through an object, which then caused an issue after the upgrade.


this was fixed by properly creating the region object and adding that to the security policy

Tom Piens
Like my answer? check out my book!



I have had regions configured for sometime and it has never been an issue before but TAC thinks it might be a possiblity. 

@reaper @BPry


Well how about that it was an issue with one of the region settings that caused the autcommit to fail


When you bring up autocommit failures I almost always start looking at the regions, and to a lesser extent the security policies in general to verify everything carried over correctly. It's easier if you are looking directly at the XML file, easier yet if you generate a tech-support file and take a look at the mergesp.xml file that actually includes the default stuff you usually don't see if you just take a look at the running-config.xml 



what is it in the configuration that tells that it is a custom region and not a builit in one?

Easy, the running-config.xml isn't going to have anything but your custom regions. It doesn't actually display any of the built-in regions. Same on the GUI, you'll only have the custom regions shown under objects, not the defaults. 

There really isn't a great easy way to see both the custom and the built-in on the same config file unless you dig through the Technical Support file and go into the mergesp.xml file. Everything that is built by you as a custom region will be where you would expect to see it in the running-config; however this file also includes everything that's been predefined by Palo Alto, including the regions. 



I can tell that there is a custom region because I can see one under object/regions but I can't tell the custom ones from the built-in one on the security policies. usregion.PNG

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!