08-21-2017 08:20 AM - edited 08-21-2017 08:22 AM
Palo version:
vm-license: VM-100
vm-mode: VMWare ESXi
sw-version: 8.0.4
I am trying to do a partial commit after a change on policy rules.
The following commands usually work, but for some reason I ended up in a state where partial commit/validate is not allowed:
admin@CST-OCBFW-INT01(active)# validate partial device-and-network excluded
Server error : Partial validate is not allowed. Full commit must be completed.
[edit]
admin@CST-OCBFW-INT01(active)# commit partial device-and-network excluded
Server error : Partial commit is not allowed. Full commit must be completed.
[edit]
The candidate config only has changes on security/rules which is part of the "policy-and-objects" config AFAIK.
What can be the cause of this state?
Can it be fixed so that I can issue a partial commit and avoid doing a seemingly useless full commit? Or does it mandatorily require a full commit?
08-21-2017 10:01 AM
Generally this would only appear if a security policy references something that falls within device-and-network; since you are attempting to exclude that, it wouldn't be able to validate or commit the config.
1) Verify nothing you have configured actually relies on anything within the device-and-network config
2) Something got loopy and you just need to do an actual full commit instead of a partial.
08-21-2017 10:23 AM
Or another admin changed something?
But I also think it's @BPrys's possibility 2 (if you didn't create an EDL reachable over https, so that it requires a certificate profile; or a new log forwarding profile where you created the required server profile at the same time; and probably more possibilities ...)
08-22-2017 03:00 AM
Thanks for your help!
I don't exactly remember what I did to reach this state, but I checked that only security/rules were changed, both in the GUI ("commit/preview changes") and in the CLI:
root@cst-ocbvpn-int01:/# diff -u <(panxapi.py -xrs) <(panxapi.py -Xro 'show config candidate') show: success op: success --- /dev/fd/63 2017-08-21 14:38:12.174880000 +0000 +++ /dev/fd/62 2017-08-21 14:38:12.174880000 +0000 @@ -1759,89 +1759,109 @@ <security> <rules> <entry name="tpl_deny_paloappdefault"> + <action>deny</action> + <application> + <member>any</member> ... + </destination> + <rule-type>interzone</rule-type> </entry> </rules> </security>
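Review bot: the hunk is elided with `...` between `<member>any</member>` and `</destination>`, so it shows that the rule `tpl_deny_paloappdefault` was added but not every object the rule references; as the first reply points out, the partial-commit refusal is about what the rule references rather than about edits inside device-and-network itself, and the elided part of the hunk is exactly where a reference to a new or device-level object (log forwarding profile, certificate profile, server profile) would appear. The complete hunk, or at least the rule's log-forwarding and profile settings, is needed before concluding that the candidate only touches policy-and-objects.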
So in the current state, I only have changes in "policy-and-objects".
Of course many of those policy changes "point" to device-and-config "objects" (log-forwarding, services, etc), but there are no changes in device-and-config in the diff.
Maybe I did some changes on device-and-config that made the Palo "flag" the next commit as needing to be full, and then reverted those changes prior to the commit.
Anyway, I'll try and reproduce and better track what were my actions.
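The check the OP did by hand (diff running against candidate, then eyeball which sections moved) can be made precise. The script below is an added example for this thread, not code from the posts, from panxapi.py or from Palo Alto Networks: it parses two config snapshots, reports which top-level config sections differ, lists the objects (log-setting, service, profile-setting) that every changed security rule names, and flags any referenced object that is itself added or changed outside the rulebase in the same candidate, which is the coupling the replies describe (a new rule pointing at a new log forwarding profile). The two XML documents are constructed and trimmed to the elements the script reads; the rule `tpl_deny_paloappdefault` and its `deny`/`any`/`interzone` settings come from the diff above, while the `log-setting` and `service` values, the profile names and the hostname are assumptions. Real snapshots would come from `panxapi.py -xrs` and `panxapi.py -Xro 'show config candidate'` as in the post.

```python
"""Diff a running and a candidate PAN-OS config snapshot (XML), report the
changed sections, and show what the changed security rules reference.
Added example for this thread; the XML below is constructed, not a real
firewall export."""
import xml.etree.ElementTree as ET

RULE_MARK = "/rulebase/security/rules/entry["


def _config(extra_rules="", extra_profiles=""):
    """Constructed minimal config: one log-forwarding profile, one rule, plus extras."""
    return f"""<config><devices><entry name="localhost.localdomain">
  <deviceconfig><system><hostname>fw01</hostname></system></deviceconfig>
  <vsys><entry name="vsys1">
    <log-settings><profiles>
      <entry name="lfp-default"><match-list/></entry>{extra_profiles}
    </profiles></log-settings>
    <rulebase><security><rules>
      <entry name="allow-web"><action>allow</action>
        <log-setting>lfp-default</log-setting>
        <service><member>service-http</member></service></entry>{extra_rules}
    </rules></security></rulebase>
  </entry></vsys></entry></devices></config>"""


# The rule from the thread's diff; log-setting and service are assumed values.
NEW_RULE = """<entry name="tpl_deny_paloappdefault"><action>deny</action>
  <application><member>any</member></application>
  <service><member>application-default</member></service>
  <log-setting>{profile}</log-setting><rule-type>interzone</rule-type></entry>"""

RUNNING_XML = _config()
# Case A: only the rule is new and it points at a profile that already exists.
CANDIDATE_RULE_ONLY = _config(NEW_RULE.format(profile="lfp-default"))
# Case B: the rule and the profile it points at are both new in the candidate.
CANDIDATE_RULE_AND_PROFILE = _config(NEW_RULE.format(profile="lfp-new"),
                                     '<entry name="lfp-new"><match-list/></entry>')


def _component(el):
    """Path component for an element: tag, qualified by entry name or member text."""
    if el.get("name") is not None:
        return f'{el.tag}[{el.get("name")}]'
    if el.tag == "member":
        return f"member[{(el.text or '').strip()}]"
    return el.tag


def leaf_paths(root):
    """Map every leaf element to its text, keyed by a name-qualified path below <config>."""
    leaves = {}

    def walk(el, prefix):
        path = f"{prefix}/{_component(el)}" if prefix else _component(el)
        children = list(el)
        if not children:
            leaves[path] = (el.text or "").strip()
        for child in children:
            walk(child, path)

    for child in root:
        walk(child, "")
    return leaves


def diff_configs(running_xml, candidate_xml):
    """Leaf paths that were added, removed or whose text differs between the snapshots."""
    run = leaf_paths(ET.fromstring(running_xml))
    cand = leaf_paths(ET.fromstring(candidate_xml))
    return {p for p in run.keys() | cand.keys() if run.get(p) != cand.get(p)}


def section_of(path):
    """Collapse a leaf path to its top-level section: 'deviceconfig', 'network',
    'shared', or 'vsys/entry[<vsys>]/<subtree>' such as .../rulebase."""
    parts = path.split("/")
    if parts[0] == "devices" and len(parts) > 2:
        rest = parts[2:]  # drop devices/entry[localhost.localdomain]
        if rest[0] == "vsys" and len(rest) > 2:
            return "/".join(rest[:3])
        return rest[0]
    return parts[0]


def rule_references(candidate_xml, changed):
    """For each security rule touched by the change (and still present in the
    candidate), list the (kind, name) objects it points at."""
    touched = set()
    for p in changed:
        i = p.find(RULE_MARK)
        if i >= 0:
            start = i + len(RULE_MARK)
            touched.add(p[start:p.index("]", start)])
    refs = {}
    root = ET.fromstring(candidate_xml)
    for rule in root.findall(".//rulebase/security/rules/entry"):
        if rule.get("name") not in touched:
            continue
        found = [("log-setting", rule.findtext("log-setting"))] if rule.findtext("log-setting") else []
        found += [("service", m.text) for m in rule.findall("service/member")]
        found += [("profile-group", m.text) for m in rule.findall("profile-setting/group/member")]
        for prof in rule.findall("profile-setting/profiles/*"):
            found += [(prof.tag, m.text) for m in prof.findall("member")]
        refs[rule.get("name")] = sorted(found)
    return refs


def coupled_objects(refs, changed):
    """Names referenced by a changed rule that are themselves added or changed
    outside the rulebase in the same candidate (the case the replies warn about)."""
    names = {name for rule_refs in refs.values() for _, name in rule_refs}
    return sorted(n for n in names
                  if any(f"/entry[{n}]/" in p and RULE_MARK not in p for p in changed))


def report(running_xml, candidate_xml):
    """Changed sections, references of changed rules, and rule/object couplings."""
    changed = diff_configs(running_xml, candidate_xml)
    refs = rule_references(candidate_xml, changed)
    return {"sections": sorted({section_of(p) for p in changed}),
            "rules": refs, "coupled": coupled_objects(refs, changed)}


if __name__ == "__main__":
    for label, cand in (("rule only", CANDIDATE_RULE_ONLY),
                        ("rule + new profile", CANDIDATE_RULE_AND_PROFILE)):
        print(label, report(RUNNING_XML, cand))
```

In case A the only changed section is the rulebase and nothing the new rule names is itself new, which matches what the OP observed in the diff above; in case B the log-settings section also changes and `lfp-new` shows up as coupled, which is the pattern the replies describe. A rule deleted in the candidate is reported in `sections` but not in `rules`, since the script reads references from the candidate tree.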