Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
12-21-2016 01:30 AM
Hello all,
we are running into an issue where we are unable to change static address object groups to dynamic address object groups
We have an M500 and several PA7050 and the objects are managed under the "shared" device group for all the PA7050's. We have added tags etc. to the address objects and on the panorama they show up with their dynamic members, all looks fine here.
But when we push the configuration to the firewalls, the address object group will be switched from type static to type dynamic without any members, therefore the policy for these addresses will no longer match --> Global Deny.
Is this a known behavior or general limitation that a switch from static to dynamic is not possible? Since the support from the distributor had no clue either I thought to ask you guys 🙂
Best regards,
Thomas
12-21-2016 09:20 AM
Hi @thomas.busse,
Have you tried to manuall request a sync of dynamic address object information via Panorama (Panorama tab > VMware Service Manager > Synchronize Dynamic Objects).
Also, in the configd.log (with mgmtsrvr set to debug), verify if the Panorama is sending the updates to the firewalls.
Run the following show command on the firewall to verify if it worked :
> show object registered-ip all
Hope this helps,
Cheers !
-Kim.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
