I was running 4.0.5 on Panorama and an HA active/passive 2050 cluster.
The upgrade ran rather smoothly.
Has something changed for service declaration in 4.1?
I define my addresses and custom services on the panorama which I sync to the HA cluster members after committing on the panorama.
My policies are defined on the first cluster member which are automatically HA-synced to the second member of the cluster.
I now wanted to add a new service, so I did as always and created a new service declaration on Panorama and committed it.
After that operation the cluster showed out of sync, as it always does after committing on Panorama.
When I now click on "commit all" for the cluster members in Panorama, I get an error message:
rulebase -> security -> rules -> External Web access -> service 'sp_8080' is not an allowed keyword.
When I remove this service from this policy, I get the same error for the next policy rule, which also contains a custom service.
Committing on the device also works.
What can I do?
I did some more testing.
I removed all custom services from my policies (luckily the firewall is still in the setup phase).
After that I got the same problem with the certificate of the captive portal and the web GUI certificate. So I also deleted those, and now I can finally "commit all" to the devices from Panorama.
But as soon as I add a custom service defined on the panorama to a policy I get the error as mentioned above.
I can also commit when I create the service in the device context and add it to a rule.
So do I need to recreate all my services on the device context now and use those?
Strangely, I have no problem with my addresses in the rules, which I also created in the Panorama context.
I must have done something wrong yesterday, because today I noticed that it doesn't work.
I still get the message when committing to "managed devices":
vsys -> vsys1 -> rulebase -> security -> rules -> External Web access -> service 'test' is not an allowed keyword
vsys -> vsys1 -> rulebase -> security -> rules -> External Web access -> service 'test' is not a valid reference
I think I solved the problem.
I noticed a problem while creating new tunnel interfaces: those interfaces were grey, while interfaces created before the update were green.
I then noticed that only the new interfaces had vsys1 next to them.
So I activated the virtual system feature on the devices. After this I had to reassign security zones and vsys to all interfaces.
I also had to manually remove GlobalProtect entries from the config XML, as I could not get rid of the error message via the web GUI.
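The "is not a valid reference" errors above are the commit engine refusing a rule whose service or address member does not resolve to any object the rule's vsys can see (shared, vsys-local, or a built-in keyword such as any / application-default). The following is an added example, not code from the original post or from Palo Alto Networks: a small offline pre-check over an exported PAN-OS config XML that reports such dangling references in the same wording the commit produces. It assumes the standard config layout (shared objects under /config/shared, vsys objects and the security rulebase under /config/devices/entry/vsys/entry); the sample config embedded in it is constructed, and it models only shared-versus-vsys visibility, not Panorama device-group scoping.

```python
"""Pre-commit check for dangling object references in a PAN-OS config XML.

Added example (not from the original post or the vendor). Assumes the
standard PAN-OS config layout: shared objects under /config/shared,
vsys-local objects and the security rulebase under
/config/devices/entry/vsys/entry.
"""
import xml.etree.ElementTree as ET

# Keywords PAN-OS accepts in a rule without a matching object definition.
BUILTIN_SERVICES = {"any", "application-default"}
BUILTIN_ADDRESSES = {"any"}

# Constructed sample config: 'test' and 'dmz-host' are referenced but never defined.
SAMPLE_CONFIG = """<config version="4.1.0">
  <shared>
    <service><entry name="sp_8080"><protocol><tcp><port>8080</port></tcp></protocol></entry></service>
    <address><entry name="web-srv"><ip-netmask>10.0.0.10/32</ip-netmask></entry></address>
  </shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <service><entry name="local_svc"><protocol><tcp><port>8443</port></tcp></protocol></entry></service>
    <rulebase><security><rules>
      <entry name="External Web access">
        <source><member>any</member></source>
        <destination><member>web-srv</member></destination>
        <service><member>sp_8080</member></service>
      </entry>
      <entry name="Broken rule">
        <source><member>any</member></source>
        <destination><member>dmz-host</member></destination>
        <service><member>test</member></service>
      </entry>
      <entry name="Local rule">
        <source><member>any</member></source>
        <destination><member>any</member></destination>
        <service><member>local_svc</member><member>application-default</member></service>
      </entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def _names(node, path):
    """Set of @name attributes of the entries matched by a relative path."""
    return {e.get("name") for e in node.findall(path)}


def _object_names(node, kind):
    """Objects plus their groups of one kind ('service' or 'address') under a node."""
    return _names(node, f"./{kind}/entry") | _names(node, f"./{kind}-group/entry")


def find_unresolved_references(config_xml):
    """Return PAN-OS-style error strings for every rule member that resolves to
    neither a shared object, a vsys-local object, nor a built-in keyword."""
    root = ET.fromstring(config_xml)
    shared = root.find("./shared")
    shared_services = _object_names(shared, "service") if shared is not None else set()
    shared_addresses = _object_names(shared, "address") if shared is not None else set()

    problems = []
    for vsys in root.findall("./devices/entry/vsys/entry"):
        vname = vsys.get("name")
        # Objects visible inside this vsys: shared + vsys-local + built-ins.
        services = shared_services | _object_names(vsys, "service") | BUILTIN_SERVICES
        addresses = shared_addresses | _object_names(vsys, "address") | BUILTIN_ADDRESSES
        for rule in vsys.findall("./rulebase/security/rules/entry"):
            prefix = f"vsys -> {vname} -> rulebase -> security -> rules -> {rule.get('name')}"
            for m in rule.findall("./service/member"):
                if m.text not in services:
                    problems.append(f"{prefix} -> service '{m.text}' is not a valid reference")
            for field in ("source", "destination"):
                for m in rule.findall(f"./{field}/member"):
                    if m.text not in addresses:
                        problems.append(f"{prefix} -> {field} '{m.text}' is not a valid reference")
    return problems


if __name__ == "__main__":
    for line in find_unresolved_references(SAMPLE_CONFIG):
        print(line)
```

Run it against the output of `show config running` (or a config export) before a Panorama "commit all": any line it prints is a reference the device would reject, and the vsys in the path tells you which scope the object is missing from.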