01-21-2022 10:01 AM
wanted to know if anyone has ever experienced this issue. recently configured a new Vsys "Vsys6" which was successfully added to the correct Template_stack and device groups. everything worked fine for 2-3 weeks, however last night after adding 2 Sec.policies to the new Vsys. the commit failed. FYI for security i've edited the zone names and policy name.
It goes on for a couple more rules where the zone or rule name will change.
I've noticed that on the PAN, the Vsys# does not match the name"description" from the Vsys# name"description" on the local boxes. for example on the PAN Vsys5 is named blue and Vsys6 is yellow, but on the local box Vsys5 is Yellow and Vsys6 is blue. I've tried pushing the stack to the boxes but that didnt work, tried reverting but that didn't work either.
01-25-2022 05:52 AM
Nikolay,
Everything was done correctly in regards to creating the new Vsys. as i stated the Vsys was created 2-3 weeks before the issue started. Anyway, I tried removing the new Vsys6 and the configs created with it on the PAN and tried to push it to the local FW box. the push still failed but only the device group portion. So we decided to un-pair the FW from PAN but instead of checking the import "device and network template" and the "policy and object" checkbox.we decided to only keep the local default settings "local admin" ,"management port" etc. after UN-pairing we didnt commit the change on the local box. instead we went straight to re-pairing the FW back to PAN, added it back to the device groups. did a "commit and push" and that was successful. when into the local FW and everything matches up now. PAN and local FW Vsys are all matched up.
01-24-2022 12:59 AM
Hello,
Have you followed the article below when adding the new vsys using panorama?
Also I found the the below info:
Device > Virtual Systems (paloaltonetworks.com)
If nothing works you may try to remove and add again the the firewall with its VSYS systems :
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cmd6CAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmM0CAK
You may also check for bugs for your version, for example :
Known Issues (paloaltonetworks.com)
01-25-2022 05:52 AM
Nikolay,
Everything was done correctly in regards to creating the new Vsys. as i stated the Vsys was created 2-3 weeks before the issue started. Anyway, I tried removing the new Vsys6 and the configs created with it on the PAN and tried to push it to the local FW box. the push still failed but only the device group portion. So we decided to un-pair the FW from PAN but instead of checking the import "device and network template" and the "policy and object" checkbox.we decided to only keep the local default settings "local admin" ,"management port" etc. after UN-pairing we didnt commit the change on the local box. instead we went straight to re-pairing the FW back to PAN, added it back to the device groups. did a "commit and push" and that was successful. when into the local FW and everything matches up now. PAN and local FW Vsys are all matched up.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
