Can't commit from Panorama

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Can't commit from Panorama

L0 Member

I have two Palo 3200 in HA mode and if I try to commit the configuration change I become following error:

  • Validation Error:
  • deviceconfig -> system -> panorama-server unexpected here
  • deviceconfig -> system is invalid
  • Commit failed

One of the both firewall is successful but the second one, don't take the configuration and stay Out of sync.

 

What can I do? Thanks for help

1 accepted solution

Accepted Solutions

Thanks for your reply Steve, I open a case with the support and we do the following operation, to copy the configuration of the first firewall on the second

 

1. From peer Firewall that it does not present the issue. SAVE a configuration snapshot under DEVICE > SETUP > OPERATIONS > SAVE > SAVE NAME CONFIGURATION SNAPSHOT

2. EXPORT configurations under DEVICE > SETUP > OPERATIONS > EXPORT > EXPORT NAME CONFIGURATION SNAPSHOT

3. From Firewall with commit error. Make sure document HOSTNAME, MANAGEMENT IP ADDRESS, AND HIGH AVAILABILITY CONFIGURATIONS, since you will be adding again later in this process

4. IMPORT configurations snapshot into Firewall with commit error under under DEVICE > SETUP > OPERATIONS > IMPORT > IMPORT NAME CONFIGURATION SNAPSHOT

5. LOAD configurations snapshot into Firewall with commit error under under DEVICE > SETUP > OPERATIONS > LOAD > LOAD NAME CONFIGURATION SNAPSHOT

6. CHANGE the correct hostname, MANAGEMENT IP ADDRESS , AND HIGH AVAILABILITY CONFIGURATIONS of the Firewall with commit error.

7. Commit

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

Can you please ensure that there are no uncommitted local configurations on the secondary FW.   Also, can you confirm if you are only pushing out templates (and not device groups)? 

When in Panorama mode, the FWs should be getting their configs from the Panorama, so.. have you considered disabled the config sync under the HA portion of the configuration?

 

It just appears that the xml may be a little corrupted, but nothing too major. 

 

 

Help the community: Like helpful comments and mark solutions

Thanks for your reply Steve, I open a case with the support and we do the following operation, to copy the configuration of the first firewall on the second

 

1. From peer Firewall that it does not present the issue. SAVE a configuration snapshot under DEVICE > SETUP > OPERATIONS > SAVE > SAVE NAME CONFIGURATION SNAPSHOT

2. EXPORT configurations under DEVICE > SETUP > OPERATIONS > EXPORT > EXPORT NAME CONFIGURATION SNAPSHOT

3. From Firewall with commit error. Make sure document HOSTNAME, MANAGEMENT IP ADDRESS, AND HIGH AVAILABILITY CONFIGURATIONS, since you will be adding again later in this process

4. IMPORT configurations snapshot into Firewall with commit error under under DEVICE > SETUP > OPERATIONS > IMPORT > IMPORT NAME CONFIGURATION SNAPSHOT

5. LOAD configurations snapshot into Firewall with commit error under under DEVICE > SETUP > OPERATIONS > LOAD > LOAD NAME CONFIGURATION SNAPSHOT

6. CHANGE the correct hostname, MANAGEMENT IP ADDRESS , AND HIGH AVAILABILITY CONFIGURATIONS of the Firewall with commit error.

7. Commit

  • 1 accepted solution
  • 5260 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!