I'm struggling with the integration of new devices. After many tries, I finally removed the new devices, but 2 of the other firewalls can't commit anymore:
When I try to push to devices, I get the following error: "Failed to generate selective push configuration. Last in-sync configuration for the device is from a different version, selective push is not supported. Please try a full push."
What is a full push by the way?
On the summary page the status is:
- both devices of the device group are connected
- shared policy is "out of sync Panorama pushed version :360"
- template is "out of sync Panorama pushed version :331"
I've tried, from Setup > Operation, to "export or push device config bundle" on these specific devices using version 331.
The load works fine, then I commit to Panorama, which is also fine.
But pushing to devices fails for template and device group.
What would be the next step to recover a valid configuration that won't disturb the service on the firewalls?
This is a known problem and will be fixed in the upcoming version 10.2.4. Check this article for the workaround provided by Palo:
What is a full push by the way?
When you commit and push the configuration, there are 2 options, as mentioned below.
Selecting option 1 is a full push.
1. Commit And Push All Changes - If you select this, it is a full push.
2. Commit And Push Changes Made By: - If you select this, it pushes the changes made by individual users.
A full push will send the existing configuration from Panorama to all firewalls without any changes.
If there is a Panorama OS upgrade, the full push will update the XML structure that is used in the new OS version on the firewalls. The push still will not change anything related to the configuration.
Hi @Aimee_Piediscalzo ,
Make sure it's not a permission issue (can your user perform this action?).
Check if Device State shows as connected under Panorama > Managed Devices > Summary section.
Seems obvious but make sure there's a Push Scope to push to... if there isn't then edit the selections and select the Device Group/Template to push to.
If all else fails, you can try restarting the mgmt server process.
Still no update from my Case or SAM team on this one. A full push should resolve the issues but only temporarily. For us right now we have to do a full push about every 3 or so commit/pushes. It sucks. I believe I see the issue and have relayed it to TAC. The safety feature of forcing a full push when something is over 100 revs off is taking into account items that are in a disconnected state. When I look at my required full push, everything that is labelled as out of sync and in need of a push are items that are either Disconnected or not fully managed by Panorama.
It should just be the version of Panorama, and for me it seems to be with 10.2.4 code. Was on 10.2.3, no issues; moved to 10.2.4, issue started. Was told by TAC the issue was resolved in 10.2.4-h3; they even have it posted as a resolved issue in the release notes. Issue still persists. It seems like 10.2.4 should just be avoided if you are able to, especially if you have a large Palo footprint and a lot of people making changes in Panorama.