This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Impossible to commit: template values of parent template are present in template stack, but not pushed to the firewall

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Impossible to commit: template values of parent template are present in template stack, but not pushed to the firewall

SomeSuch
L1 Bithead

‎07-13-2023 02:45 AM - edited ‎07-13-2023 02:50 AM

Hello

 

my frustration level with panorama is reaching impossible levels so I really hope that someone can help me out.

Unfortunately I made the mistake of purchasing Pano with partner support and I can't open a case directly with PAN, and vendor support is horrible.

 

Long story short, Panorama is not pushing template values to newly added firewalls.

 

I have a "CommonTemplate" where I put template values that I want all firewalls to have.

This template is linked first.

 

SomeSuch_3-1689239936510.png

 

SomeSuch_2-1689239906497.png

 

 

SomeSuch_0-1689239823375.png

I can see the new firewall's template stack showing values from this parent template.

SomeSuch_1-1689239867546.png

 

But then the values are not pushed to the local machine.

SomeSuch_4-1689240139880.png

 

Both objects and template values from Pano are of course enabled.

SomeSuch_5-1689240516195.png

 

But when I export the config bundle, or when I push a commit with Force Template Values, those values are missing from the candidate config on the local firewall, and the commit fails. Template values in the firewall's specific template are not pushed either. load device-state was done from CLI, no values present.

 

Both Pano and the FW are on 10.2.4-h3.

 

Any help would be very much appreciated.

I have to say, combined with the 410's lack of logging over a spotty 3g connection, this has been one of the most infuriating experiences in my networking career. What a terrible device the 410 is and what an awful system Panorama templates are.

0 Likes Likes
2 REPLIES 2

PavelK
Cyber Elite
Cyber Elite

‎07-13-2023 02:44 PM

Hello @SomeSuch

 

would it be possible to share details of failure you got when pushing configuration to PA-410? If the error is not self explanatory, could you check logs from CLI:

 

Panorama: tail follow yes mp-log configd.log
FW: tail follow yes mp-log devsrv.log
 
These logs will usually give more information to troubleshoot the issue.
 
Kind Regards
Pavel
Help the community: Like helpful comments and mark solutions.
0 Likes Likes

ozheng
L4 Transporter

‎07-23-2023 04:22 AM

Hello @SomeSuch ,

 

You do the push from Panorama, you open the task manager on the PA-410 and you should see the commit job.
If the commit is failing, you should see the error.
If the commit is not failing, maybe you can do a "force template" (WARNING : that would override the local configuration with the config from Panorama).

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

0 Likes Likes
  • 1770 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks