Palo Alto Template Revert error


L1 Bithead

Hi everyone,

 

I am a network engineer and we have recently swapped out some Palo Alto firewalls for newer models. The old firewalls were managed in Panorama and I recently tried to integrate these new firewalls into Panorama. I want both the Device Groups (Policies and Objects tabs) and Templates (Network and Device tabs) to be managed by Panorama, apart from the Device > High Availability and Setup sections, which I want managed locally.

It went smoothly until I reached step 8 in the below Palo Alto document.

https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-firewalls/transition-a-firewall...

I decided against selecting 'Force Template Values' when I pushed the config to the firewalls because Device > High Availability and Setup should be managed locally, not by Panorama. I was hoping that if I skip selecting 'Force Template Values' I can simply click on everything apart from High Availability and Setup and click Revert locally on the firewall to have this managed in Panorama. When I started doing this on the Interfaces, however, I got the below error:

 

Error deleting Ethernet Interface

member cannot be deleted because of references from:

network -> virtual-router -> VR-1 -> routing-table -> ip -> statis-route -> SER_GW -> interface

network -> virtual-router -> VR-1 -> routing-table -> ip -> statis-route -> CanyonRanch -> interface

network -> virtual-router -> VR-1 -> routing-table -> ip -> statis-route -> test -> interface

 

I have tried to revert VR-1 then do a commit then revert the interfaces but I am still getting the same error above. I don't want to 'Force Template Values' on Panorama as the High Availability and Setup on the local firewalls will be deleted. Any idea how I can add the Template (Network and Device tabs) to be managed by Panorama without adding High Availability and Setup too?

 

Panorama is version 9.1.8 and model M-100

Firewalls are version 9.1.8 and model PA-5250 in Active Passive setup.

 

Many thanks in advance!

3 REPLIES

L2 Linker

Any luck on this? I am getting a similar error. In my case, it says it needs to delete them even though interfaces exist in the template. My templates and local config match exactly on the network portions so not sure why I am getting this error. I don't want to use Force template values either for reasons you mentioned.

L1 Bithead

Is your Virtual Router defined in your template in the same location as the interfaces? I'm running into the same issue. When I look at the templates, I do see something odd where the Virtual Router that is erroring out has a location of NONE in the template but the interfaces are all defined as VSYS1. Was curious if this was the issue.

It seems that the issue is that when you do a "revert", behind the scenes the firewall is actually deleting the interfaces from where they are and re-creating everything. It can't do the delete because there are static routes tied to the interface. You can see this behavior in the config log.
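Added example, not part of the thread or of any Palo Alto tooling: a pre-check that lists which static routes reference an interface before a revert is attempted, so the blocking references named in the error can be seen up front. The XML sample is constructed, and its element layout is an assumption that mirrors the reference path shown in the error message; the function name `static_route_refs` is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. The element layout is an assumption
# that mirrors the reference path printed in the error message in this thread.
SAMPLE_CONFIG = """
<network>
  <virtual-router>
    <entry name="VR-1">
      <routing-table><ip><static-route>
        <entry name="SER_GW"><interface>ethernet1/1</interface></entry>
        <entry name="test"><interface>ethernet1/1</interface></entry>
        <entry name="default"><interface>ethernet1/2</interface></entry>
        <entry name="blackhole"/>
      </static-route></ip></routing-table>
    </entry>
  </virtual-router>
</network>
"""


def static_route_refs(config_xml, interface):
    """Return reference paths of static routes whose interface matches."""
    root = ET.fromstring(config_xml)  # root element is <network>
    refs = []
    for vr in root.iterfind("./virtual-router/entry"):
        for route in vr.iterfind("./routing-table/ip/static-route/entry"):
            # A route without an <interface> child holds no reference.
            if (route.findtext("interface") or "").strip() == interface:
                refs.append(" -> ".join([
                    "network", "virtual-router", vr.get("name"),
                    "routing-table", "ip", "static-route",
                    route.get("name"), "interface",
                ]))
    return refs


if __name__ == "__main__":
    # Each printed path is a reference that would block deleting the interface.
    for ref in static_route_refs(SAMPLE_CONFIG, "ethernet1/1"):
        print(ref)
```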
