11-19-2021 03:39 AM
Hi everyone,
I am a network engineer and we have recently swapped out some Palo Alto firewalls for newer models. The old firewalls were managed in Panorama and I recently tried to integrate these new firewalls to Panorama. I want both the Device Groups (Policies and Objects tabs) and Templates (Network and Device tabs) to be managed by Panorama apart from the Device > High Availability and Setup sections which I want managed locally.
It went smoothly until I reached step 8 in the below Palo Alto document.
I decided against selecting 'Force Template Values' when I pushed the config to the firewalls because Device > High Availability and Setup should be managed locally, not by Panorama. I was hoping that if I skip selecting 'Force Template Values' I can simply click on everything apart from High Availability and Setup and click Revert locally on the firewall to have this managed in Panorama. When I started doing this however on the Interfaces I got the below error:
Error deleting Ethernet Interface
member cannot be deleted because of references from:
network -> virtual-router -> VR-1 -> routing-table -> ip -> statis-route -> SER_GW -> interface
network -> virtual-router -> VR-1 -> routing-table -> ip -> statis-route -> CanyonRanch -> interface
network -> virtual-router -> VR-1 -> routing-table -> ip -> statis-route -> test -> interface
I have tried to revert VR-1 then do a commit then revert the interfaces but I am still getting the same error above. I don't want to 'Force Template Values' on Panorama as the High Availability and Setup on the local firewalls will be deleted. Any idea how I can add the Template (Network and Device tabs) to be managed by Panorama without adding High Availability and Setup too?
Panorama is version 9.1.8 and model M-100
Firewalls are version 9.1.8 and model PA-5250 in Active Passive setup.
Many thanks in advance!
02-21-2022 11:04 AM
Any luck on this? I am getting a similar error. In my case, it says it needs to delete them even though interfaces exist in the template. My templates and local config match exactly on the network portions so not sure why I am getting this error. I don't want to use Force template values either for reasons you mentioned.
09-19-2022 02:10 PM
Is your Virtual Router defined in your template in the same location as the interfaces? I'm running into the same issue, when I look at the templates, I do see something odd where the Virtual Router that is erroring out has a location of NONE in the template but the interfaces are all defined as VSYS1. Was curious if this was the issue.
09-20-2022 07:14 AM
It seems that the issue is when you do a "revert", behind the scenes the firewall is actually deleting the interfaces from where they are and re-creating everything. It can't do delete because there are static routes tied to the interface. You can see this behavior in the config log.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
