Panorama Device Specific Templates Network Settings

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Panorama Device Specific Templates Network Settings

L1 Bithead

In our Panorama exists a Standard Template.  In the standard template I define ethernet1/5 with several sub interfaces.  At one of our locations I need to add a sub interface for vlan 88.  To tackle this, I have a device specific template that is in the template stack for this location.  Within that device specific template, I added ethernet1/5.88 .  When I go to commit that template, Panorama gives me the below validation errors.  Due to this, I went a different route by using another ethernet interface ethernet1/6.88 .  That will commit to the firewall, THOUGH it is missing setting.  One of the setting that doesnt show is the virtualrouter4 assigned to ethernet1/6.88.   I am using in my standard template virtualrouter4 and created that same virtualrouter4 in my device specific template.  The virtualrouter4 works fine for committing to my IPSEC tunnels in the device specific template but will not get assigned to my ethernet1/6.88 interface.

 

There are two issues here and Im just looking for the correct way to accomplish what I need done.

 

 

Validation Error:
devices -> localhost.localdomain -> template-stack ->PA Stack -> config -> devices -> localhost.localdomain -> vsys -> vsys1 -> import -> network -> interface 'ethernet1/1.88' is not a valid reference
devices -> localhost.localdomain -> template-stack -> PA Stack -> config -> devices -> localhost.localdomain -> vsys -> vsys1 -> import -> network -> interface is invalid

4 REPLIES 4

Cyber Elite
Cyber Elite

Thank you for the post @AOneR

 

in the validation error you shared, the interface that is having an issue is "ethernet1/1.88" while in your post you mentioned you experienced a problem with the interfaces "ethernet1/5.88" and "ethernet1/6.88". Is the issue with "ethernet1/1.88" related to your post or different issue?

 

Regarding the first problem you reported with validation error, could you use one of the interface that is functional in your Template and use "Global Find" to see where it is all referenced in Template, then mimic the configuration for sub-interface ethernet1/5.88? Make sure that virtual router, virtual system, zone are assigned.

 

Regarding the second problem, the only time I have seen missing setting while pushing Template Stack to a Firewall is one of below scenarios:

- The configuration is pushed but not applied because it is overwritten by local configuration. You will recognize it by different symbol shape. Instead of green, it is green/orange symbol. Here is a reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLIxCAO

- A Template is not part of correct Template Stack or Template is not a member of  any Template Stack.

- The Panorama configuration is committed successfully, but an error is returned while pushing the configuration to the managed Firewall.

 

If none of the above scenario is applied to you, then I would go through the Template configuration again and make sure that the interface "ethernet1/6.88" is configured correctly.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Thank you for responding to my inquiry.

 

Concerning the first problem, ignore 1/1 as that was another test, its 1/5 and the error is as posted.  I did a global find for interface 1/5 and created 1/5 and 1/5.27 the same, still getting the error.

 

Regarding the second issue I am getting a warning saying that interface vlan.88 has no virtual-router configured, when in fact it does.  The local configuration doesnt have any values for interfaces.  The template is assigned to the correct stack as the VPN settings are being applied.

Cyber Elite
Cyber Elite

I am sorry for late response @AOneR

 

For the first issue, could you please confirm that both options are enabled on Panorama when you are pushing the configuration: "Merge with Candidate Config" and "Include Device and Network Templates"?

 

For the second issue, after you get the validation error, could you check logs from CLI on both Panorama as well as managed Firewall whether it can give more details what the issue is: tail lines 500 mp-log configd.log.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hi I am having the exact same issue. is there a work around for this? 

  • 6151 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!