01-05-2022 05:10 AM
Hi,
So after upgrading Panorama (and our firewalls) to PAN-OS 10.1.x, our security policies which had device tags attached to them stopped working. Turned out, the rules simply disappeared from the firewalls.
On Panorama, Combined Rule Preview shows the actual (tagged) rules as normal, but after a successful push/commit there's no sign of the rules on the local firewall.
Anyone experienced this?
Cheers
01-25-2022 03:27 AM - edited 01-25-2022 06:09 AM
Have you checked for known bugs for your version or addressed bugs in other versions? In 10.1.4-h2 I see this solved bug:
PAN-OS 10.1.4-h2 Addressed Issues (paloaltonetworks.com)
PAN-184445: Fixed an issue where, after upgrading Panorama and enabling Share Unused Address and Service Objects with Devices, address objects using tags to dynamic address groups were removed after a full commit.
As this is a community site where non-Palo Alto TAC support people help each other, the other thing I could think of is, as mentioned, to remove the firewall from Panorama, configure the tags, and then add it again by making new templates and device groups.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cmd6CAC
How to add a locally managed firewall to panorama management - Knowledge Base - Palo Alto Networks
Outside of that, raise a TAC case if the latest version 10.1.4-h2 does not solve your issue.
Edit:
Also, 10.1.x is still not so stable, so if 10.1.4-h2 does not help, maybe try the latest 10.x version and hotfix.
01-12-2022 04:14 AM
Review the known bugs related to tags for your version:
PAN-OS 10.1.0 Known Issues (paloaltonetworks.com)
In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.
01-24-2022 03:24 AM
Hi,
I recognized the same problem today in two locations with PA-220. The users cannot log in to GlobalProtect anymore, because the NAT and security policies which are applied by tag are not visible on the local devices anymore.
First just one location. Users told me about connection problems with GlobalProtect. By looking at the firewall I saw that the policies were missing; in the Panorama they were visible. I saw that there was an outstanding push on the Panorama, and the preview showed that the policies I was missing should be applied to the location where they were missing. Very strange, because we just wanted to commit and push some shared objects to all locations. I pushed it and hoped it would solve the problem.
After the successful commit the policies still were not visible on the local device, just on the Panorama.
I tried a reboot of the Panorama and a reboot of the local firewall device without any improvement.
Both locations with the same configuration were running one month without any problems after the firmware upgrade to 10.1.3, until today.
For testing I tried to trigger a new push of policies by applying a new security policy (also by tag) to the device-group level where the two locations get the other policies (applied by tag) from.
After the commit and push, the second location, which was running fine up to this moment, got the same problems as the other one: the policies (the old ones) were not visible on the local device anymore. Neither was the new one for testing.
Panorama firmware version: 10.1.3-h1
My workaround: I cloned the policies (security and NAT) to each local device-group level and deleted the device tag. Not nice, but working.
The answer from Nikolay_Dimitrov does NOT point to the problem we described.
Best regards
01-25-2022 11:43 AM - edited 01-26-2022 01:51 AM
Hey, thank you very much for your fast reply! I installed the update the night before and just wanted to report that it works with 10.1.4, when I saw your reply.
In addition: The Panorama and also the local firewall needed 10.1.4; afterwards I removed the tag from the device in Panorama and committed and pushed it. After re-adding the tag and committing and pushing the changes, the rules appeared again.
Best regards
Short update: In my case it was enough to trigger a manual push of the device-group settings to the upgraded firewall, even if there are no pending changes. Just select the device group and push it. Afterwards the rules handled by tag appear again.
Best regards
02-02-2022 06:28 AM
Thank you for your answer, I already tried 10.4.1-h2 and it did not solve the issue (all firewalls are on 10.1.4 also). It solved my other problem with dynamic device groups though. 🙂
Generating config on the bottom-level device group and then push & commit makes the said rule appear again.
The problem is when I modify something in the parent device group or in Shared policy and then push & commit (thus generating and pushing config to all child device groups), the policies disappear again.
I tried to remove the tag from the device, push/commit, then re-add it again as @PSCH suggested, but it didn't help.
It could be a workaround to push & commit for each child device group, but I have 60+ device groups under my parent DG, where I store most of my policies, so it's not for me. And again, modifying Shared policies will also trigger the problem.
I had a remote session with a TAC engineer, and he confirmed the problem, it's still under investigation.
Best regards
02-07-2022 11:49 AM
Hey PozsonyiAttila
I am facing the same issue as you do. Panorama with 10.1.4h2 and firewalls running 10.1.4 (before, when the issue started, we had 10.1.3 running).
This only happens to the firewalls running 10.1.3/4; all firewalls currently running 10.0.x do not face this issue.
What worries me the most is that one does not see the rules being deleted when doing a push preview before deploying.
We have a TAC case open and it is also under investigation.
This all started with 10.1.3 (which we upgraded to because of new PA-400 firewalls and the log4j fix).
We upgraded to 10.1.4h2 by TAC recommendation, which actually made us face the issue with dynamic object groups, which had to be fixed by creating and deleting a dummy object that uses a tag.
Let's hope they soon find the issue for it and provide a fix.
Regards
Alex
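Since the push preview does not reveal the missing rules (as noted above and in the original post), an out-of-band check after each push is the practical detection. The following is an added example, not code from this thread or from Palo Alto Networks: it diffs the security rules a Panorama device-group export intends for a device (honouring the per-rule target tags and negate flag) against the rules actually present in the firewall's running config. The device-group name "Branches", the rule names and the tags are constructed; the two XML documents are trimmed stand-ins for exported configs, and device-serial targeting is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Panorama device-group export (names and tags are made up).
PANORAMA_XML = """<config><devices><entry name="localhost.localdomain"><device-group>
<entry name="Branches"><pre-rulebase><security><rules>
<entry name="allow-gp-users"><target><tags><member>gp-sites</member></tags></target></entry>
<entry name="allow-dns"/>
<entry name="block-legacy-sites"><target><tags><member>legacy</member></tags>
<negate>yes</negate></target></entry>
</rules></security></pre-rulebase></entry></device-group></entry></devices></config>"""

# Constructed sample of the firewall's running config after the push: the
# tag-targeted rule "allow-gp-users" is the one that silently went missing.
FIREWALL_XML = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><rulebase><security><rules>
<entry name="allow-dns"/>
<entry name="block-legacy-sites"/>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""


def rule_targets_device(rule, device_tags):
    """True if a Panorama rule applies to a device carrying device_tags.
    No <target> means every device in the group gets the rule; otherwise the
    device must carry at least one tag under <target><tags>, and
    <negate>yes</negate> inverts that selection. (Serial-based targeting is out of scope.)"""
    target = rule.find("target")
    if target is None:
        return True
    tags = {m.text for m in target.findall("tags/member")}
    negate = (target.findtext("negate") or "no") == "yes"
    selected = bool(tags & set(device_tags)) if tags else True
    return selected != negate


def expected_rules(panorama_xml, device_group, device_tags):
    """Security rule names Panorama should push to this device (pre- and post-rulebase)."""
    dg = ET.fromstring(panorama_xml).find(f".//device-group/entry[@name='{device_group}']")
    rules = dg.findall(".//security/rules/entry") if dg is not None else []
    return {r.get("name") for r in rules if rule_targets_device(r, device_tags)}


def firewall_rules(firewall_xml):
    """Security rule names actually present in the firewall's running config."""
    root = ET.fromstring(firewall_xml)
    return {r.get("name") for r in root.findall(".//vsys/entry/rulebase/security/rules/entry")}


def missing_rules(panorama_xml, device_group, device_tags, firewall_xml):
    """Rules Panorama intends for the device that the firewall does not hold."""
    return sorted(expected_rules(panorama_xml, device_group, device_tags) - firewall_rules(firewall_xml))


if __name__ == "__main__":
    print(missing_rules(PANORAMA_XML, "Branches", ["gp-sites"], FIREWALL_XML))
```

Run it against a real pair of exports (Panorama device-group config and the firewall's `show config running` output) with the device's actual tags, and alert on any non-empty result.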
02-13-2022 11:21 AM
Hey Guys!
Just wanted to let you know, TAC informed us that they escalated the issue to engineering. Let's hope the guys come up with a solution fast.
Regards
Attila
02-18-2022 01:05 AM
Update.
TAC informed me, they could reproduce the issue in their lab. It's not much, but it's another step towards the solution.
Regards
03-02-2022 05:50 AM
Great to hear,
In the meantime we have been told that in our case it will be fixed with 10.1.5 which should come out early march.
We've been told to deploy/push 1 Device-Group a time for devices running 10.1.x
Regards
Alex
03-16-2022 03:19 AM
Hi Guys,
Same here, the bug is labeled PAN-184761 (I can't find it though). TAC said it will be addressed in 10.1.5, ETA March 24.
Regards
Attila
03-28-2022 07:41 AM
Hi Everyone,
PAN-OS 10.1.5 is out. I can confirm that the issue is now resolved; device tags are working again as intended, no workaround necessary.
Regards
Attila
05-11-2022 02:54 PM
10.1.5-h1 -- still the same issue
08-18-2022 07:52 AM
Issue still exists in 10.1.6h3, at least for NAT rules...TAC is rather useless...