Panorama - Device TAGs stopped working after upgrade to PAN-OS 10.1.x

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Panorama - Device TAGs stopped working after upgrade to PAN-OS 10.1.x

L2 Linker

Hi, 

 

So after upgrading Panorama (and our firewalls) to PAN-OS 10.1.x, our security policies stopped working which had device tags attached to them. Turned out, the rules simply dissapeared from the firewalls.

 

On Panorama, Combined Rule Preview shows the actual (tagged) rules as normal, but after a successful push/commit there's no sign of the rules on the local firewall.

 

Anyone experienced this?

 

Cheers

1 ACCEPTED SOLUTION

Accepted Solutions

Cyber Elite
Cyber Elite

Have you checked for know bugs for your version or addressed bugs in other versions as in 10.1.4 h2 I see this solved bug

 

PAN-OS 10.1.4-h2 Addressed Issues (paloaltonetworks.com)

 


PAN-184445
Fixed an issue where, after upgrading Panorama and enabling 
Share Unused Address and Service Objects with Devices
, address objects using tags to dynamic address groups were removed after a full commit.

 

 

 

As this is community site where non palo alto TAC support people help each other  the other thing I could think of is as mentioned to remove the firewall from panorama and configure the tags and then add it again by making new templates, device groups.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cmd6CAC

 

How to add a locally managed firewall to panorama management - Knowledge Base - Palo Alto Networks

 

 

Outside of that raise a TAC case if the latest version 10.1.4 h2 does not solve your issue.

 

 

Edit:

 

 

Also 10.1.x is still not so stable so if 10.1.4 h2 does not maybe try 10.x the latest version and hotfix.

View solution in original post

13 REPLIES 13

Cyber Elite
Cyber Elite

Review the known bugs related to tags for your version:

 

PAN-OS 10.1.0 Known Issues (paloaltonetworks.com)

 

 

In an active-passive HA configuration, tags for dynamic user groups are not persistent after rebooting the firewall because the active firewall does not sync the tags to the passive firewall during failover.

 

 

Changing the device group configured in a monitoring definition from a child DG to a parent DG, or vice versa, might cause firewalls configured in the child DG to lose IP tag mapping information received from the monitoring definition. Only firewalls assigned to the parent DG receive IP tag mapping updates.
Workaround
: Perform a manual config sync on the device group that lost the IP tag mapping information.
 
 
Dynamic tags from other sources are accessible using the CLI but do not display on the Panorama web interface.
 
 
 
Also you may check the CLI, or even re-add the firewall to panorama (remove and add it again):
 

Hi,

I recognized the same problem today in two locations with PA-220. The users cannot login to GlobalProtect anymore, because the NAT and security policies which are applied by tag are not visible on the local devices anymore.

First just one location. Users told me about connection problems with GlobalProtect. By a look on the firewall I saw that the policies are missing, in the Panorama they were visible. I saw that there was an outstanding push on the Panorama, the preview showed that the policies I was missing should be applied to the location where they were missing. Very strange, because we just wanted to commit and push some shared objects to all locations. I pushed it and hoped it solves the problem.
After the successful commit the policies still were not visible on the local device, just on the Panorama.

I tried a reboot of the Panorama and a reboot of the local firewall device without any improvement.
Both locations with same configuration were running one month without any problems after the firmware upgrade to 10.1.3, since today.
For testing I tried to trigger a new push of polices by applying a new security policy (also by tag) to the device-group-level where the two locations get the other policies (applied by tag) from.
After the commit and push the second location, which was running fine up to this moment, got the same problems as the other one, the policies (the old ones) were not visible on the local device anymore. The new one for testing neither.

Panorama firmware version: 10.1.3-h1


My workaround: I cloned the polices (security and NAT) to each local device-group-level and deleted the device tag. Not nice, but working.

The answer from the Nikolay_Dimitrov does NOT point to the problem we described.


Best regards

Cyber Elite
Cyber Elite

Have you checked for know bugs for your version or addressed bugs in other versions as in 10.1.4 h2 I see this solved bug

 

PAN-OS 10.1.4-h2 Addressed Issues (paloaltonetworks.com)

 


PAN-184445
Fixed an issue where, after upgrading Panorama and enabling 
Share Unused Address and Service Objects with Devices
, address objects using tags to dynamic address groups were removed after a full commit.

 

 

 

As this is community site where non palo alto TAC support people help each other  the other thing I could think of is as mentioned to remove the firewall from panorama and configure the tags and then add it again by making new templates, device groups.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cmd6CAC

 

How to add a locally managed firewall to panorama management - Knowledge Base - Palo Alto Networks

 

 

Outside of that raise a TAC case if the latest version 10.1.4 h2 does not solve your issue.

 

 

Edit:

 

 

Also 10.1.x is still not so stable so if 10.1.4 h2 does not maybe try 10.x the latest version and hotfix.

Hey, thank you very much for your fast reply! I installed the update the night before and just wanted to report that it works with 10.1.4, when I saw your reply.

In addition: The panorama and also the local firewall needed the 10.1.4, afterwards I removed the tag from the device in panorama and committed and pushed it. After readding the tag and committing and pushing the changes, the rules appeared again.

 

Best regards

 

Short update: In my case it was enough to trigger a manual push of the device-group settings to the upgraded firewall, also if there are no pending changes. Just select the device-group and push it. Afterwards the rules handled by tag are appearing again.

 

Best regards

Thank you for your answer, I already tried 10.4.1-h2 and it did not solve the issue (all firewalls are on 10.1.4 also). It solved my other problem  with dynamic device groups tough.. 🙂

 

Generating config on the bottom level device group then push & commit makes the said rule appear again.

 

The problem is when I modify something in the parent device group or in Shared policy then push & commit (thus generating and pushing config to all child device groups) the policies dissapear again.

 

I tried to remove the tag from device, push/commit then re-add it again as @PhillipSchuermann suggested, but it didn't help.

 

It could be a workaround to push&commit for each child device group, but I have 60+ device groups under my parent DG, where I store most of my policies, so it's not for me. And again, modifing Shared policies will also trigger the problem.

 

I had a remote session with a TAC engineer, and he confirmed the problem, it's still under investigation.

 

Best regards

L2 Linker

Hey PozsonyiAttila

 

I am facing the same issue as you do. Panorama with 10.1.4h2 and firewalls running 10.1.4 (before when the issue started we had 10.1.3 running).
This only happens to the firewalls running 10.1.3/4, all firewalls currently running 10.0.x do not face this issue.

 

what worries me the most, is that one does not see the rules being deleted when doing a push preview before deploying.

We have a TAC open and it is also under investigation.

This all started with 10.1.3 (which we upgraded because of new PA400 firewalls and log4j fix.
We upgraded to 10.1.4h2 by TAC recommendation, which actually made us face the issue with dynamic object groups, which had to be fixed with a creating and deleting a dummy object that uses a tag.

 

Let's hope they soon find the issue for it and provide a fix.

Regards

Alex

There's no home like 127.0.0.1

Hey Guys!

 

Just wanted to let you know, TAC informed us that they escalated the issue to engineering. Let's hope the guys come up with a solution fast.

 

Regards

 

Attila

L2 Linker

Update.

 

TAC informed me, they could reproduce the issue in their lab. It's not much, but it's another step towards the solution.

 

Regards

L2 Linker

Great to hear,

 

In the meantime we have been told that in our case it will be fixed with 10.1.5 which should come out early march.

We've been told to deploy/push 1 Device-Group a time for devices running 10.1.x 

 

Regards

Alex

There's no home like 127.0.0.1
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!