Panorama fails to commit device group to new firewalls

Hello,

We are running 10.1.9-h1 Panorama server that manages multiple PA firewalls.

We have imported a new HA pair of PA-450s and a new HA pair of PA-3220 firewalls.

The PA-3220 firewalls are in a template and device group configuration. When committing from Panorama to the PA-3220s for the first time, the template pushes fine but the device group commit fails.

. Validation Error:
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source 'DN' is not an allowed keyword
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source DN is an invalid ipv4/v6 address
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source DN range separator('-') not found
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source 'DN' is not a valid reference
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source 'LN' is not an allowed keyword
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source LN is an invalid ipv4/v6 address
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source LN range separator('-') not found
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source 'LN' is not a valid reference
. rulebase -> security -> rules -> <<omitted ref>>inbound blocks -> source is invalid
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination 'DN' is not an allowed keyword
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination DN is an invalid ipv4/v6 address
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination DN range separator('-') not found
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination 'DN' is not a valid reference
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination 'LN' is not an allowed keyword
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination LN is an invalid ipv4/v6 address
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination LN range separator('-') not found
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination 'LN' is not a valid reference
. rulebase -> security -> rules -> <<omitted ref>>outbound blocks-1 -> destination is invalid
. rulebase -> security -> rules is invalid
. rulebase -> security is invalid
. rulebase is invalid
. vsys is invalid
. devices is invalid
. vsys1
. Error: Failed to find address 'DN'
. Error: Unknown address 'DN'
. Error: Failed to parse security policy
. (Module: device)
. client device phase 1 failure
. Configuration is invalid

The PA-450s were imported the same way but have not suffered this fate.

Any assistance as to why and how to fix this is appreciated.

1 REPLY

Hi @GrantCampbell4,

As mentioned at the bottom of this link, DN and LN regions were added recently: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFFCA0

So it looks like your PA-3220 firewall does not use the latest dynamic package updates compared to the Panorama and PA-450.

The first step would be to "check now" and install the latest dynamic content packages on the firewalls, then try again to push the config from Panorama.
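The failure pattern in this thread is a content-version skew: the device group references region codes (DN, LN) that Panorama's content package knows but the PA-3220's older package does not, so the firewall rejects them as unknown address references. The Python below is an added example, not code from the thread or from Palo Alto Networks. It parses the kind of validation text shown above into per-rule unresolved names, and shows a pre-push check that a practitioner can run from their own inventory before committing: each rule's source and destination is resolved against the target firewall's address objects and region list, and whatever fails is classified by whether Panorama resolves it (a content mismatch or an object not yet on the firewall) or whether nothing resolves it (a genuine missing object or typo). The sample validation lines, region sets, address objects and rules are all constructed; real region lists come from the content package installed on each device.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample of the validation text Panorama returns when a device-group
# push references region codes the target firewall's content version lacks.
SAMPLE_VALIDATION_OUTPUT = """\
. Validation Error:
. rulebase -> security -> rules -> inbound blocks -> source 'DN' is not an allowed keyword
. rulebase -> security -> rules -> inbound blocks -> source 'DN' is not a valid reference
. rulebase -> security -> rules -> inbound blocks -> source 'LN' is not an allowed keyword
. rulebase -> security -> rules -> inbound blocks -> source 'LN' is not a valid reference
. rulebase -> security -> rules -> inbound blocks -> source is invalid
. rulebase -> security -> rules -> outbound blocks-1 -> destination 'DN' is not a valid reference
. rulebase -> security -> rules -> outbound blocks-1 -> destination 'LN' is not a valid reference
. Error: Failed to find address 'DN'
. Configuration is invalid
"""

# Only the "is not a valid reference" lines carry rule name, field and the
# unresolved name together, so that is the line shape we parse.
RULE_REF_RE = re.compile(
    r"rules -> (?P<rule>.+?) -> (?P<field>source|destination) "
    r"'(?P<name>[^']+)' is not a valid reference"
)


def unresolved_references(validation_output: str) -> Dict[str, Dict[str, Set[str]]]:
    """Parse Panorama validation text into {rule: {field: {unresolved names}}}."""
    found: Dict[str, Dict[str, Set[str]]] = {}
    for line in validation_output.splitlines():
        m = RULE_REF_RE.search(line)
        if m:
            found.setdefault(m["rule"], {}).setdefault(m["field"], set()).add(m["name"])
    return found


def is_ip_literal(value: str) -> bool:
    """True for an address, CIDR prefix or 'a-b' range that needs no object lookup."""
    try:
        if "-" in value:
            low, high = value.split("-", 1)
            ipaddress.ip_address(low)
            ipaddress.ip_address(high)
        else:
            ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def check_rules_against_firewall(
    rules: List[dict], fw_address_objects: Set[str], fw_regions: Set[str]
) -> Dict[str, Dict[str, Set[str]]]:
    """Pre-push check: every source/destination must resolve on the target firewall."""
    problems: Dict[str, Dict[str, Set[str]]] = {}
    for rule in rules:
        for field in ("source", "destination"):
            for ref in rule[field]:
                if ref == "any" or is_ip_literal(ref):
                    continue
                if ref in fw_address_objects or ref in fw_regions:
                    continue
                problems.setdefault(rule["name"], {}).setdefault(field, set()).add(ref)
    return problems


def classify_unresolved(problems, pan_address_objects: Set[str], pan_regions: Set[str]):
    """Split unresolved names by what Panorama itself knows about them."""
    refs = {r for fields in problems.values() for names in fields.values() for r in names}
    return {
        # Resolves as a region on Panorama only: the firewall's content package is behind.
        "content_mismatch": {r for r in refs if r in pan_regions},
        # Resolves as an address object on Panorama only: object not pushed/shared yet.
        "object_not_on_firewall": {r for r in refs if r in pan_address_objects},
        # Nothing resolves it: a typo or a genuinely missing object.
        "missing_everywhere": {r for r in refs if r not in pan_regions and r not in pan_address_objects},
    }


# Constructed inventory (hypothetical values). The PA-3220 is assumed to carry an
# older content package than Panorama, which already knows the DN and LN regions.
FIREWALL_REGIONS = {"US", "GB", "DE"}
PANORAMA_REGIONS = FIREWALL_REGIONS | {"DN", "LN"}
FIREWALL_ADDRESS_OBJECTS = {"corp-net"}
PANORAMA_ADDRESS_OBJECTS = {"corp-net", "dmz-net"}

SAMPLE_RULES = [
    {"name": "inbound blocks", "source": ["DN", "LN"], "destination": ["any"]},
    {"name": "outbound blocks-1", "source": ["corp-net"], "destination": ["DN", "LN"]},
    {"name": "dmz access", "source": ["10.0.0.0/8"], "destination": ["dmz-net"]},
    {"name": "legacy", "source": ["any"], "destination": ["old-srv"]},
]

if __name__ == "__main__":
    problems = check_rules_against_firewall(SAMPLE_RULES, FIREWALL_ADDRESS_OBJECTS, FIREWALL_REGIONS)
    for bucket, names in classify_unresolved(problems, PANORAMA_ADDRESS_OBJECTS, PANORAMA_REGIONS).items():
        print(f"{bucket}: {sorted(names)}")
```

Running the pre-push check on the constructed inventory reports DN and LN as a content mismatch, which is exactly the case the reply diagnoses: the fix is to update content on the firewall, not to edit the policy. The other two buckets matter because a content update will not cure them; an object that Panorama has but the firewall lacks needs to be in the pushed device group or shared scope, and a name unknown to both sides needs to be corrected in the rule.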
