Panorama unable to push configuration to the firewalls, "OOXML is not a valid reference" displayed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Panorama unable to push configuration to the firewalls, "OOXML is not a valid reference" displayed

L1 Bithead

Recently we upgrade the panorama to 11-1-2-h3, and found those firewall which under panos version 11.1.2-h3 would occur validation error"OOXML is not a valid reference", we have confirmed the content version and antivirus version of the panorama and the firewall had upgraded to the latest version , it seems that there is a new model called "OOXML" is in the Wildfire Inline ML which in the antivirus profile, we tried to disable it and pushes again, but still didn't work.

 

Does anybody faced this kind of problem before?

2 accepted solutions

Accepted Solutions

L1 Bithead

What worked for us was to delete the line in the CLI referencing the OOXML files. Then the pushes to other, older versions of PanOS work. The OOXML issue only appears if you try to edit the security profile and then make a push

View solution in original post

Logged in to say thank you for this. 

It took me a minute to decipher this, if anyone else needs it spelled out even more.

I made an AV in a device group for a specific firewall. 

delete device-group Example-Group profiles virus Example-AV mlav-engine-filebased-enabled OOXML

I then I made an altered clone, saw it was going to need to hit multiple FWs, so I moved it up the stack and then got the error on a lot more FWs.

delete shared profiles virus Example-AV mlav-engine-filebased-enabled OOXML

It had also been a few hours since I read the above post and forgot the caveats the user put in the same line.  I was getting concerned that this list was empty. 

delete device-group Higher -In-The-Device-Group-Example-Group profiles virus Example-AV mlav-engine-filebased-enabled OOXML

 I eventually realized my mistake though and found them in shared.

 

View solution in original post

12 REPLIES 12

L0 Member

Hi,

 

I randomly read posts on this site and I clicked on your post. It appears that you’re encountering a validation error related to the “OOXML” model when pushing configuration from Panorama to firewalls. Here are some steps to consider that you can follow:

  1. Ensure that the content versions on both Panorama and the firewalls match.
  2. Make sure the firewall’s Application & Threats database matches the version on Panorama.
  3. Check for any known issues related to this error.

If the problem persists, you can consider reaching out to support for further assistance. I hope my suggestion will be helpful for you to solve this issue. If you have any questions related to this then you can ask me. I will be glad to help you!

Best regard,
AarpMembership

Hi,

 

Thanks,I've checked the Application&threat version on both of them, so think I'll open a ticket for this.

L0 Member

Hi
we have the same issue.

 

Our ASC told us the following:

In version 11.1.3 OOXML support for WIldFire Inline ML was added (the docs say 11.1.3, but I could also find it in other 11.1.x versions, so I suspect a typo on Palo's part. https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-1113/oo... [docs.paloaltonetworks.com


Since the Panorama cannot push a feature to the firewalls that is not yet available there, you would either have to upgrade the firewalls once and adapt them to the Panorama or downgrade the Panorama, whichever suits you better.
You should then be able to commit/push again.

 

But upgrade or downgrade is not an option at this moment. So ticket is opened at PAN Support now.

L1 Bithead

What worked for us was to delete the line in the CLI referencing the OOXML files. Then the pushes to other, older versions of PanOS work. The OOXML issue only appears if you try to edit the security profile and then make a push

yes, confirmed, you can use command

delete shared /or DG name/ profiles virus <name Antivirus profile > mlav-engine-filebased-enabled OOXML

 

Logged in to say thank you for this. 

It took me a minute to decipher this, if anyone else needs it spelled out even more.

I made an AV in a device group for a specific firewall. 

delete device-group Example-Group profiles virus Example-AV mlav-engine-filebased-enabled OOXML

I then I made an altered clone, saw it was going to need to hit multiple FWs, so I moved it up the stack and then got the error on a lot more FWs.

delete shared profiles virus Example-AV mlav-engine-filebased-enabled OOXML

It had also been a few hours since I read the above post and forgot the caveats the user put in the same line.  I was getting concerned that this list was empty. 

delete device-group Higher -In-The-Device-Group-Example-Group profiles virus Example-AV mlav-engine-filebased-enabled OOXML

 I eventually realized my mistake though and found them in shared.

 

Boy I sure appreciate this level of detail.  Thanks for posting this up.  I was wondering how I was going to unf*ck this.  Cheers.

L1 Bithead

Anyone got resolution from palo alto TAC or removing antivirus profile is only option provided by palo alto ??? 

Thanks and regards
Sanha

This solution is not from Palo, this is a good workaround. The official solution from Palo is to upgrade all firewalls.

It was caused by PAN-249931 and was fixed in PAN-OS 11.1.2-H4. We upgraded to this version and resolved the issue.

We upgraded from 11.1.4-h1  to 11.1.5-h1 we encounter this issue .Ok i am not sure you aware about vulnerability but its not fixing under but 11.1.2-H4 so you have to upgrade PANOS

 CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface

Thanks and regards
Sanha

I havent understand . Are you able to delete mlav-engine-filebased-enabled OOXML from your antivirus profiles ???? After deleting it , issue was solved for you ?

Thanks and regards
Sanha
  • 2 accepted solutions
  • 5254 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!