Panorama unable to push configuration to the firewalls, "OOXML is not a valid reference" displayed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Panorama unable to push configuration to the firewalls, "OOXML is not a valid reference" displayed

L0 Member

Recently we upgrade the panorama to 11-1-2-h3, and found those firewall which under panos version 11.1.2-h3 would occur validation error"OOXML is not a valid reference", we have confirmed the content version and antivirus version of the panorama and the firewall had upgraded to the latest version , it seems that there is a new model called "OOXML" is in the Wildfire Inline ML which in the antivirus profile, we tried to disable it and pushes again, but still didn't work.

 

Does anybody faced this kind of problem before?

1 accepted solution

Accepted Solutions

L1 Bithead

What worked for us was to delete the line in the CLI referencing the OOXML files. Then the pushes to other, older versions of PanOS work. The OOXML issue only appears if you try to edit the security profile and then make a push

View solution in original post

5 REPLIES 5

L0 Member

Hi,

 

I randomly read posts on this site and I clicked on your post. It appears that you’re encountering a validation error related to the “OOXML” model when pushing configuration from Panorama to firewalls. Here are some steps to consider that you can follow:

  1. Ensure that the content versions on both Panorama and the firewalls match.
  2. Make sure the firewall’s Application & Threats database matches the version on Panorama.
  3. Check for any known issues related to this error.

If the problem persists, you can consider reaching out to support for further assistance. I hope my suggestion will be helpful for you to solve this issue. If you have any questions related to this then you can ask me. I will be glad to help you!

Best regard,
AarpMembership

Hi,

 

Thanks,I've checked the Application&threat version on both of them, so think I'll open a ticket for this.

L0 Member

Hi
we have the same issue.

 

Our ASC told us the following:

In version 11.1.3 OOXML support for WIldFire Inline ML was added (the docs say 11.1.3, but I could also find it in other 11.1.x versions, so I suspect a typo on Palo's part. https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new/wildfire-features-in-panos-1113/oo... [docs.paloaltonetworks.com


Since the Panorama cannot push a feature to the firewalls that is not yet available there, you would either have to upgrade the firewalls once and adapt them to the Panorama or downgrade the Panorama, whichever suits you better.
You should then be able to commit/push again.

 

But upgrade or downgrade is not an option at this moment. So ticket is opened at PAN Support now.

L1 Bithead

What worked for us was to delete the line in the CLI referencing the OOXML files. Then the pushes to other, older versions of PanOS work. The OOXML issue only appears if you try to edit the security profile and then make a push

yes, confirmed, you can use command

delete shared /or DG name/ profiles virus <name Antivirus profile > mlav-engine-filebased-enabled OOXML

 

  • 1 accepted solution
  • 1906 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!