We're using Panorama for the first time and I have a config that I want to push to a PA440. The device state is connected in Panorama and device certificate is valid.
In "Shared Policy Commit State" I have a "commit failed" saying:
Validation Error:
rulebase -> pbf -> rules -> default-via-tunnel -> from -> zone 'trust-l3' is not a valid reference
rulebase -> pbf -> rules -> default-via-tunnel -> from -> zone is invalid
Error: Rulebase 'pbf'
'trust-l3' zone is invalid from rule 'default-via-tunnel'
Error: Failed to parse pbf policy
(Module: device)
client device phase 1 failure
Commit failed
I copied that zone and rule from the PA220 that this PA440 is supposed to replace in a branch office and I don't see anything wrong with it.
"Template Last Commit State" says the commit is reverted:
I've found several workarounds, also in this community, and I've tried them all. Only nothing seems to work.
What else can I do? Does this look familiar to you?
Thank you very much,
Thanks for posting.
If you are migrating from Panorama managed PA-220 to PA-440, you typically do not need to copy any configuration. You should add PA-440 to the same Device Group and Template Stack, then push the configuration. If configuration was working for PA-220, it should work for PA-440 as well. Could you please share what configuration you copied?
By looking into the error you are getting. The PBF is not referencing zone. The PBF is configured in Device Group while zone is configured in Template. Make sure to push Template Stack to PA-440 first, then push the Device Group configuration. If that does not resolve the problem, try to delete the PBF from Device Group and configure it from scratch after you push zone from Template Stack.
The last error message in your post is related to feature added in PAN-OS 9.1 Doc to automatically rollback configuration if Panorama's configuration breaks connection. It looks like that something in the Template Stack is breaking connectivity. Unless you resolve this one, you will likely not be able to resolve the first issue with Device Group configuration. Unfortunately, there is not enough information to suggest what the issue might be. I would recommend to review your setting in Template. Are you making changes to management interface or IP address?
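The dependency described above (a PBF rule in the Device Group naming a zone that only exists in the Template) can be checked before pushing. This is an added example, not code from the thread or from Palo Alto Networks: it walks a trimmed, constructed Panorama-style config export and lists PBF 'from' zones that the Template does not define. The Device Group and Template names are assumptions.

```python
"""Pre-push check: do the zones referenced by Device Group PBF rules exist in the Template?
Added example. SAMPLE_CONFIG is a constructed, trimmed Panorama-style config; a real
export uses the same element names but carries many more nodes."""
import xml.etree.ElementTree as ET

# Constructed sample: Device Group 'branch' holds the PBF rule from the thread, while
# Template 'branch-tpl' defines only 'untrust', so 'trust-l3' is missing (the thread's error).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <device-group><entry name="branch">
      <pre-rulebase><pbf><rules>
        <entry name="default-via-tunnel">
          <from><zone><member>trust-l3</member></zone></from>
        </entry>
      </rules></pbf></pre-rulebase>
    </entry></device-group>
    <template><entry name="branch-tpl"><config><devices><entry name="localhost.localdomain">
      <vsys><entry name="vsys1"><zone>
        <entry name="untrust"/>
      </zone></entry></vsys>
    </entry></devices></config></entry></template>
  </entry></devices>
</config>"""

def template_zones(root, template):
    """Zone names defined in a Template (across all vsys)."""
    path = (f"./devices/entry/template/entry[@name='{template}']"
            "/config/devices/entry/vsys/entry/zone/entry")
    return {z.get("name") for z in root.findall(path)}

def pbf_zone_refs(root, device_group):
    """(rule name, zone) pairs for every 'from' zone of every PBF rule in a Device Group."""
    refs = []
    for rulebase in ("pre-rulebase", "post-rulebase"):
        path = (f"./devices/entry/device-group/entry[@name='{device_group}']"
                f"/{rulebase}/pbf/rules/entry")
        for rule in root.findall(path):
            for member in rule.findall("./from/zone/member"):
                refs.append((rule.get("name"), member.text))
    return refs

def missing_pbf_zones(xml_text, device_group, template):
    """Return the PBF (rule, zone) references that the Template does not define."""
    root = ET.fromstring(xml_text)
    defined = template_zones(root, template)
    return [ref for ref in pbf_zone_refs(root, device_group) if ref[1] not in defined]

if __name__ == "__main__":
    for rule, zone in missing_pbf_zones(SAMPLE_CONFIG, "branch", "branch-tpl"):
        print(f"rule '{rule}' references zone '{zone}', which the Template does not define")
```

Run it against a saved Panorama config export (Panorama > Setup > Operations > Export) with the real Device Group and Template names to catch the reference before the Device Group push fails.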
Thank you very much for your input. The PA220's (5 of them need to be replaced in branch offices with PA440's) were not deployed by Panorama in the past. I simply took one of the PA440's, did a basic config on it, added it in Panorama using the "Add" button under "Managed Devices - Summary" using an Auth Key and serial number.
I can see here the PA440 is connected and that the license is valid.
There was not much config to take over from the PA220. So I made a template and DG for the PA440 and literally typed over the config that I could see in the PA220 (policies, mgmt IP, DHCP, gateway, ...) using variables in Panorama for the IPs that will be different on every PA440.
I pushed the DG without the PBF, this worked, only I don't see any of the configured settings from this DG in the PA440... Pushing the template stack isn't successful yet, TBC... 🙂
Thank you for reply @Jeroen_Proost
For Device Group configuration, I am not aware of any scenario where Device Group configuration is pushed and the configuration is not in the Panorama-managed Firewall. The only scenario I can think of is either a tag limiting the target where policies are being pushed (sample reference below) or an error preventing a successful push.
If you did not encounter either of these issues and PA-440 Firewall is in the right Device Group, then this will have to be investigated in depth.
Regarding Template configuration, you mentioned that you added management interface into Template. I would recommend to remove it from Template and keep management interface configuration managed locally. If you still encounter an error, you can check more details from CLI logs. SSH to Panorama and Firewall and issue below commands and search for the error:
Hello @PavelK ,
I wasn't able to remove the management interface from the template. I wanted to update the PAN-OS version on the FW, but during the update we faced a network outage and since then I can't connect to the FW anymore. Next week I'm not able to look into this, but if I'm still not able to push the config after I've solved this the week after that, I'm going to contact PA support.
tail follow yes mp-log configd.log gave me the same error message as in the GUI; the command on the FW didn't work (maybe I did something wrong).
I thank you for your time and guidance, I learned some new things now 🙂
Thank you for the reply.
Could you please share the error or describe the issue preventing you from removing the management interface from the Template?
Regarding the Firewall's PAN-OS upgrade, after the image is downloaded to the Firewall, the upgrade is running locally, so network outage should not play any role. When you say, you can't connect to Firewall, is Firewall completely offline? Do you have access to console port?
To troubleshoot the Template configuration push issues, you should run below command in Panorama:
Sorry for the late reply, but I'm just back to continue on this issue. I don't get to see an error when I want to remove the management interface, I just can't do it because I don't see the possibility to do it (button,...).
Concerning the commands, on the FW:
admin@PA-440> tail follow yes mp-log devsrvr.log
/usr/bin/tail: cannot open '/var/log/pan/devsrvr.log' for reading: No such file or directory
On the Panorama CLI: I don't see anything about the PA-440 anymore... I don't get it...
I do notice in the GUI of Panorama that the Device State says "disconnected" (but it's not) and the software version is 10.2, which is the version I installed through the CLI this morning (!). I have to say, I re-installed that version because I was installing it the last time I could connect to the PA-440's GUI when that network outage took place, and I wasn't sure it had completed.
Thank you for the reply.
By default a Template includes Management interface with blank configuration. If you have done any changes to the management interface in Template you can set it back to default by setting everything to "none", however you will not find a button to completely remove the interface from Template. Below are screens and KB reference:
Regarding Firewall being disconnected from Panorama, could you please check this KB.
Regarding the error you posted, I am sorry, I made a typo. The correct command is: