Service object injected from Panorama, local view on firewall says destination port [ object Object ].

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Service object injected from Panorama, local view on firewall says destination port [ object Object ].

L4 Transporter

Service object injected from Panorama, local view on firewall says destination port [ object Object ].

 

Thank you very much as always.

 

Can you support and help me by confirming if this is completely normal behavior.

 

I have a Panorama and I am injecting a new service to two firewalls in HA that share the same Template/Template Stack.

 

Well my doubt is because if I enter the firewall where it was already correctly injected/push the config the object is like:

 

Test Object:

 

Test, it appears in yellow marking that it has been injected from Panorama and but in the column, to see the destination port does not appear the tcp port, which was set from Panorama Device-Group, it only says [ object Object Object ]. If I go, for example, to look at the security policy used by this service and query for the value of the service, I get Name: test Protocol: TCP port: 8888.

 

In the local firewall Web-Gui:

Local-FW-Gui-gui-Destination-portLocal-FW-Gui-gui-Destination-port

 
In the local firewall Web-Gui / Security policy Value Test Service:

 

View-Check Value From Local-web gui Security Policy Setion, and check Value of Test Service, and show the tcp/port 8888View-Check Value From Local-web gui Security Policy Setion, and check Value of Test Service, and show the tcp/port 8888

 

From PANORAMA WEB-GUI View:

From Panorama WEB-GUIFrom Panorama WEB-GUI

 

 

Please can you tell me if this is a totally expected behavior, that when checking directly and locally the object, in yellow, as it comes from Panorama, it only says [ object Object Object ] in the destination port section, but if I check it in the policy when querying for the value if it appears.

 

Thank you very much, I remain attentive, best regards.

High Sticker
1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Thank you for update @Metgatz

 

you were hitting this bug: PAN-141515 that was fixed in 9.1.4.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-addressed-issues/pan-os...

 

PavelK_0-1657517819284.png

Kind Regards

Pavel

 

 

 

Help the community: Like helpful comments and mark solutions.

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Thank you for the post @Metgatz

 

no, this is not expected. The destination port should show up the same way as configured in Panorama.

 

It looks like you are running on Panorama 9.1.X. Personally, I have been running all versions in 9.1 up to the latest and never hit this kind of issue. Could you please confirm what version you are using on Panorama and Firewall side? Are you able to reproduce this issue or was this just one time thing?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

@PavelK 

Hello, thank you very much for your reply.
 
The Virtual environment of the LAB Vmware is:
 
-PANORAMA VM PAN-OS 9.1.4
-Two VM-100 Firewall HA ( Active/Pasive ) PAN-OS:9.1.3
 
Simply creating an object from Panorama device-group and commit and push from Panorama runs correctly with no errors on the firewalls.
 
Thank you, I remain attentive
High Sticker

@PavelK 

 

Hello, thank you very much for your reply.

 

I generated a new service and the same thing keeps happening, in the view directly from the firewall, the destination port is not displayed.

 

Therefore what I chose was to upgrade the firewalls from 9.1.3 to 9.1.4. Although the strange thing is that if Panorama is in version 9.1.4 and the firewalls in 9.1.3, this at the level of logic and according to the documentation of Palo Alto Networks should work and not have any compatibility problems, however there was that display problem, so do the Upgrade to version 9. 1.4 of the Firewalls, and after that, the service is displayed correctly, showing its tcp destination port, the new one and the one created before, in the web-gui of the firewall directly.

 

Thank you, best regards

High Sticker

Cyber Elite
Cyber Elite

Thank you for update @Metgatz

 

you were hitting this bug: PAN-141515 that was fixed in 9.1.4.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-addressed-issues/pan-os...

 

PavelK_0-1657517819284.png

Kind Regards

Pavel

 

 

 

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 2727 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!