Unable to perform initial export and push due to shared objects


L1 Bithead

Hello


I am encountering a particularly frustrating problem.

After importing a device's configuration into Panorama, the commit fails because the initial export and push includes shared objects, but not shared items in the templates.

So if I, for example, have email log forwarding in my shared objects, commit on the device fails because the emails are not present in the template.

The emails are present in the template stack, but not in the single template, and Panorama is not pushing what is in the template stack.

Share Unused Address and Service Objects with Devices is unticked.


Any suggestions?

3 REPLIES

Hi @SomeSuch 

I am not sure if I am understanding your problem correctly, but the proper process of onboarding a firewall to Panorama that already has some configuration should be:

- Panorama -> Setup -> Operations -> Import Device configuration to Panorama -> Select the firewall. This will create new device-group, template and template stack and assign the firewall to them.

- Make any modification you like to the device-group, template or template stack. For example, add a template to the template stack that contains shared settings, or rename the stack, template or group.

- Commit to Panorama only - don't push any configuration to firewall yet.

- Panorama -> Setup -> Operations -> Export or push device config bundle -> Select the firewall -> Push & Commit. This will replace the existing local configuration on the firewall with the configuration defined in the template stack and device-group.

I would suggest performing the above step during a maintenance window just in case, although it shouldn't affect forwarded traffic.

- At this point the FW will probably still show as out of sync in Panorama, but it will have its local config converted to Panorama-managed. So you can push config from Panorama to the FW and you should see the green "in sync".

The issue here is that from device groups, there are top-level shared objects which reference objects in a template that is not applied to the device yet.

Log forwarding profiles are objects defined in device groups and can be shared, however they reference server profiles defined in templates which would not be applied to a device during initial onboarding, so the initial “push device config bundle” will error out on commit and leave the firewall in limbo.


I believe the only solution for this is to manually resolve the dependency on the new device template or add the missing template with the referenced configuration to the stack. I am guessing at this point you would push another config bundle to the firewall to resolve the dependency, since the first push failed.

This seems like a failure in the configuration model of the firewall; the same reason we have reference templates for device groups is to resolve issues where an object depends on a template setting rather than the usual case of template settings depending on objects.

If there is a best practice or better solution for this please share it, as I am running into the same issue.
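A pre-push check for the dependency described above, added here as an example (it is not code from this thread or from Palo Alto Networks): it parses a Panorama-style XML export and lists the shared log forwarding profiles whose email server profiles are not defined by any template in a given template stack, so the gap can be fixed in Panorama before the device config bundle is pushed. The XML paths, the sample configuration and every profile, template and stack name in it are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed Panorama-style config fragment. The element paths used below are
# an assumption about the PAN-OS/Panorama XML layout, not taken from this thread.
SAMPLE_CONFIG = """<config>
<shared><log-settings><profiles>
  <entry name="LFP-Email"><match-list><entry name="threat">
    <send-email><member>soc-mail</member></send-email></entry></match-list></entry>
  <entry name="LFP-Pano"><match-list><entry name="traffic">
    <send-to-panorama>yes</send-to-panorama></entry></match-list></entry>
</profiles></log-settings></shared>
<devices><entry name="localhost.localdomain">
  <template>
    <entry name="imported-fw1"><config><shared><log-settings/></shared></config></entry>
    <entry name="shared-settings"><config><shared><log-settings>
      <email><entry name="soc-mail"/></email></log-settings></shared></config></entry>
  </template>
  <template-stack>
    <entry name="fw1-stack"><templates><member>imported-fw1</member></templates></entry>
    <entry name="fixed-stack"><templates><member>imported-fw1</member>
      <member>shared-settings</member></templates></entry>
  </template-stack>
</entry></devices></config>"""

def templates_in_stack(root, stack):
    """Template names assigned to a template stack, in stack order."""
    xp = f"./devices/entry/template-stack/entry[@name='{stack}']/templates/member"
    return [m.text for m in root.findall(xp)]

def email_profiles(root, template):
    """Email server profile names defined in one template's shared log settings."""
    xp = (f"./devices/entry/template/entry[@name='{template}']"
          "/config/shared/log-settings/email/entry")
    return {e.get("name") for e in root.findall(xp)}

def missing_email_refs(config_xml, stack):
    """Map each shared log forwarding profile to the email server profiles it
    references that no template in `stack` defines; an empty dict means clean."""
    root = ET.fromstring(config_xml)
    defined = set()
    for tmpl in templates_in_stack(root, stack):
        defined |= email_profiles(root, tmpl)
    missing = {}
    for prof in root.findall("./shared/log-settings/profiles/entry"):
        refs = {m.text for m in prof.findall("./match-list/entry/send-email/member")}
        unresolved = sorted(refs - defined)
        if unresolved:
            missing[prof.get("name")] = unresolved
    return missing
```

Running `missing_email_refs(SAMPLE_CONFIG, "fw1-stack")` reports the profile that would break the commit, while the same check against the stack that also carries the shared-settings template reports nothing.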

Cyber Elite

After you have imported the firewall config into Panorama, placed it into the correct device groups and attached the needed templates, you need to:


Panorama

Commit to Panorama

Panorama > Setup > Operations > Export or push device config bundle
Choose firewall

OK > Export (this will not try to commit config in the firewall)


Firewall cli
> configure
# load device-state (to load new config into candidate config)


Panorama
Commit to firewall
It might be necessary to choose "Force Template Values", but use this option with caution (do not accidentally push into production firewalls, as it will overwrite any overrides on the local firewall).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011