issues with app id updates resulting in commit failures due to exclude 'google-drive-web' is not a valid reference

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

issues with app id updates resulting in commit failures due to exclude 'google-drive-web' is not a valid reference

L1 Bithead

Hi Looks like the latest update breaks the application filter rule.  I had a look and it seem like the "google-drive-web' is a group and does not have an associated risk, 'google-drive-web-base' does have a risk 5 for it, I tried to create one called 'google-drive-web' but I unable to create one as the group is already named 'google-drive-web'

 

I have Raised a TAC case but any suggestions much appreciated.

 

Commit and Push
 
Completed
 
Failed
 
  • Validation Error:
  • shared -> application-filter -> Risk 5 -> exclude 'google-drive-web' is not a valid reference
  • shared -> application-filter -> Risk 5 -> exclude is invalid

 

 

 

1 accepted solution

Accepted Solutions

L0 Member

This can be fixed by creating a new Application filter with the same "excludes" as the filter/ filters that contain "google-drive-web". In the new filter you can exclude "Google-Drive-web-base". You then have to replace the filter all in the rules the original was located, once you have replaced them you then delete the errored filter. 

View solution in original post

11 REPLIES 11

L0 Member

Yes, i'm having the same issues too ( exact the same error). To commit, i first have to revert to the previous App-ID update. 

Thanks, I've got some issues. Reverting to the previous pack helped.

L0 Member

Having the same issue... Just started yesterday... I am kind of a newbe here... Do you mind saying how did you recert back to the previous pack?

Go to : Device \ Dynamic Updates -> Application and Threats ->Revert to 8851-8750.  But be aware this is only a temporary solution! Let's hope they release today or tomorrow a new App Policy.

Device --> Dynamic Updates --> Application and Threats, and press Revert on the  previous pack.I hope this helps you, as it helped me too

L1 Bithead

Thank you, its fixed our issue and really apprecate you taking the time to share.

L0 Member

Thank you.  Same issue here.  Hopefully they will get it straightened out.

L0 Member

This can be fixed by creating a new Application filter with the same "excludes" as the filter/ filters that contain "google-drive-web". In the new filter you can exclude "Google-Drive-web-base". You then have to replace the filter all in the rules the original was located, once you have replaced them you then delete the errored filter. 

L2 Linker

For those of you who don't want to wait for a more permanent fix, this worked for me as a quick way to get rid of the "bad" app-id from the app filters.  After doing the steps below, you'll need to exclude the new app-ids in your app filters.  Thanks to @eric.pedersen for the tip.  Palo Alto posted an advisory notice on this issue too.

 

This application filter is easily fixed on the CLI and doesn't have to be recreated. 

 

For example:

delete application-filter <name> exclude google-chat

 

or on Panorama:

delete shared application-filter <name> exclude google-chat

or, whatever scope other than shared that your application filter is in.

Thanks Pzungia,

 

This is the way forward there is a post with further detail.

 

https://live.paloaltonetworks.com/t5/customer-resources/customer-issue-impacting-applications-and-th...

The link tells me I do not have sufficient access...

  • 1 accepted solution
  • 8423 Views
  • 11 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!