For the last few days, we have been trying to import firewalls into Panorama and have not been successful at it.

Panorama firmware: 9.0.7
Palo Alto firmware: 8.1.13

Description of issue:

During the importing process, I was able to extract the configs from the PA firewall onto the Panorama. However, when I tried to commit the configs back to the PA firewall from Panorama, the commit would fail, and the reason for the failure is that there are missing IP addresses in ‘Objects’.

Following is the commit error:

rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination 'Host_13.55.26.51-32' is not an allowed keyword
rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination Host_13.55.26.51-32 is an invalid ipv4/v6 address
rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination Host_13.55.26.51-32 invalid range start IP
rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination 'Host_13.55.26.51-32' is not a valid reference
rulebase -> nat -> rules -> AESG-DNAT-P157-2 -> destination is invalid
Error: Failed to find address 'Host_13.55.26.51-32'
Error: Unknown address 'Host_13.55.26.51-32'
Error: Failed to parse nat policy
(Module: device)
Config 'AGENT-CONFIG': GlobalProtect App Dynamic Configuration misses information for 'show-system-tray-notifications'.
(Module: sslvpn)
Commit failed

It seems like the problem is with the missing objects during the importing process. As an example, the total number of addresses on the firewall is 490. However, we can only see 460 after the configs have been copied over from Panorama to the firewall.

We have also tried adding 'Host_13.55.26.51-32' manually to Panorama as a shared object but still cannot commit.

We did upgrade our Panorama firmware recently from 9.0.4 -> 9.0.7, and our firewall firmware from 8.0.13 -> 8.1.13.
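A check that can narrow down this kind of commit failure, as an added example that is not part of the original post: it lists NAT destination references with no matching address or address-group object in an exported firewall XML configuration, and the object names present in one export but absent from another. The XML layout it searches (`address/entry`, `address-group/entry`, `rulebase/nat/rules/entry/destination/member`), the function names and the sample configuration are assumptions constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (not from the post): DNAT-BROKEN references an undefined object.
SAMPLE_CONFIG = """<config><shared><address>
  <entry name="Host_10.0.0.5-32"><ip-netmask>10.0.0.5/32</ip-netmask></entry>
</address></shared>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
    <entry name="Host_192.0.2.10-32"><ip-netmask>192.0.2.10/32</ip-netmask></entry>
  </address>
  <rulebase><nat><rules>
    <entry name="DNAT-OK"><destination><member>Host_192.0.2.10-32</member></destination></entry>
    <entry name="DNAT-LITERAL"><destination><member>198.51.100.7</member></destination></entry>
    <entry name="DNAT-BROKEN"><destination><member>Host_203.0.113.51-32</member></destination></entry>
  </rules></nat></rulebase>
</entry></vsys></entry></devices></config>"""

def is_literal(value):
    """True for 'any', a bare IP, a CIDR network or an IP range (not an object name)."""
    if value == "any":
        return True
    try:
        for part in value.split("-", 1):
            ipaddress.ip_network(part, strict=False)
        return True
    except ValueError:
        return False

def defined_addresses(root):
    """Names of all address and address-group objects (shared and per-vsys)."""
    names = set()
    for tag in ("address", "address-group"):
        names.update(e.get("name") for e in root.iterfind(f".//{tag}/entry"))
    return names

def unresolved_nat_destinations(root):
    """(rule name, reference) pairs whose destination names no defined object."""
    known = defined_addresses(root)
    return [(rule.get("name"), m.text.strip())
            for rule in root.iterfind(".//rulebase/nat/rules/entry")
            for m in rule.iterfind("destination/member")
            if m.text and not is_literal(m.text.strip()) and m.text.strip() not in known]

def missing_objects(source_root, target_root):
    """Object names defined in the source export but absent from the target."""
    return sorted(defined_addresses(source_root) - defined_addresses(target_root))

if __name__ == "__main__":
    for rule, ref in unresolved_nat_destinations(ET.fromstring(SAMPLE_CONFIG)):
        print(f"NAT rule {rule}: destination '{ref}' has no matching object")
```

Running `missing_objects` on the firewall's own export and on the configuration it receives after the import gives the names behind a count mismatch such as the 490 versus 460 reported above.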