Hi all Panorama users,

Important to know: address groups are not valid in the exclude section, without a trick, for devices managed by Panorama.

The issue is related to the usage of the address group in the exclude list. The exclude list is not one of the areas where Panorama considers the address group to be used. Therefore, it is expected for the push to fail if this group is not referenced elsewhere. When the option "Share Unused Address and Service Objects with Devices" under Panorama settings is unselected, the shared objects/group will not be sent to the device. As a result, the commit on the device will fail.

To resolve this issue, you have two options:

1 - Configure the subnets directly on the exclude list.
-> Not preferred, because maintenance could be worse if you have multiple settings with those IPs.

2 - Configure the individual address objects on the exclude list.
- If the push fails, enable/check "Share Unused Address and Service Objects with Devices", then commit and push.
Panorama > Setup > Management > Panorama Settings
-> Whether you can use this solution depends on the box's object count limit.

3 - Preferred in my eyes:
- Configure a dummy security rule in Panorama at the bottom of the policy, where it will never be used, and add the address group to this rule.
-> This forces Panorama to push the address group to the firewall.
- Commit and push, only to the device group which is desired to use this address group in split tunneling. (Edit selection and choose the target device group, then push.)
- Check the firewall and make sure the dummy rule was added successfully to the security policies.
- Add the address group on the GP gateway, in the Exclude area.
- Commit to Panorama, then Commit and Push to the target template stack.

Happy firewalling
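As an added example (not part of the original post, and not Palo Alto Networks code): a small Python script that does the check behind option 3 offline. It parses an exported Panorama configuration and lists every address group that appears in a GlobalProtect split-tunnel exclude list but is referenced by no security rule, i.e. the groups Panorama will not push while "Share Unused Address and Service Objects with Devices" is off. It also builds the dummy post-rulebase rule from option 3 and shows that, once that rule is in place, the group is no longer flagged. The sample config, the device-group/template/gateway names, the rule name and the element paths (`address-group`, `security/rules/entry`, `split-tunneling/exclude-access-route`) are assumptions modelled on the PAN-OS XML layout; check them against your own `show config` export before relying on the result.

```python
"""Find address groups Panorama will not push (used only in a GP split-tunnel
exclude list, referenced by no security rule) and add the dummy rule that
forces the push. Element names are assumptions modelled on the PAN-OS XML
layout; verify them against a real `show config` export."""
import xml.etree.ElementTree as ET

# Constructed sample of a Panorama config export, trimmed to the relevant parts.
SAMPLE_CONFIG = """<config>
 <shared>
  <address>
   <entry name="saas-net-1"><ip-netmask>203.0.113.0/24</ip-netmask></entry>
   <entry name="saas-net-2"><ip-netmask>198.51.100.0/24</ip-netmask></entry>
  </address>
  <address-group>
   <entry name="GP-Exclude-Referenced"><static><member>saas-net-1</member></static></entry>
   <entry name="GP-Exclude-Orphan"><static><member>saas-net-2</member></static></entry>
  </address-group>
 </shared>
 <devices><entry name="localhost.localdomain">
  <device-group><entry name="DG-Branch">
   <post-rulebase><security><rules>
    <entry name="dummy-gp-exclude-ref">
     <from><member>any</member></from><to><member>any</member></to>
     <source><member>GP-Exclude-Referenced</member></source>
     <destination><member>any</member></destination>
     <application><member>any</member></application>
     <service><member>any</member></service>
     <action>deny</action>
    </entry>
   </rules></security></post-rulebase>
  </entry></device-group>
  <template><entry name="T-Branch"><config><devices><entry name="localhost.localdomain">
   <vsys><entry name="vsys1"><global-protect><global-protect-gateway>
    <entry name="GW-Branch"><remote-user-tunnel-configs><entry name="default">
     <split-tunneling><exclude-access-route>
      <member>GP-Exclude-Referenced</member>
      <member>GP-Exclude-Orphan</member>
     </exclude-access-route></split-tunneling>
    </entry></remote-user-tunnel-configs></entry>
   </global-protect-gateway></global-protect></entry></vsys>
  </entry></devices></config></entry></template>
 </entry></devices>
</config>"""


def address_group_names(root):
    """Every address group defined under <shared> or any device group."""
    return {e.get("name") for e in root.iterfind(".//address-group/entry")}


def groups_referenced_by_rules(root):
    """Names used as source/destination in any security rule (pre or post rulebase)."""
    used = set()
    for rule in root.iterfind(".//security/rules/entry"):
        for field in ("source", "destination"):
            used.update(m.text.strip() for m in rule.iterfind(f"{field}/member") if m.text)
    return used


def groups_in_split_tunnel_exclude(root):
    """Names listed in any GlobalProtect gateway split-tunnel exclude list."""
    return {m.text.strip()
            for m in root.iterfind(".//split-tunneling/exclude-access-route/member") if m.text}


def unpushed_exclude_groups(config_xml, share_unused=False):
    """Groups in an exclude list that Panorama will not push (share_unused mirrors the setting)."""
    if share_unused:  # with the Panorama option on, every shared object is pushed anyway
        return []
    root = ET.fromstring(config_xml)
    defined = address_group_names(root)
    referenced = groups_referenced_by_rules(root)
    return sorted(g for g in groups_in_split_tunnel_exclude(root)
                  if g in defined and g not in referenced)


def dummy_rule_element(rule_name, group_name):
    """Bottom-of-policy deny rule whose only job is to reference group_name."""
    rule = ET.Element("entry", name=rule_name)
    for tag, value in (("from", "any"), ("to", "any"), ("source", group_name),
                       ("destination", "any"), ("application", "any"), ("service", "any")):
        ET.SubElement(ET.SubElement(rule, tag), "member").text = value
    ET.SubElement(rule, "action").text = "deny"
    ET.SubElement(rule, "description").text = f"Dummy reference so Panorama pushes {group_name}"
    return rule


def add_dummy_rule(config_xml, device_group, rule_name, group_name):
    """Return config_xml with the dummy rule appended to the device group's post-rulebase."""
    root = ET.fromstring(config_xml)
    dg = root.find(f".//device-group/entry[@name='{device_group}']")
    if dg is None:
        raise ValueError(f"device group {device_group!r} not found")
    rules = dg
    for tag in ("post-rulebase", "security", "rules"):  # create the chain if it is missing
        nxt = rules.find(tag)
        rules = nxt if nxt is not None else ET.SubElement(rules, tag)
    rules.append(dummy_rule_element(rule_name, group_name))
    return ET.tostring(root, encoding="unicode")
```

On the sample, `unpushed_exclude_groups(SAMPLE_CONFIG)` returns `['GP-Exclude-Orphan']` (in the exclude list, in no rule), and after `add_dummy_rule(SAMPLE_CONFIG, "DG-Branch", "dummy-gp-exclude-orphan", "GP-Exclude-Orphan")` it returns `[]`. Against a real Panorama I would feed it the XML from a config export and, rather than editing the file, serialize the element from `dummy_rule_element` and set it under the device group's post-rulebase rules node with the XML API (`type=config&action=set`), then commit and push to that device group as in option 3; the exact xpath is something to take from your own export, not from this example.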