We have a handful of standalone PAs that we want to import into Panorama. However, in our first iteration it failed with the following errors and I am not sure why. The entire process isn't made clear to me either via PA (like a lot of their stuff, but I digress), so I was wondering if anyone has done this and can help point me in the right direction? Commit/validation fails on the following items on the firewall after import/export back to it from the Panorama:

Validation Error:
log-settings -> profiles -> Forward to Panorama and Email -> match-list -> test-Alerts -> send-email 'Test Alerts' is not a valid reference
log-settings -> profiles -> Forward to Panorama and Email -> match-list -> test-Alerts -> send-email is invalid
log-settings -> profiles -> Forward to Panorama and Email -> match-list is invalid
log-settings -> profiles is invalid
log-settings is invalid
shared is invalid
rulebase -> security -> rules -> outbound-block-all -> from 'trust' is not an allowed keyword
rulebase -> security -> rules -> outbound-block-all -> from 'trust' is not a valid reference
rulebase -> security -> rules -> outbound-block-all -> from is invalid
rulebase -> security -> rules -> outbound-block-all -> to 'untrust' is not an allowed keyword
rulebase -> security -> rules -> outbound-block-all -> to 'untrust' is not a valid reference
rulebase -> security -> rules -> outbound-block-all -> to is invalid
rulebase -> security -> rules -> untrust-block-all -> from 'untrust' is not an allowed keyword
rulebase -> security -> rules -> untrust-block-all -> from 'untrust' is not a valid reference
rulebase -> security -> rules -> untrust-block-all -> from is invalid
rulebase -> security -> rules is invalid
rulebase -> security is invalid
rulebase is invalid
vsys is invalid
devices is invalid
In VSYS vsys1 from zone trust of type unknown and to zone untrust of type unknown are incompatible in security rule outbound-block-all
Configuration is invalid

2 errors when trying to do this, both of which appear to be originating from the PAN > FW. The first one is a log setting on the 'outbound-block-all' rule on the PAN. That specific log setting doesn't exist on the FW. Again, same rule that is already on the PAN in 'Post Rules'; it's shared between all of our existing DGs on the PAN. The only difference between the zones on the FW and the PAN is the first letter is capitalized, which I assume is why it chokes? I changed the zone names to match on the FW but not sure what to do about the log/email settings? Also not sure why it's complaining about 'shared' as well.
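A way to triage validation output like the above, as an added example that is not part of the original post: it keeps only the "is not a valid reference" lines, treats the parent "is invalid" lines as cascades of those, and checks each referenced name against objects defined on the firewall, comparing case-sensitively. The `LOCAL_OBJECTS` values and the `triage` helper are hypothetical; the post does not list the firewall's actual object names.

```python
import re

# Constructed sample: a subset of the validation lines quoted in the post.
VALIDATION_OUTPUT = """\
log-settings -> profiles -> Forward to Panorama and Email -> match-list -> test-Alerts -> send-email 'Test Alerts' is not a valid reference
log-settings -> profiles -> Forward to Panorama and Email -> match-list -> test-Alerts -> send-email is invalid
log-settings -> profiles is invalid
shared is invalid
rulebase -> security -> rules -> outbound-block-all -> from 'trust' is not an allowed keyword
rulebase -> security -> rules -> outbound-block-all -> from 'trust' is not a valid reference
rulebase -> security -> rules -> outbound-block-all -> from is invalid
rulebase -> security -> rules -> outbound-block-all -> to 'untrust' is not a valid reference
rulebase -> security -> rules is invalid
"""

# Assumption: names defined locally on the firewall (hypothetical values; the
# post only says the zone names differ in the case of the first letter).
LOCAL_OBJECTS = {"from": {"Trust", "Untrust"}, "to": {"Trust", "Untrust"},
                 "send-email": set()}

REF_RE = re.compile(r"^(?P<path>.+?) '(?P<name>[^']+)' is not a valid reference$")

def triage(output, local_objects):
    """Return one finding per broken reference, skipping cascading parent lines."""
    findings = []
    for line in output.splitlines():
        m = REF_RE.match(line.strip())
        if not m:
            continue  # "is invalid" / "not an allowed keyword" lines are treated as cascades
        nodes = [n.strip() for n in m["path"].split("->")]
        field, owner, name = nodes[-1], nodes[-2], m["name"]
        defined = local_objects.get(field, set())
        # A name that matches only when case is ignored is a case mismatch.
        near = sorted(d for d in defined if d.lower() == name.lower())
        cause = f"case mismatch with {near[0]!r}" if near else "not defined on device"
        findings.append((owner, field, name, cause))
    return findings

if __name__ == "__main__":
    for owner, field, name, cause in triage(VALIDATION_OUTPUT, LOCAL_OBJECTS):
        print(f"{owner:20} {field:11} {name!r:14} {cause}")
```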