The issue is because of the "device / hip profile" option for policies introduced in 10?. I just was not able to find this feature in the release notes... can s/o link it? Panorama knows this new kind of filter: But your firewall not. Even if you don't configure it but change smth in the policy, panorama will add a "hip-profiles any;" to the configuration. And the device, witch does not know about such a configuration option, somehow interprets this as "hip-profile is a duplicate node". However it also reports back "rules is invalid". I've no idea yet to fix it. I have do overwrite new changes on the firewall directly because I am not able to push this template from panorama. You can easily proove it by using a configuration previev. --edit we were able to work arround things. this issue seems just to effect for cloned rules. you can delete these lines from panoama cli before commiting to the firewalls.
... View more