Created On 09/25/18 19:30 PM - Last Modified 08/05/19 20:11 PM
Palo Alto Networks firewalls are deployed on AWS and managed by Panorama.
After performing the following steps, the commit fails because of an invalid reference to the certificate from Templates for the decryption policy in the DG (Device Group). Cross-references between a DG and a template are based on common devices being present in both. If changes are made such that there are no common devices, the commit is expected to fail. At least one device needs to be common to both.
Note: The firewalls are auto-scaled on an as-needed basis, so auto-scaling may end up deleting all firewall instances at a single point in time.
Add a few firewalls to a device group and a template, and configure a set of policies: NAT rules and a decryption policy referencing a certificate from a Template.
Commit the changes and push them to the devices. This works fine.
Later, due to auto-scaling, all the devices are deleted from the device group and template, after which the user cannot commit to Panorama because of an invalid reference to the certificate from Templates for the decryption policy in the DG (Device Group).
Cross-references between DG and template are based on common devices being present in both. If changes are made such that there are no common devices, then commit is expected to fail. At least one device needs to be common in both configs.
We recommend that you create a dummy device in the device group or always have a single firewall instance running, in order to avoid the commit error.
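The common-device condition described above can be checked before a commit. The following is an added example, not code from the original article or from Palo Alto Networks: it assumes a simplified XML layout modelled on a Panorama configuration export, and the element paths, the names and the serial numbers in the sample are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in a simplified layout modelled on a Panorama config export.
# Element paths and all names/serials are assumptions, not taken from the article.
SAMPLE_CONFIG = """\
<config><devices><entry name="localhost.localdomain">
  <device-group>
    <entry name="dg-aws-prod"><devices><entry name="007EXAMPLE0001"/></devices></entry>
    <entry name="dg-aws-autoscale"><devices/></entry>
  </device-group>
  <template>
    <entry name="tpl-aws"><devices><entry name="007EXAMPLE0001"/></devices></entry>
  </template>
</entry></devices></config>
"""

def _members(root, container):
    """Map each entry under <container> to the set of device serials assigned to it."""
    out = {}
    for entry in root.findall(f"./devices/entry/{container}/entry"):
        out[entry.get("name")] = {d.get("name") for d in entry.findall("./devices/entry")}
    return out

def common_devices(config_xml):
    """Return {device_group: {template: shared serials}} for every overlapping pair."""
    root = ET.fromstring(config_xml)
    groups = _members(root, "device-group")
    # Devices may be attached to templates or template stacks (assumed tag names).
    templates = {**_members(root, "template"), **_members(root, "template-stack")}
    result = {}
    for dg, dg_devs in groups.items():
        result[dg] = {t: dg_devs & t_devs
                      for t, t_devs in templates.items() if dg_devs & t_devs}
    return result

def groups_without_common_device(config_xml):
    """Device groups that share no device with any template or template stack."""
    return sorted(dg for dg, shared in common_devices(config_xml).items() if not shared)

if __name__ == "__main__":
    for dg in groups_without_common_device(SAMPLE_CONFIG):
        print(f"{dg}: no device in common with any template; a commit is expected "
              "to fail if its policies reference template objects")
```

Run against an exported configuration before committing, a non-empty result identifies the device groups that need a dummy device or a permanently running firewall instance.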