Firewall CLI command to override Panorama-pushed template elements

• Panorama-pushed configurations cannot be changed directly from the managed firewall CLI.

• Panorama-pushed permitted-ip configuration is seen on Firewall
• Using the command "set deviceconfig system permitted-ip x.x.x.x"  on firewall CLI causes error message

> configure
# set deviceconfig system permitted-ip x.y.z.q/m
Server error : set failed, may need to override template object permitted-ip first

Note: Replace x.y.z.q/m with the IP address configured in your network for the firewall.

• Palo Alto Firewall.
• Panorama pushed configuration
• PAN-OS 9.1, 10.0

• Override command is only for overriding template pushed elements and not device groups.
• Override command can be used to override only certain template pushed elements. To check what elements can be overriden, inside of the CLI press "?" or TAB after each keyword:

# override <tab>
  captive-portal              captive-portal
  deviceconfig                deviceconfig
  dns-proxy                   Assign DNS proxy parameters
  global-protect              GlobalProtect
  group-mapping               group-mapping
  network                     network configuration
  shared                      shared
  ts-agent                    ts-agent
  url-admin-override          url-admin-override
  url-content-type            url-content-type
  user-id-agent               user-id-agent
  user-id-agent-sequence      user-id-agent-sequence
  user-id-collector           user-id-collector
  vm-info-source              vm-info-source
  zone                        zone