Palo Alto Networks Knowledgebase: Region Object Not Working in Security Policy

Region Object Not Working in Security Policy

Created On 02/08/19 00:03 AM - Last Updated 02/08/19 00:03 AM

Symptom

A security policy is configured to block traffic with source address 'CN', yet the policy never matches traffic sourced from the CN region.


Issue

A custom object named 'CN' was created under Objects > Regions.

This causes the idmanager mapping to associate the name 'CN' with the custom region object instead of the predefined CN country address block, so the policy is evaluated against the custom object's addresses rather than the country's address ranges.


To confirm the association with the custom region object, run the following command:

>debug device-server dump idmgr type vsys-region all

ID        Name
---------- --------------------
1024      vsys1+CN
Type: 35 Last id: 1025


Resolution

Reset the idmanager mapping for the region objects to clear this association, then run a force commit with the following commands:

  • >debug device-server reset id-manager type vsys-region
    The command responds with: vsys-region ID manager is unset! Please commit the config again.
  • # commit force


To confirm that the old mapping is no longer there, run the following command again and make sure the region object no longer shows in the output.

  • >debug device-server dump idmgr type vsys-region all
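An added audit helper, not part of this article or of PAN-OS: it parses the `debug device-server dump idmgr type vsys-region all` output shown above and flags any custom region whose name is a two-letter code, since PAN-OS identifies its predefined country regions by ISO 3166-1 alpha-2 codes such as CN, so a custom object with that kind of name is assumed to shadow the predefined region exactly as 'CN' did here. The sample dump is constructed from the article's example with two extra rows added for illustration.

```python
import re

# Constructed sample output of `debug device-server dump idmgr type vsys-region all`,
# modelled on the article; the Branch-Offices and vsys2 rows are added for illustration.
SAMPLE_DUMP = """\
ID        Name
---------- --------------------
1024      vsys1+CN
1025      vsys1+Branch-Offices
1026      vsys2+US
Type: 35 Last id: 1027
"""

# One data row: numeric ID, then "<vsys>+<region name>"; header, separator and
# the trailing "Type: ... Last id: ..." line do not match.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+?)\+(\S+)\s*$")

# Assumption (stated in the lead-in): predefined country regions are named by
# ISO 3166-1 alpha-2 codes, so a custom region with such a name shadows one.
COUNTRY_CODE_RE = re.compile(r"^[A-Z]{2}$")


def parse_vsys_region_dump(text):
    """Return [(id, vsys, region_name), ...] for every data row in the dump."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def find_shadowing_regions(text):
    """Return [(vsys, region_name), ...] for custom regions that look like country codes."""
    return [(vsys, name)
            for _, vsys, name in parse_vsys_region_dump(text)
            if COUNTRY_CODE_RE.match(name)]


if __name__ == "__main__":
    for vsys, name in find_shadowing_regions(SAMPLE_DUMP):
        print(f"{vsys}: custom region '{name}' shadows the predefined country region '{name}'; "
              "rename it, reset the vsys-region id-manager and commit force")
```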


owner: achitwadgi



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClicCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail