Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
Region Object Not Working in Security Policy - Knowledge Base - Palo Alto Networks

Region Object Not Working in Security Policy

38906
Created On 09/25/18 20:36 PM - Last Modified 06/01/23 08:45 AM


Symptom


Policy is configured to block traffic with source address 'CN,' yet policy never matches for traffic sourcing from CN region.

Cause


A custom object named 'CN' under Objects > Regions was created.

This causes the idmanager mapping to associate 'CN' with the custom region object instead of the predefined CN country address block.

 

To confirm association with custom region object, run the following command:

>debug device-server dump idmgr type vsys-region all

ID        Name

---------- --------------------

1024      vsys1+CN

Type: 35 Last id: 1025



Resolution


Reset the idmanager mapping for the region objects to clear this association, then run a force commit with the following commands:

  • >debug device-server reset id-manager type vsys-region
  • vsys-region ID manager is unset! Please commit the config again.
  • # commit force

 

To confirm that the old mapping is no longer there, run the following command again and make sure the region object no longer shows in the output.

  • >debug device-server dump idmgr type vsys-region all

 

owner: achitwadgi



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClicCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language