Region Object Not Working in Security Policy

35386
Created On 09/25/18 20:36 PM - Last Modified 06/01/23 08:45 AM


Symptom


A security policy is configured to block traffic whose source address is the region 'CN', yet the policy never matches traffic sourced from the CN region.

Cause


A custom object named 'CN' was created under Objects > Regions.

Because the custom object shares its name with the predefined country code, the idmanager mapping associates 'CN' with the custom region object instead of the predefined CN country address block.

To confirm that 'CN' is associated with the custom region object, run the following command:

>debug device-server dump idmgr type vsys-region all

ID        Name
---------- --------------------
1024      vsys1+CN

Type: 35 Last id: 1025



Resolution


Reset the idmanager mapping for the region objects to clear this association, then run a force commit. The reset command is run from operational mode (> prompt) and prints a message asking for another commit; the force commit is run from configure mode (# prompt):

  • >debug device-server reset id-manager type vsys-region
    (expected output: vsys-region ID manager is unset! Please commit the config again.)
  • # commit force

To confirm that the old mapping is gone, run the dump command again and make sure the custom region object no longer appears in the output:

  • >debug device-server dump idmgr type vsys-region all
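The check above is done by eye on the firewall CLI. The following Python is an added example, not part of this article or of any Palo Alto Networks tooling: it parses output in the same format as the dump shown above (the "ID Name" table with "vsys+name" entries and the "Type: ... Last id: ..." trailer) and flags any custom region object whose name is a two-letter code, which is the naming collision with a predefined country region that this article describes. The sample output is constructed for the example, and the two-letter-name rule is an assumption used as a heuristic: it flags candidates for review rather than proving a collision.

```python
import re

# Constructed sample in the format of
# "debug device-server dump idmgr type vsys-region all" (not captured from a live device).
SAMPLE_DUMP = """\
ID        Name
---------- --------------------
1024      vsys1+CN
1025      vsys1+Branch-Offices
Type: 35 Last id: 1026
"""

# One mapping row: "<id>  <vsys>+<region name>"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+?)\+(\S+)\s*$")
# Trailer line: "Type: <n> Last id: <n>"
TRAILER_RE = re.compile(r"^Type:\s*(\d+)\s+Last id:\s*(\d+)")
# Heuristic (assumption): predefined country regions use two-letter codes such as CN or US,
# so a custom region named with exactly two letters is a likely collision.
COUNTRY_CODE_RE = re.compile(r"^[A-Za-z]{2}$")


def parse_region_dump(text):
    """Parse the vsys-region id-manager dump.

    Returns (entries, trailer): entries is a list of {"id", "vsys", "name"} dicts,
    trailer is {"type", "last_id"} or None if the trailer line is absent.
    Header and separator lines are skipped because they never start with a digit.
    """
    entries, trailer = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"id": int(m.group(1)), "vsys": m.group(2), "name": m.group(3)})
            continue
        t = TRAILER_RE.match(line)
        if t:
            trailer = {"type": int(t.group(1)), "last_id": int(t.group(2))}
    return entries, trailer


def shadowing_regions(entries):
    """Return the custom region objects whose name looks like a country code."""
    return [e for e in entries if COUNTRY_CODE_RE.match(e["name"])]


if __name__ == "__main__":
    entries, trailer = parse_region_dump(SAMPLE_DUMP)
    print(f"{len(entries)} custom region mapping(s); trailer: {trailer}")
    for e in shadowing_regions(entries):
        print(f"review: {e['vsys']} region '{e['name']}' (id {e['id']}) "
              f"shares its name with a predefined country region")
```

Feed the script a saved copy of the dump from the firewall; an empty list from shadowing_regions after the reset and force commit is the same confirmation the article asks for, with the added benefit that a renamed custom object (one that no longer collides) is also reported as harmless.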

owner: achitwadgi


