Commit Failures Following PAN-OS v5.0.x Upgrade (Panorama Managed Device)
Following an upgrade to PAN-OS v5.0.x, managed devices whose locally configured Log Settings reference Panorama-pushed objects (for example, an 'SNMP Trap Server' object) experience commit failures, even though the AutoCommit that runs after the upgrade completes successfully.
Although the shared profile exists on the appliance and the Log Settings reference it (e.g. the Config Log is configured to use the Panorama Shared SNMP Trap Server), commits fail with an error referencing the shared server object. Additionally, when editing any of the available log settings, the SNMP Trap drop-down menu will NOT list the Panorama-pushed object, though the existing config still references the now 'ghosted' object.
Panorama v4.1.x referencing a 'Shared' SNMP Trap Server Profile:
Managed Device, PAN-OS v4.1.x showing the 'Panorama Pushed' Server Profile:
Managed Device, PAN-OS v4.1.x configured utilizing the 'Panorama Pushed' Server Profile as an SNMP Trap server for local log settings:
Commits initiated from either Panorama (on PAN-OS v4.1.8) or locally on the device should be successful:
Following the upgrade of Panorama/PAN-OS to v5.0.x, once the initial AutoCommit of the appliance has completed, subsequent commits fail with errors similar to the following:
Details: log-settings -> system -> informational -> send-snmptrap -> using-snmptrap-setting 'SNMP-Trap-Test' is_not_a_valid_reference
This is despite there being an SNMP Trap Server Profile (pushed from Panorama) available:
However, editing the local Log Settings and selecting the SNMP Trap drop-down for any of the severities WILL NOT list the Panorama Pushed Server Profile, which is consistent with the previous error:
Due to the schema changes that come with the major release upgrade (which include Panorama Template options, among others), a Template push to the device is required FIRST following the upgrade, followed by a Device Group push to ensure Panorama<->Device synchronization.
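To find which managed devices are affected after the upgrade, the commit failure text can be scanned for the 'is_not_a_valid_reference' detail line shown above. The following is an added example, not Palo Alto Networks code; it assumes the failure text of each device has already been collected into a string, and the device names and the second detail line are constructed sample data.

```python
import re
from collections import defaultdict

# Detail-line format quoted in the article:
#   node -> node -> ... 'object' is_not_a_valid_reference
DANGLING = re.compile(
    r"(?P<path>[\w-]+(?:\s*->\s*[\w-]+)+)\s+'(?P<obj>[^']+)'\s+is_not_a_valid_reference"
)

def find_dangling_refs(commit_output):
    """Return {object name: sorted config paths that reference it}."""
    refs = defaultdict(set)
    for line in commit_output.splitlines():
        m = DANGLING.search(line)
        if m:
            # Normalise "a -> b -> c" to "a/b/c" so duplicates collapse.
            path = "/".join(p.strip() for p in m.group("path").split("->"))
            refs[m.group("obj")].add(path)
    return {obj: sorted(paths) for obj, paths in refs.items()}

def devices_needing_template_push(outputs_by_device):
    """Keep only devices whose commit output shows ghosted references."""
    result = {}
    for device, text in outputs_by_device.items():
        found = find_dangling_refs(text)
        if found:
            result[device] = found
    return result

# Constructed sample input: hypothetical device names; the first detail
# line is the one from the article, the second is a constructed variant.
SAMPLE = {
    "fw-branch-01": (
        "Commit failed\n"
        "Details: log-settings -> system -> informational -> send-snmptrap -> "
        "using-snmptrap-setting 'SNMP-Trap-Test' is_not_a_valid_reference\n"
        "Details: log-settings -> system -> critical -> send-snmptrap -> "
        "using-snmptrap-setting 'SNMP-Trap-Test' is_not_a_valid_reference\n"
    ),
    "fw-branch-02": "Configuration committed successfully\n",
}

if __name__ == "__main__":
    for device, refs in devices_needing_template_push(SAMPLE).items():
        for obj, paths in refs.items():
            print(f"{device}: '{obj}' is ghosted, referenced from {len(paths)} path(s)")
```

Devices reported here are the ones to include in the Template commit before the Device Group commit.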
From the Panorama Context, select the 'Commit' operation, then select Commit Type: Template, along with the associated device experiencing the commit failures:
Following a successful Template Commit, commit once more to the device, this time selecting Commit Type: Device Group, which will re-push the shared objects and synchronize with the device:
Following the final Device Group push (Commit Succeeded), the managed device should now be in sync:
The managed device should now have a Panorama Pushed/Synced Server Profile, which will also be a selectable drop-down option in the local Log Settings:
Subsequent changes requiring either Panorama-pushed or locally initiated commits should now be successful: