Custom Region Name Overwriting Built-in Regions
Resolution
Issue
When a custom region is created with the same name as a built-in region (CA, US, or JP, for example) and is then deleted, the built-in region can still be used in policy, but it isn't applied and isn't visible in the dataplane running configuration.
Example:
- A custom region named "CA" was created
- The custom region was then deleted
- A security rule is in place that uses the CA and US regions
Looking at the rulebase, both regions are visible, as shown below:
# show rulebase security
rule2 {
from trust;
to untrust;
source any;
destination [CA US];
When looking at the running security policy on the dataplane, the CA region isn't there:
> show running security-policy
rule2 {
from trust;
source any;
source-region any;
to untrust;
destination any;
destination-region [ US ]
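The comparison above can be automated. The following Python is an added example, not Palo Alto Networks code: it parses the two CLI outputs in the shape shown on this page and reports regions that a rule references but that are missing from the dataplane copy. The function names and the REGIONS set are assumptions chosen for illustration.

```python
import re

# Sample outputs copied from this page (truncated there as well).
CANDIDATE = """rule2 { from trust;
to untrust;
source any;
destination [CA US];
"""
RUNNING = """rule2 {
from trust;
source any;
source-region any;
to untrust;
destination any;
destination-region [ US ]
"""
REGIONS = {"CA", "US", "JP"}  # assumption: region names the caller wants checked

RULE_RE = re.compile(r"^\s*(\S+)\s*\{")  # "rule2 {"
FIELD_RE = re.compile(r"^\s*([\w-]+)\s+(\[[^\]]*\]|[^;\s]+)\s*;?\s*$")  # "destination [CA US];"

def parse_rules(text):
    """Return {rule: {field: set(values)}} from the CLI output."""
    rules, current = {}, None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:  # the header may share its line with the first field
            current = rules.setdefault(m.group(1), {})
            line = line[m.end():]
        f = FIELD_RE.match(line)
        if f and current is not None:
            current[f.group(1)] = set(f.group(2).strip("[]").split())
    return rules

def missing_regions(candidate, running, regions):
    """Regions configured on a rule but absent from its dataplane copy."""
    cand, run = parse_rules(candidate), parse_rules(running)
    report = {}
    for name, fields in cand.items():
        for side in ("source", "destination"):
            wanted = fields.get(side, set()) & regions
            applied = run.get(name, {}).get(side + "-region", set())
            if wanted - applied:
                report.setdefault(name, {})[side] = sorted(wanted - applied)
    return report

if __name__ == "__main__":
    print(missing_regions(CANDIDATE, RUNNING, REGIONS))
```

A non-empty result means the rule is enforcing a narrower region match than the rulebase shows.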
Workaround
Resetting the region names to default will fix the issue. To do so, run the following command via the CLI:
> debug device-server reset id-manager type vsys-region
owner: yogihara