Cannot Change the Group ID of a HA Configuration from a Panorama Template

Cannot Change the Group ID of a HA Configuration from a Panorama Template

23139
Created On 09/26/18 13:55 PM - Last Modified 02/07/19 23:43 PM


Resolution


Issue

When changing the group ID of a HA configuration from a Panorama template, the following commit error occurs:

Mar 12 13:12:19 Error: pan_schema_verify_attribute(pan_schema_types.c:778):attr name failed to verify

Mar 12 13:12:19 Error: pan_schema_verify_attr(pan_schema_obj.c:3488): attribute name breaks schema at line 341

Mar 12 13:12:19 Error: pan_cfg_verify_ex(pan_cfg_commit_handler.c:999): invalid confgiuration. Schema verification failed.

Mar 12 13:12:19 <line><![CDATA[deviceconfig -> high-availability -> group -> 10 Constraints failed  : Only one HA Group ID allowed

Mar 12 13:12:19 Error: pan_jobmgr_process_job(pan_job_mgr.c:2914): error verifying commit candidate

Mar 12 13:12:22 Error: pan_cfg_md5sum_by_file(pan_cfg_utils.c:4998): file/opt/pancfg/mgmt/sp/vsys1/pretrans-sp-config.xml doesn't exist

Mar 12 13:12:22 Error:pan_cfg_sp_get_shared_policy_info(pan_cfg_shared_policy.c:1606): failed to get md5sum for file /opt/pancfg/mgmt/sp/vsys1/pretrans-sp-config.xml

 

Resolution :

 

Steps to be followed on the Managed Firewall :

 

  1. Log in to the device. Go to Device > Setup > Management. In the Panorama Settings widget, click on "Disable Network Template". In the popup, leave the checkbox blank (so as not to copy the template contents to the local space).
  2. Return to the same page and click on “Enable Network Template”.
    Note: The purpose of steps 1 and 2 are to temporarily free the template contents pushed from Panorama.
  3. Go to the High Availability (HA) setup page and set the group id to the desired new value (for example, 10).
    Note: Each HA group should have its own template so the HA group value is pushed to only that HA pair.

 

Steps to be followed on the Panorama :

 

 

  1. Change the template to have the new group ID and push it again to this device. This causes other template configurations to be recreated on the device. Step 1 caused the template objects to be lost.
  2. Make sure that the “Merge with candidate config” is checked, and perform a push just to this device.
  3. Now this device has group id 10 and also all the template objects are restored.

 

owner: kadak
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0jCAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language