Unable to Delete Shared Service Object When Vsys Object with Duplicate Name is Used in Policy

Created On 09/26/18 20:33 PM - Last Modified 06/08/23 05:39 AM


Overview

The Palo Alto Networks device permits a Service Object defined in a vsys to use the same name as a Shared Service Object.

For example, the screenshot below shows:

  • HTTP (TCP port 8080, shared object)
  • HTTP (TCP port 888, vsys object)

service_objects.PNG

 

Issue

The vsys Service Object takes precedence over the shared one: within that vsys, the vsys object overrides the shared object of the same name.

However, when an attempt is made to delete the Shared Service Object while a rule references the vsys Service Object of the same name, the error below appears:

         1- Failed to delete Service - HTTP

  • HTTP cannot be deleted because of references from:
  • vsys -> vsys1 -> rulebase -> security -> rules -> [policy name] -> service

delete_shared_object.PNG

 

Resolution

  1. Remove the service object from the security policy which uses it.
  2. Delete the object.
  3. Add the shared one back into the policy.
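
Added example, not part of the original article or of Palo Alto Networks' tooling: a Python check that lists each vsys Service Object shadowing a shared object of the same name, the port that actually takes effect, and the rules referencing that name. It assumes an exported configuration XML with service objects under `shared/service` and `devices/entry/vsys/entry/service`; the sample config, rule names, and the function name `find_shadowed_services` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the article's HTTP example; not from a real device.
SAMPLE_CONFIG = """<config>
  <shared><service>
    <entry name="HTTP"><protocol><tcp><port>8080</port></tcp></protocol></entry>
    <entry name="DNS-ALT"><protocol><udp><port>5353</port></udp></protocol></entry>
  </service></shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <service>
      <entry name="HTTP"><protocol><tcp><port>888</port></tcp></protocol></entry>
    </service>
    <rulebase><security><rules>
      <entry name="allow-web"><service><member>HTTP</member></service></entry>
      <entry name="allow-dns"><service><member>DNS-ALT</member></service></entry>
    </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""

def _services(parent):
    """Map service name -> 'proto/port' for <service> entries under parent."""
    found = {}
    for entry in parent.findall("./service/entry"):
        proto = entry.find("./protocol/*")
        found[entry.get("name")] = (
            "unknown" if proto is None
            else f"{proto.tag}/{proto.findtext('port', default='?')}")
    return found

def find_shadowed_services(config_xml):
    """One record per vsys service that shadows a shared service of the same name."""
    root = ET.fromstring(config_xml)
    shared_node = root.find("./shared")
    shared = _services(shared_node) if shared_node is not None else {}
    report = []
    for vsys in root.findall("./devices/entry/vsys/entry"):
        local = _services(vsys)
        for name in sorted(set(local) & set(shared)):
            # Rules in this vsys that reference the name resolve to the vsys object.
            rules = [r.get("name")
                     for r in vsys.findall("./rulebase/security/rules/entry")
                     if name in [m.text for m in r.findall("./service/member")]]
            report.append({"vsys": vsys.get("name"), "service": name,
                           "shared": shared[name], "effective": local[name],
                           "rules": rules})
    return report

if __name__ == "__main__":
    for row in find_shadowed_services(SAMPLE_CONFIG):
        print(row)
```

A non-empty `rules` list identifies the policies whose service reference has to be removed before the delete succeeds, and the `effective` field shows which port those policies match while the vsys object exists.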

 

See Also

Address/Address Group Objects Must Have Different Names

 

owner: tshimizu


