Commit warning for GlobalProtect App Dynamic Configuration missing information for 'enforce-dns'

Commit warning for GlobalProtect App Dynamic Configuration missing information for 'enforce-dns'

6989
Created On 02/14/19 23:10 PM - Last Modified 10/31/19 03:25 AM


Symptom


Getting warning when performing a commit on panorama that states, "GlobalProtect App Dynamic Configuration misses information for 'enforce-dns'."  

Commit Error Message: 
Config 'Associate-VPN': 
. GlobalProtect App Dynamic Configuration misses informaion for 'enforce-dns'. 
. Config 'VPN-A': 
. GlobalProtect App Dynamic Configuration misses informaion for 'enforce-dns'. 
. Config 'VPN-B': 
. GlobalProtect App Dynamic Configuration misses informaion for 'enforce-dns'. 
. (Module: sslvpn) 
. Commit failed

Environment


  • Panorama 8.0 and above.
  • Palo Alto Firewall using PAN-OS 7.0.x or 7.1.x.

Cause


The configuration option is not in the GUI and can be found in the merged device configuration. Firewall on 7.x is not recognizing the "enforce-dns" option.

Partial output of techsupport/opt/pancfg/mgmt/saved-configs file:  
...
          <dns-setting>
          </dns-setting>
                <dns-server>
                </dns-server>
                <dns-suffix>
                </dns-suffix>
                          <entry name="enforce-dns">
                          <entry name="flush-dns">
                          <entry name="enforce-dns">
                          <entry name="flush-dns">
                          <entry name="enforce-dns">
                          <entry name="flush-dns">
               ...

Resolution


Upgrade the Firewall to 8.x version to resolve the issue.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqZCAS&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail