Can't commit changes due to error message "Error: Profile compiler: cannot find tid 40006 in threat database."
Created On 07/23/19 04:03 AM - Last Modified 07/31/19 01:29 AM
Symptom
When trying to commit, the following error appears:
Error: Profile compiler : can not find tid 40006 in threat database
Environment
- Can affect any PAN-OS release
- Firewall
- Panorama
Cause
Threat ID 40006 is no longer supported because it is outside the range supported by dynamic content (Apps and Threats).
Resolution
To clear the commit error, threat-exception 40006 needs to be removed from each Vulnerability Profile that references it in the running configuration.
There are two ways to remove this threat exception:
Method 1 - GUI
- From the GUI, go to Objects > Security Profiles > Vulnerability Protection > [Name of Vulnerability Protection Profile] > Exceptions
- Use the Global search tool to find the security profile associated with the 40006 vulnerability ID range
Method 2 - CLI
- From the CLI, change the configuration output to set format
admin@Lab64-96-PA-5060> set cli config-output-format set
- Go into configure mode and search for the Threat ID number
admin@Lab64-96-PA-5060> set cli config-output-format set
admin@Lab64-96-PA-5060> configure
Entering configuration mode
[edit]
admin@Lab64-96-PA-5060# show | match 40006
Example:
set vsys vsys1 profiles vulnerability PortalZone threat-exception 40006 action default
set vsys vsys1 profiles vulnerability PortalZone threat-exception 40006 time-attribute interval 60
set vsys vsys1 profiles vulnerability PortalZone threat-exception 40006 time-attribute threshold 100
set vsys vsys1 profiles vulnerability PortalZone threat-exception 40006 time-attribute track-by source-and-destination
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 action default
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 time-attribute interval 60
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 time-attribute threshold 100
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 time-attribute track-by source-and-destination
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 exempt-ip 10.189.201.4
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 exempt-ip 10.189.201.5
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 exempt-ip 10.249.200.115
- Delete the configuration from the CLI
[edit]
admin@Lab64-96-PA-5060# delete vsys vsys1 profiles vulnerability PortalZone threat-exception 40006
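The match output above lists the exception under more than one profile, and "show | match 40006" also returns any other line that merely contains that number. The following is an added example, not Palo Alto Networks code: a Python helper that reads saved set-format output and builds one delete command per profile that references the threat ID. The sample lines are constructed from the article's example; the "Branch Office" profile, the 140006 line, the rule description line, and the quoting of names that contain spaces are assumptions.

```python
import re

# One set-format line of a vulnerability profile threat exception.
# Assumption: a profile name containing spaces appears in double quotes.
_LINE = re.compile(
    r'^set\s+(?P<scope>.+?)\s+profiles\s+vulnerability\s+'
    r'(?P<profile>"[^"]+"|\S+)\s+threat-exception\s+(?P<tid>\d+)(?:\s|$)'
)


def delete_commands(show_output, tid):
    """Return one delete command per profile that references `tid`."""
    commands = []
    for raw in show_output.splitlines():
        m = _LINE.match(raw.strip())
        # Compare the whole ID so 140006 or a free-text "40006" is ignored.
        if not m or m.group("tid") != str(tid):
            continue
        cmd = "delete {} profiles vulnerability {} threat-exception {}".format(
            m.group("scope"), m.group("profile"), tid)
        if cmd not in commands:  # many set lines collapse to one delete
            commands.append(cmd)
    return commands


# Constructed sample: lines from the article plus hypothetical edge cases.
SAMPLE = """\
set vsys vsys1 profiles vulnerability PortalZone threat-exception 40006 action default
set vsys vsys1 profiles vulnerability PortalZone threat-exception 40006 time-attribute interval 60
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 action default
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 exempt-ip 10.189.201.4
set vsys vsys1 profiles vulnerability "Branch Office" threat-exception 40006 action default
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 140006 action default
set vsys vsys1 rulebase security rules r1 description "ticket 40006"
"""

if __name__ == "__main__":
    for command in delete_commands(SAMPLE, 40006):
        print(command)
```

Review the generated commands before entering them in configuration mode, then retry the commit.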
Additional Information
For more information on supported threat ID ranges, see the document Threat ID Ranges in the Palo Alto Networks Content Database.