Commit fails with error 'panorama -> log-settings -> threat unexpected here' after switching mode from legacy to Panorama mode

Created On 02/25/20 05:45 AM - Last Modified 06/13/25 18:37 PM


Symptom


A validation error occurs during a commit or validation attempt after converting to Panorama mode.
  • Validation fails with the error message 'panorama -> log-settings -> threat unexpected here' because Threat is no longer a configuration option under Panorama > Log Settings once you are in Panorama mode.
  • In Legacy mode, Panorama has configuration options under Log Settings for Threat.


Environment


  • ANY PAN-OS
  • VM Panorama in Panorama mode  


Cause


  • After converting Panorama from Legacy mode to Panorama mode, commits no longer succeed and fail with the error 'panorama -> log-settings -> threat unexpected here panorama -> log-settings is invalid'.
         The full error message is shown below:
 
Can't commit changes to Panorama.
Validation Error
panorama -> log-settings -> threat unexpected here
panorama -> log-settings is invalid


Resolution


To fix the commit failure, follow these steps:
  • Export the candidate configuration from Panorama > Setup > Operations > Export named Panorama configuration snapshot and save the file to your machine.
  • Use Notepad++ or an XML editor to edit the exported candidate configuration and remove the entries below that are marked in red.
  • From the Panorama GUI (Setup > Operations), import and then load your custom Panorama candidate configuration.
  • Validate/Commit any changes; the commit should now be successful.
 
<panorama>
    <log-settings>
    ...
      <correlation>
        <match-list>
          <entry name="correlation-high">
            <filter>(severity eq high)</filter>
          </entry>
          <entry name="correlation-critical">
            <filter>(severity eq critical)</filter>
          </entry>
        </match-list>
      </correlation>
      <threat>
        <match-list>
          <entry name="panorama-threat-critical">
            <filter>(severity eq critical)</filter>
          </entry>
        </match-list>
      </threat>
      <data>
        <match-list>
          <entry name="panorama-data-critical">
            <filter>(severity eq critical)</filter>
          </entry>
        </match-list>
      </data>
    </log-settings>
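The edit in the second step can also be scripted. The following is an added example, not code from the original article: it assumes the entries to remove are the nodes the validation error reports as "unexpected here" (the `<threat>` element in this case) and that `<panorama>` sits directly under the root of the exported file. The sample configuration, error text and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed stand-in for an exported candidate config.
# Assumption: <panorama> is a direct child of the file's root element.
SAMPLE_CONFIG = """<config>
  <panorama>
    <log-settings>
      <correlation><match-list>
        <entry name="correlation-high"><filter>(severity eq high)</filter></entry>
      </match-list></correlation>
      <threat><match-list>
        <entry name="panorama-threat-critical"><filter>(severity eq critical)</filter></entry>
      </match-list></threat>
    </log-settings>
  </panorama>
</config>"""

# The validation output quoted in this article.
SAMPLE_ERRORS = """Validation Error
panorama -> log-settings -> threat unexpected here
panorama -> log-settings is invalid"""


def unexpected_paths(error_text):
    """Return node paths from lines of the form 'a -> b -> c unexpected here'."""
    paths = []
    for line in error_text.splitlines():
        m = re.match(r"\s*(.+?)\s+unexpected here\s*$", line)
        if m:
            paths.append([part.strip() for part in m.group(1).split("->")])
    return paths


def remove_unexpected(config_xml, error_text):
    """Delete every node named by an 'unexpected here' line.

    Returns (edited_xml, removed_paths). Sibling nodes are left untouched.
    """
    root = ET.fromstring(config_xml)
    removed = []
    for path in unexpected_paths(error_text):
        # Resolve the parent relative to the root, then drop the named child.
        for parent in root.findall("/".join(path[:-1])):
            for child in parent.findall(path[-1]):
                parent.remove(child)
                removed.append("/".join(path))
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    edited, removed = remove_unexpected(SAMPLE_CONFIG, SAMPLE_ERRORS)
    print("removed:", removed)
```

Keep the original export unchanged as a backup and compare it with the edited file before importing, so that only the intended nodes have been removed.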

 


Additional Information


Note: If you want to forward logs for the Threat, Data or Correlation categories, you need to set the Forward Method under Collector Group > Collector Log Forwarding > Threat.
