Commit Error: "default->protocol->bgp-> redist-rules is invalid" After Upgrading Firewall from PAN-OS 8.1 to 9.0.
10865
Created On 04/23/20 00:38 AM - Last Modified 03/18/22 19:31 PM
Symptom
- Updated PAN-OS from 8.1 to 9.0
- Trying to Commit gives Error: "default->protocol->bgp-> redist-rules is invalid"
- Error messages are also seen in ms.log which are shown below
2020-04-21 17:20:25.624 -0500 Error: pan_schema_verify_attr(pan_schema_obj.c:5117): attribute name breaks schema at line 3190 2020-04-21 17:20:25.624 -0500 Error: _pan_schema_verify_node(pan_schema_obj.c:6644): is invalid , node: redist-rules near line 3189 2020-04-21 17:20:25.629 -0500 Error: pan_cfg_verify_ex(pan_cfg_commit_handler.c:2338): invalid configuration. Schema verification failed.
Note: The same configuration was working fine in PAN-OS 8.1.x
Environment
- PAN-OS 9.0.x
- Palo Alto Firewall.
- Multiple BGP redistribution profiles configured
Cause
BGP redistribution profile names were same for both IPv4 and IPv6. Changes have been implemented in PAN-OS 9.0 to avoid duplicate names. This causes the validation failure.
Resolution
Create unique redistribution profiles for IPv4 and IPv6.
- Network>Virtual Routers> Select the Virtual Router
- Select Tab - Redistribution Profile>IPv4 or IPv6
- Rename either the IPv4 or IPv6 redistribution profile so they are not the same.
- In the example shown below, Redistribution Profile IPv4 is named as "rts-stat-connect"" and Redistribution Profile IPv6 is named as "rts6-stat-connect" which is unique.