Preview changes during the commit operation displays address and service objects being removed when it should not.

Created On 02/28/19 02:17 AM - Last Modified 01/16/21 03:23 AM


Symptom


  • Panorama is managing a few connected firewalls.
  • A firewall policy is disabled on Panorama before the changes are pushed to the firewalls.
  • When "Preview Changes" is run on Panorama, it displays the deletion of objects, services, etc. that are not part of this change.


Environment


  • Any Panorama.
  • Managed Palo Alto Firewalls.
  • PAN-OS 7.1 and above.


Cause


On the GUI of Panorama, there is a setting called "Share Unused Address and Service Objects with Devices" under Panorama Settings.

GUI: Panorama > Setup > Management > Panorama Settings
  • If the setting is enabled (checked), the objects in the shared policy of Panorama are pushed to the firewalls even when they are not used.
  • If the setting is disabled (unchecked), the objects in the shared policy of Panorama are not pushed to the firewalls unless they are used in a policy.
When the setting is unchecked, the corresponding shared objects are removed from the firewalls.


Resolution


On the GUI of Panorama:
  • Enable (check) the setting if the shared objects need to be pushed to the firewalls.
  • Disable (uncheck) the setting if the shared objects do not need to be pushed to the firewalls.
  With the setting unchecked, objects are removed if the policies using them are removed or disabled on Panorama.
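
The following Python example is added here and is not Palo Alto Networks code: it lists the shared address and service objects that no enabled rule references, which are the objects the article says are removed from firewalls when the setting is unchecked. The XML layout, the function name and the sample data are constructed for illustration, and address groups and other rule types are not handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample, loosely modelled on a Panorama configuration export.
# The element layout is an assumption for illustration, not a schema reference.
SAMPLE_CONFIG = """
<config>
  <shared>
    <address>
      <entry name="web-srv"><ip-netmask>10.0.0.10/32</ip-netmask></entry>
      <entry name="db-srv"><ip-netmask>10.0.0.20/32</ip-netmask></entry>
      <entry name="spare-host"><ip-netmask>10.0.0.99/32</ip-netmask></entry>
    </address>
    <service>
      <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
    </service>
  </shared>
  <rules>
    <entry name="allow-web">
      <destination><member>web-srv</member></destination>
      <service><member>tcp-8443</member></service>
    </entry>
    <entry name="allow-db">
      <destination><member>db-srv</member></destination>
      <disabled>yes</disabled>
    </entry>
  </rules>
</config>
"""

def objects_dropped_when_unshared(config_xml):
    """Return shared address/service names that no enabled rule references."""
    root = ET.fromstring(config_xml)
    shared = {e.get("name") for kind in ("address", "service")
              for e in root.findall(f"./shared/{kind}/entry")}
    in_use = set()
    for rule in root.findall("./rules/entry"):
        if (rule.findtext("disabled") or "").strip() == "yes":
            continue  # per the article, a disabled rule no longer keeps its objects
        for field in ("source", "destination", "service"):
            in_use.update(m.text.strip() for m in rule.findall(f"./{field}/member") if m.text)
    return sorted(shared - in_use)

if __name__ == "__main__":
    for name in objects_dropped_when_unshared(SAMPLE_CONFIG):
        print("would be removed from firewalls:", name)
```

Comparing this list before and after disabling a rule shows which deletions in "Preview Changes" come from the setting rather than from the change being committed.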


Additional Information


Panorama Administrator's Guide, Manage Unused Shared Objects

