Changes made to permitted IP address list on Panorama do not take effect.

Created On 06/30/21 08:40 AM - Last Modified 06/26/25 21:01 PM


Symptom


When the permitted IP address list on a Panorama non-management interface is updated, the configuration appears to be applied, but the permit list changes do not take effect.

Environment


  • Any Panorama
  • PANOS: 9.0, 9.1, 10.0


Cause


This occurs when the permitted IP address list is changed on a non-management interface (e.g. ethernet1/1) and only a commit to Panorama is performed.

Resolution


For the change to be applied successfully, a push to the Collector Group must also be done after the local Panorama commit.

Additional Information


Because this only affects non-management interfaces, it typically affects log collection that uses the additional interfaces on Panorama.
The configuration looks as though the change has been applied; however, the sdb variable has not been updated, as shown by the following CLI output:
 
> show system state filter cfg.net.s0.eth*.acl

Example output after also adding 10.1.1.0/24 to ethernet1/1:
cfg.net.s0.eth0.acl: { 'peers': [ 10.1.1.0/24, ], 'services': [ ssh, https, pan-panorama, pan-dlsrvr, snmp, snmptrap, ping, icmp, ], 'v6peers': [ ], }
cfg.net.s0.eth1.acl: { 'peers': [ ], 'services': [ icmp, ping, pan-dlsrvr, ], 'v6peers': [ ], }          <--- ethernet1 does not have any peers.
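
The check above can be scripted against saved CLI output. The following is an added example, not code from Palo Alto Networks: it parses the cfg.net.s0.eth*.acl lines and reports interfaces whose effective peers differ from the intended permit list. The sample lines are constructed from the output format shown above, and the function names and the dictionary of intended lists (keyed by the sdb interface name) are assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on the 'show system state' output shown above.
SAMPLE = """\
cfg.net.s0.eth0.acl: { 'peers': [ 10.1.1.0/24, ], 'services': [ ssh, https, pan-panorama, pan-dlsrvr, snmp, snmptrap, ping, icmp, ], 'v6peers': [ ], }
cfg.net.s0.eth1.acl: { 'peers': [ ], 'services': [ icmp, ping, pan-dlsrvr, ], 'v6peers': [ ], }
"""

LINE_RE = re.compile(r"^cfg\.net\.s0\.(eth\d+)\.acl:\s*\{(.*)\}")
FIELD_RE = re.compile(r"'(\w+)':\s*\[([^\]]*)\]")


def parse_acl_state(text):
    """Return {interface: {field: [items]}} parsed from the sdb ACL lines."""
    state = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip the CLI prompt, blank lines and other text
        fields = {}
        for name, body in FIELD_RE.findall(m.group(2)):
            fields[name] = [i.strip() for i in body.split(",") if i.strip()]
        state[m.group(1)] = fields
    return state


def permit_list_drift(state, intended):
    """Return {interface: (missing, unexpected)} where effective peers differ."""
    drift = {}
    for iface, wanted in intended.items():
        acl = state.get(iface, {})
        effective = acl.get("peers", []) + acl.get("v6peers", [])
        # Normalise to network objects so 10.1.1.0/24 and 10.1.1.5/24 compare equal.
        want = {ipaddress.ip_network(n, strict=False) for n in wanted}
        have = {ipaddress.ip_network(n, strict=False) for n in effective}
        if want != have:
            drift[iface] = (sorted(str(n) for n in want - have),
                            sorted(str(n) for n in have - want))
    return drift


if __name__ == "__main__":
    # Hypothetical intent: 10.1.1.0/24 permitted on both interfaces.
    intended = {"eth0": ["10.1.1.0/24"], "eth1": ["10.1.1.0/24"]}
    for iface, (missing, extra) in permit_list_drift(parse_acl_state(SAMPLE), intended).items():
        print(f"{iface}: not in effect {missing}, unexpected {extra}")
```

A non-empty result after a Panorama commit means the running state has not picked up the change, which is the condition the Resolution section addresses with a push to the Collector Group.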

