'hip-profiles is a duplicate node' error when attaching HIP Profiles to Security Rules
Created On 07/19/21 19:46 PM - Last Modified 10/25/21 23:29 PM
Symptom
- When attaching a HIP Profile to security policies, the user may encounter an error: 'hip-profiles is a duplicate node'
- Committing/pushing to devices also results in commit errors.
Environment
- PAN-OS 10.0 or newer
- Panorama used to push HIP profiles to firewalls
Cause
The CLI syntax for attaching HIP profiles to security rules changed in PAN-OS 10.0.
Resolution
- From the Panorama CLI, change the config-output-format to 'set' notation so you can easily compare the configurations:
panorama> set cli config-output-format set
- Enter the configuration shell:
panorama> configure
- Search the running configuration for 'hip-profiles':
panorama# show | match hip-profiles
set device-group My_Device_Group pre-rulebase security rules "trust-to-untrust" hip-profiles any
set device-group My_Device_Group pre-rulebase security rules "dmz-to-untrust" hip-profiles any
- In the example above, two configuration items contain hip-profiles, and both need to be deleted. Delete them:
panorama# delete device-group My_Device_Group pre-rulebase security rules "trust-to-untrust" hip-profiles any
panorama# delete device-group My_Device_Group pre-rulebase security rules "dmz-to-untrust" hip-profiles any
- Replace the deleted configuration with the newer syntax:
panorama# set device-group My_Device_Group pre-rulebase security rules "trust-to-untrust" source-hip any
panorama# set device-group My_Device_Group pre-rulebase security rules "dmz-to-untrust" source-hip any
- Commit and push from Panorama
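When many rules are affected, the delete and set commands from the steps above can be generated from the 'show | match hip-profiles' output instead of being typed by hand. The Python script below is an added example, not part of the original article and not a Palo Alto Networks tool; the function name migrate and the sample lines are constructed, and it assumes the output was captured in 'set' format.

```python
import re

# One 'set'-format security-rule line that still uses the pre-10.0 keyword.
# "path" is everything up to the keyword; "value" is whatever follows it.
# Assumption: the value is carried over verbatim to the new keyword.
OLD_LINE = re.compile(
    r'^set\s+(?P<path>.+?\s+security\s+rules\s+(?:"[^"]+"|\S+))'
    r'\s+hip-profiles\s+(?P<value>.+?)\s*$'
)

def migrate(show_output):
    """Turn 'show | match hip-profiles' output into CLI commands.

    Returns (commands, skipped). commands lists every delete first and
    then every set, in the order used in the steps above. skipped holds
    lines that mention hip-profiles but are not security-rule statements;
    they are left for manual review rather than deleted.
    """
    deletes, sets, skipped = [], [], []
    for raw in show_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OLD_LINE.match(line)
        if m is None:
            skipped.append(line)
            continue
        path, value = m.group("path"), m.group("value")
        deletes.append(f"delete {path} hip-profiles {value}")
        sets.append(f"set {path} source-hip {value}")
    return deletes + sets, skipped

# Constructed sample: the two rule lines from the article plus one
# constructed non-rule line that the match would also return.
SAMPLE = '''
set device-group My_Device_Group pre-rulebase security rules "trust-to-untrust" hip-profiles any
set device-group My_Device_Group pre-rulebase security rules "dmz-to-untrust" hip-profiles any
set device-group My_Device_Group profiles hip-profiles corp-laptop description "constructed"
'''

if __name__ == "__main__":
    commands, skipped = migrate(SAMPLE)
    print("\n".join(commands))
    for line in skipped:
        print("# review manually:", line)
```

Review the generated commands before pasting them into the configuration shell, then commit and push as in the last step.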
Additional Information
Old command:
set device-group <device-group-name> post-rulebase security rules <security-rule-name> hip-profiles <HIP-profile-name>
New command:
set device-group <device-group-name> post-rulebase security rules <security-rule-name> source-hip <HIP-profile-name>
Note: The 'hip-profiles' keyword changed to 'source-hip' in the CLI in PAN-OS 10.0.