'hip-profiles is a duplicate node' error when attaching a HIP profile to a security rule
Created On 07/19/21 19:46 PM - Last Modified 05/17/23 03:28 AM
Symptom
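- When attaching a HIP profile to a security policy, users may encounter the error: 'hip-profiles is a duplicate node'
- Committing/pushing to devices also results in a commit error.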
Environment
- PAN-OS 10.0 or later
- Panorama is used to push HIP profiles to the firewalls
Cause
The HIP command syntax changed in PAN-OS 10.0.
Resolution
- From the Panorama CLI, change the configuration output format to "set" notation so that you can easily compare the configuration:
panorama> set cli config-output-format set
- Enter the configuration shell:
panorama> configure
- Search the running configuration for 'hip-profiles':
panorama# show | match hip-profiles
set device-group My_Device_Group pre-rulebase security rules "trust-to-untrust" hip-profiles any
set device-group My_Device_Group pre-rulebase security rules "dmz-to-untrust" hip-profiles any
- In the example above there are two hip-profiles configuration entries that need to be deleted. Delete them:
panorama# delete device-group My_Device_Group pre-rulebase security rules "trust-to-untrust" hip-profiles any
panorama# delete device-group My_Device_Group pre-rulebase security rules "dmz-to-untrust" hip-profiles any
- Replace the deleted configuration using the updated syntax:
panorama# set device-group My_Device_Group pre-rulebase security rules "trust-to-untrust" source-hip any
panorama# set device-group My_Device_Group pre-rulebase security rules "dmz-to-untrust" source-hip any
- Commit and push on Panorama.
Additional Information
Old command:
set device-group <device-group-name> post-rulebase security rules <security-rule-name> hip-profiles <HIP-profile-name>
New command:
set device-group <device-group-name> post-rulebase security rules <security-rule-name> source-hip <HIP-profile-name>
Note: The 'hip-profiles' keyword was changed to 'source-hip' in the CLI in PAN-OS version 10.0.
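
When the search in the Resolution steps returns many rules, the delete and set commands can be generated from the set-format output instead of typed by hand. The script below is an added example, not part of the original article or any Palo Alto Networks tooling; the `migrate` function, the sample lines beyond the page's two, and the handling of a bracketed multi-value list are assumptions.

```python
import re

# A set-format rule line that still uses the pre-10.0 keyword.
# Group 1: rule path without the leading "set"; group 2: the profile value(s).
LEGACY = re.compile(
    r'^set\s+(.+?\s+security\s+rules\s+(?:"[^"]+"|[^\s"]+))\s+hip-profiles\s+(.+)$'
)
# A member is a quoted name or a bare token. The "[ a b ]" multi-value form
# is assumed here; the page only shows single-value lines.
MEMBER = re.compile(r'"[^"]+"|[^\s\[\]"]+')

# Constructed sample: the first two lines are the page's example output,
# the last two are invented to exercise the list form and a migrated rule.
SAMPLE = """\
set device-group My_Device_Group pre-rulebase security rules "trust-to-untrust" hip-profiles any
set device-group My_Device_Group pre-rulebase security rules "dmz-to-untrust" hip-profiles any
set device-group My_Device_Group post-rulebase security rules vpn-users hip-profiles [ "Corp Laptop" patched ]
set device-group My_Device_Group pre-rulebase security rules "already-fixed" source-hip any
"""


def migrate(show_output):
    """Return (deletes, sets): commands to remove each legacy hip-profiles
    member and re-add it under source-hip, in the form the page uses."""
    deletes, sets = [], []
    for line in show_output.splitlines():
        m = LEGACY.match(line.strip())
        if not m:
            continue  # already migrated, or not a rule-level HIP line
        path, value = m.groups()
        for member in MEMBER.findall(value):
            deletes.append(f"delete {path} hip-profiles {member}")
            sets.append(f"set {path} source-hip {member}")
    return deletes, sets


if __name__ == "__main__":
    deletes, sets = migrate(SAMPLE)
    # Same order as the procedure: all deletes first, then the replacements.
    print("\n".join(deletes + sets))
```

Review the generated commands against the rulebase before pasting them into the configuration shell, since every HIP match condition on a rule is rewritten.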