Failed to Commit with Error: "Error: Invalid service default\any combination" after upgrading PAN-OS to 9.1.10 or 10.0.2 or higher

Created On 10/25/21 15:28 PM - Last Modified 08/05/22 07:22 AM


Symptom


  • Commit failure during PAN-OS upgrade:
"Error: Invalid service default\any combination
Error: Failed to parse security policy"

Devsrvr logs:
2021-09-23 20:02:24.418 +0000 Error: pan_policy_parse_core_columns(pan_config_parser.c:10836): pan_policy_parse_service('Rule ID Test') failed 
2021-09-23 20:02:24.418 +0000 Error: pan_app_policy_from_obj(pan_config_parser.c:12134): pan_policy_parse_core_columns('Rule ID Test') failed
2021-09-23 20:02:24.419 +0000 Error: pan_rulebase_from_obj(pan_config_parser.c:17509): Failed to parse security policy
2021-09-23 20:02:24.419 +0000 Error: pan_vsys_from_obj(pan_config_parser.c:24410): pan_rulebases_from_obj failed
2021-09-23 20:02:24.420 +0000 Error: pan_config_from_obj(pan_config_parser.c:25574): pan_vsyses_from_obj failed
2021-09-23 20:02:24.482 +0000 Error: pan_ctrl_save_config(pan_config_handler_sysd.c:2085): Error compiling config
<<Rule ID Test (vsys1)>>
Error: Invalid service default\any combination
Error: Failed to parse security policy
<</Rule ID Test (vsys1)>>


 


Environment


  • Auto-commit fails after upgrading PAN-OS to 9.1.10 and 10.0.2 or higher


Cause


This is related to PAN-151679: Fixed an issue where it was possible via the CLI to create a Security policy rule with the any and application-default options simultaneously configured.
With this fix applied, PAN-OS no longer accepts a rule that has both the "any" and "application-default" options configured simultaneously. The auto-commit therefore fails after upgrading PAN-OS to 9.1.10 (or above) when such a misconfiguration was created on an earlier PAN-OS version.


Resolution


If you encounter this issue, check and reconfigure your Security policy rules as follows:
  1. From the GUI, go to Policies > Security.
  2. Edit the failing Security policy rule ("Rule ID Test" in the example above).
  3. Navigate to Service/URL Category.
  4. Under Service, set either the "Any" or the "Application-default" option.
  5. Commit.
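
A pre-upgrade check for this condition, as an added example (not Palo Alto Networks code): it scans an exported configuration XML for Security rules whose service list contains both "any" and "application-default". It assumes the usual vsys > rulebase > security > rules layout of a firewall configuration; the sample config and the function name find_conflicting_rules are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, shaped like an exported firewall configuration (assumption).
SAMPLE_CONFIG = """\
<config>
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1">
      <rulebase><security><rules>
        <entry name="Rule ID Test">
          <application><member>ssl</member></application>
          <service><member>any</member><member>application-default</member></service>
          <action>allow</action>
        </entry>
        <entry name="Web Out">
          <application><member>web-browsing</member></application>
          <service><member>application-default</member></service>
          <action>allow</action>
        </entry>
      </rules></security></rulebase>
    </entry></vsys>
  </entry></devices>
</config>
"""

# The combination rejected after the upgrade.
CONFLICT = {"any", "application-default"}


def find_conflicting_rules(config_xml):
    """Return (vsys, rule) pairs whose service has both conflicting members."""
    root = ET.fromstring(config_xml)
    hits = []
    for vsys in root.iter("vsys"):
        for vsys_entry in vsys.findall("entry"):
            for rule in vsys_entry.findall(".//security/rules/entry"):
                # Collect the rule's service members, tolerating empty elements.
                services = {(m.text or "").strip() for m in rule.findall("service/member")}
                if CONFLICT <= services:
                    hits.append((vsys_entry.get("name"), rule.get("name")))
    return hits


if __name__ == "__main__":
    # Pass a path to an exported config file, or run with no argument for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for vsys_name, rule_name in find_conflicting_rules(text):
        print(f"{vsys_name}: '{rule_name}' has both 'any' and 'application-default' as service")
```

Running it against the configuration before the upgrade lists the rules to correct with the steps above, so the auto-commit does not fail afterwards.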

