Shared Dynamic Address Group Objects that use tags to populate the members are empty on managed firewalls after Panorama device group push.

Created On 12/16/21 16:06 PM - Last Modified 04/22/24 21:58 PM


Symptom


  • On Panorama there is confirmation that the Dynamic Address Group is populated
admin@panorama-01> show object dynamic-address-group name TAC-Test-DAG

        device group name:shared
        address group name:TAC-Test-DAG
                members: total 2
                        TAC-Address-1 (O)
                        TAC-Address-2 (O)

O: address object; R: registered ip; D: dynamic group; S: static group
  • After a config push to firewalls, on the firewall the DAG shows as empty
admin@lab-fwl-01(active-primary)> show object dynamic-address-group name TAC-Test-DAG

Dynamic address groups in vsys vsys1:
----------------------------------------------------
----------------defined in vsys --------------------
        TAC-Test-DAG
                filter: 'TAC-Test-TAG'
                members: total 0
O: address object; R: registered ip; D: dynamic group; S: static group


Environment


  • Panorama running PAN-OS versions 9.1.12, 9.1.12-h3, and 10.1.4
  • Dynamic Address Group (DAG) Objects that use tags to dynamically populate the DAGs
  • The DAGs are referenced by rules in Device Groups
  • Share Unused Address and Service Objects with Devices is disabled / unchecked
  • Full Panorama commit before a Device Group config push


Cause


Regression introduced by a previous code change to improve commit processing.

Resolution


Fix:
  1. For a permanent fix, upgrade Panorama to PAN-OS 9.1.12-h4 or 10.1.4-h1 and above.
Workaround:
  1. Make a small change to either shared policy/objects or a device-group-specific object, then perform a partial commit right before the config push. The issue is observed only after a full Panorama commit, not after a partial one.
Example:
  • On Panorama, create a dummy address object and add it to the Dynamic Address Group TAC-Test-DAG by applying the tag that the DAG's filter matches (TAC-Test-TAG).
  • Execute a partial commit, push the config to the firewalls, and finally confirm on the firewall that the DAG now lists its members.
admin@panorama-01# commit partial device-and-network excluded

Commit job 3039 is in progress. Use Ctrl+C to return to command prompt
...13%..79%81%.......90%.....100%
Partial changes to commit: changes to configuration by all administrators

admin@lab-fwl-01(active-primary)> show object dynamic-address-group name TAC-Test-DAG

Dynamic address groups in vsys vsys1:
----------------------------------------------------
----------------defined in vsys --------------------
        TAC-Test-DAG
                filter: 'TAC-Test-TAG'
                members: total 4
                        TAC-Address-1 (O)
                        TAC-Address-2 (O)
                        TAC-Address-3 (O)
                        TAC-Address-4 (O)
O: address object; R: registered ip; D: dynamic group; S: static group
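The check below is an added example and is not part of the original Palo Alto Networks article. It parses the text of `show object dynamic-address-group name <dag>` as captured on Panorama and on a managed firewall after a push, and flags the symptom this article describes (DAG populated on Panorama, empty on the firewall). The sample transcripts are constructed from the CLI output shown above; the choice to compare only address-object (O) members, treating registered-IP (R) members as firewall-local, is an assumption of this example, not something the article states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs, transcribed from the CLI output in this article:
# the Panorama view of the DAG, the firewall view right after the failing push,
# and the firewall view after the partial-commit workaround.
PANORAMA_DAG = """\
        device group name:shared
        address group name:TAC-Test-DAG
                members: total 2
                        TAC-Address-1 (O)
                        TAC-Address-2 (O)

O: address object; R: registered ip; D: dynamic group; S: static group
"""

FIREWALL_DAG_AFTER_FULL_COMMIT_PUSH = """\
Dynamic address groups in vsys vsys1:
----------------------------------------------------
----------------defined in vsys --------------------
        TAC-Test-DAG
                filter: 'TAC-Test-TAG'
                members: total 0
O: address object; R: registered ip; D: dynamic group; S: static group
"""

FIREWALL_DAG_AFTER_WORKAROUND = """\
Dynamic address groups in vsys vsys1:
----------------------------------------------------
----------------defined in vsys --------------------
        TAC-Test-DAG
                filter: 'TAC-Test-TAG'
                members: total 2
                        TAC-Address-1 (O)
                        TAC-Address-2 (O)
O: address object; R: registered ip; D: dynamic group; S: static group
"""

# A member line is "<name> (<type>)" with a type code of O, R, D or S (the
# legend the CLI prints). Header, separator and legend lines do not match
# because they are not a single token followed by "(X)".
MEMBER_RE = re.compile(r"^\s*(\S+)\s+\(([ORDS])\)\s*$")
TOTAL_RE = re.compile(r"^\s*members:\s*total\s+(\d+)\s*$")


def parse_dag_output(text: str) -> Tuple[Optional[int], Dict[str, str]]:
    """Return (declared total, {member name: type code}) from a
    'show object dynamic-address-group name <dag>' transcript.
    The scan is order-independent, so it also copes with transcripts
    where the 'members: total' line was pasted after the member list."""
    total: Optional[int] = None
    members: Dict[str, str] = {}
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        m = MEMBER_RE.match(line)
        if m:
            members[m.group(1)] = m.group(2)
    return total, members


def dag_push_check(panorama_text: str, firewall_text: str) -> Dict[str, object]:
    """Compare Panorama's view of a DAG with a managed firewall's view after a push.

    Assumption for this example: only address-object members (type O) are
    compared, because registered-IP members (type R) are learned locally on
    the firewall and are not expected in Panorama's listing.
    """
    p_total, p_members = parse_dag_output(panorama_text)
    f_total, f_members = parse_dag_output(firewall_text)
    p_objects = {n for n, t in p_members.items() if t == "O"}
    f_objects = {n for n, t in f_members.items() if t == "O"}

    problems: List[str] = []
    # Internal consistency of the firewall transcript itself.
    if f_total is not None and f_total != len(f_members):
        problems.append(f"firewall declares {f_total} members but lists {len(f_members)}")
    # The symptom from this article: populated on Panorama, empty on the firewall.
    if p_objects and not f_objects:
        problems.append("DAG populated on Panorama but empty on firewall")
    missing = sorted(p_objects - f_objects)
    if missing and f_objects:
        problems.append("members missing on firewall: " + ", ".join(missing))
    return {
        "ok": not problems,
        "panorama_total": p_total,
        "firewall_total": f_total,
        "missing_on_firewall": missing,
        "problems": problems,
    }


if __name__ == "__main__":
    for label, fw in (("after full commit + push", FIREWALL_DAG_AFTER_FULL_COMMIT_PUSH),
                      ("after workaround", FIREWALL_DAG_AFTER_WORKAROUND)):
        result = dag_push_check(PANORAMA_DAG, fw)
        print(label, "->", "OK" if result["ok"] else "; ".join(result["problems"]))
```

Capture the two transcripts after every push while running an affected Panorama version and run the check before signing off on the change. The point of verifying is that an empty DAG does not produce an error: a rule whose source or destination is that DAG simply matches no traffic, so an allow rule silently stops allowing and a deny rule silently stops denying until the membership is restored.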


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004Ma0CAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail