Upgrade failed due to "Panorama-pushed-rules-don't-have-UUID-for-the-following-vsys
10059
Created On 01/26/22 01:34 AM - Last Modified 04/27/22 03:33 AM
Symptom
The following error is observed when an upgrade from PAN-OS version 8.1.x to 9.0.x is performed.
Failed to install 9.0.0 with the following errors.
SW version is 9.0.0
Error: Panorama pushed rules don't have UUID for the following vsys: ['vsys1']. Please push config from 9.0 Panorama before upgrade
Failed to install version 9.0.0 type panos
Environment
PAN-OS 8.1.x
Cause
The vsys which is displayed in the error might not be pushed via the Panorama earlier which can lead to the issue.
Resolution
Create a new device group on Panorama ( an unused one ) and associate the device group to the firewall ( vsys which is failing ). Make sure that the Parent device group is set to "shared" so that only configuration pertained to the shared device group is pushed to the vsys. After the vsys is added to the unused device group perform a commit on Panorama to the firewall which is failing to upgrade. The vsys will now obtain a UUID where you should be now able to upgrade without any issues.
After the UUID is obtained you an re-associate the firewall back to the old device group and commit it to Panorama and then push the change to it's managed devices.