Commit failure: Service is invalid. 'any' should not be used with another service

Created On 04/29/22 07:49 AM - Last Modified 12/06/22 00:01 AM


Symptom


  • Commit or autocommit fails with the following error after upgrading to 9.1.10 and above.
Commit Error:
vsys-> vsys2 -> rulebase -> security -> rules -> Rulename -> service is invalid. 'any' should not be used with another service'
vsys-> vsys2 -> rulebase -> security -> rules -> Rulename -> service is invalid.
  • In the GUI, under the Security Policy rules, the Service column does not display the configured services, but "any" appears selected in the drop-down.
Security Policy
  • The CLI displays "any" with the configured services. An example of "any" and "service-http" is shown below.
>set cli config-output-format set
#configure
#show | match "Trust-to-Untrust"
set rulebase security rules Trust-to-Untrust to L3-Untrust
set rulebase security rules Trust-to-Untrust from L3-Trust
.....
set rulebase security rules Trust-to-Untrust action allow
set rulebase security rules Trust-to-Untrust service [ any service-http]
  • Deleting the service from the CLI returns an error:
admin@Lab80-132-PA-VM# delete rulebase security rules Trust-to-Untrust service service-http
Object doesn't exist

 


Environment


  • Palo Alto Firewalls
  • PAN-OS Upgrade to 9.1.10 and above.
  • Security Policy rules configured with specific services together with "any".


Cause


Behaviour change in 9.1.10 
 


Resolution


1. In the GUI, add a specific service and ensure "any" is no longer displayed. An example is displayed below.
GUI: Policies > Security >  (rule name) > Service/URL Category
modified security policy rule
2. Verify the same from the CLI; "any" is no longer displayed.
> configure
# show | match "Trust-to-Untrust"
|snip|
set rulebase security rules Trust-to-Untrust service service-http
# exit

3. From the GUI, now remove the specific service and add "any".
Service removed from security policy
4. The CLI now displays the service as "any".
#show | match "Trust-to-Untrust"
|snip|
set rulebase security rules Trust-to-Untrust service any
5. Commit the configuration. The commit will be successful if no other rules have the same issue.
6. If other rules have the same issue, perform the same steps to fix all the rules.
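
To find every affected rule before committing (or before upgrading), the set-format output of "show" can be saved to a file and scanned offline. The script below is an added example, not Palo Alto Networks code: the function name find_any_mixed is hypothetical, and every sample line except the Trust-to-Untrust service line is constructed, including the assumed "set vsys vsys2 ..." prefix form.

```python
import re
import shlex

# Constructed sample of set-format output. Only the Trust-to-Untrust
# service line comes from the article; the rest is made up.
SAMPLE = '''\
set rulebase security rules Trust-to-Untrust from L3-Trust
set rulebase security rules Trust-to-Untrust service [ any service-http]
set rulebase security rules Web-Out service [ service-http service-https ]
set rulebase security rules Allow-All service any
set vsys vsys2 rulebase security rules "DMZ to DB" service [ any service-https ]
'''

# Anything between "set" and "rulebase" is kept as the scope (assumed vsys prefix).
RULE_LINE = re.compile(r'^set (?P<scope>.*?)rulebase security rules (?P<rest>.+)$')


def find_any_mixed(config_text):
    """Return (scope, rule, services) for rules that mix 'any' with other services."""
    hits = []
    for line in config_text.splitlines():
        m = RULE_LINE.match(line.strip())
        if not m:
            continue
        # Brackets may touch a member name ("service-http]"), so pad them first.
        padded = m.group('rest').replace('[', ' [ ').replace(']', ' ] ')
        try:
            tokens = shlex.split(padded)  # honours quoted rule names
        except ValueError:
            continue  # unbalanced quote in an unrelated field
        if len(tokens) < 3 or tokens[1] != 'service':
            continue
        services = [t for t in tokens[2:] if t not in ('[', ']')]
        if 'any' in services and len(services) > 1:
            scope = m.group('scope').strip() or 'default'
            hits.append((scope, tokens[0], services))
    return hits


if __name__ == '__main__':
    for scope, rule, services in find_any_mixed(SAMPLE):
        others = ', '.join(s for s in services if s != 'any')
        print(f'{scope}: rule "{rule}" has "any" together with: {others}')
```

Each rule it reports needs the GUI steps above; a rule whose service is only "any" is not reported.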


Additional Information


5 Dec 22 (Vijay) - Article updated and published external.
