Commit failure: Service is invalid. 'any' should not be used with another service
5338
Created On 04/29/22 07:49 AM - Last Modified 12/06/22 00:01 AM
Symptom
- Commit or autocommit fails with the following error after upgrading to PAN-OS 9.1.10 or later.
Commit Error:
vsys-> vsys2 -> rulebase -> security -> rules -> Rulename -> service is invalid. 'any' should not be used with another service'
vsys-> vsys2 -> rulebase -> security -> rules -> Rulename -> service is invalid.
- In the GUI, under Security Policy rules, the Service column does not display the configured services, but "any" appears selected in the drop-down list.
- The CLI displays "any" together with the configured services. An example with "any" and "service-http" is shown below:
>set cli config-output-format set
#configure
#show | match "Trust-to-Untrust"
set rulebase security rules Trust-to-Untrust to L3-Untrust
set rulebase security rules Trust-to-Untrust from L3-Trust
.....
set rulebase security rules Trust-to-Untrust action allow
set rulebase security rules Trust-to-Untrust service [ any service-http]
- Deleting the service from the CLI returns an error:
admin@Lab80-132-PA-VM# delete rulebase security rules Trust-to-Untrust service service-http
Object doesn't exist
Environment
- Palo Alto Firewalls
- PAN-OS upgraded to 9.1.10 or later.
- Security Policy rule configured with specific services together with "any".
Cause
Behavior change introduced in PAN-OS 9.1.10: a rule whose service list contains "any" together with other services is no longer accepted at commit.
Resolution
1. In the GUI, add the specific service and make sure "any" is no longer displayed. The rule is edited at the location below.
GUI: Policies > Security > (rule name) > Service/URL Category
2. Verify from the CLI that "any" is no longer displayed:
> configure
# show | match "Trust-to-Untrust"
|snip|
set rulebase security rules Trust-to-Untrust service service-http
# exit
3. From the GUI, now remove the specific service and add "any".
4. The CLI now displays the service as "any":
#show | match "Trust-to-Untrust"
|snip|
set rulebase security rules Trust-to-Untrust service any
5. Commit the configuration. The commit succeeds if no other rules have the same issue.
6. If other rules have the same issue, perform the same steps for each affected rule.
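To find every affected rule before attempting the commit, the following script (an added example, not from this article or from Palo Alto Networks) parses `show` output in `set` format and lists the rules whose `service` member list contains `any` together with named services. The multi-vsys line form (`set vsys vsys2 rulebase ...`) and the default vsys name `vsys1` are assumptions; the sample input is constructed in the shape of the CLI session above.

```python
import re

# 'set'-format lines that assign services to a security rule. Assumption: in a
# multi-vsys export the line carries a 'vsys <name>' prefix (the article only
# shows the single-vsys form); rule names containing spaces are quoted.
_RULE_SERVICE = re.compile(
    r'^set\s+(?:vsys\s+(?P<vsys>\S+)\s+)?rulebase\s+security\s+rules\s+'
    r'(?P<rule>"[^"]+"|\S+)\s+service\s+(?P<svc>.+?)\s*$'
)

def parse_rule_services(set_output):
    """Map '<vsys>/<rule>' to its list of service members."""
    rules = {}
    for line in set_output.splitlines():
        m = _RULE_SERVICE.match(line.strip())
        if not m:
            continue  # 'to', 'from', 'action', '.....' are not service lines
        svc = m.group("svc").strip()
        # A member list is written '[ a b ]'; a single value has no brackets.
        members = svc[1:-1].split() if svc.startswith("[") and svc.endswith("]") else [svc]
        vsys = m.group("vsys") or "vsys1"  # assumption: no prefix means vsys1
        rule = m.group("rule").strip('"')
        rules[f"{vsys}/{rule}"] = members
    return rules

def find_any_conflicts(set_output):
    """Rules whose service list mixes 'any' with named services: the condition
    that makes the commit fail on PAN-OS 9.1.10 and above."""
    return sorted(key for key, members in parse_rule_services(set_output).items()
                  if "any" in members and len(members) > 1)

# Constructed sample in the shape of the article's 'show | match' output.
SAMPLE = """\
set rulebase security rules Trust-to-Untrust to L3-Untrust
set rulebase security rules Trust-to-Untrust from L3-Trust
set rulebase security rules Trust-to-Untrust action allow
set rulebase security rules Trust-to-Untrust service [ any service-http]
set rulebase security rules Allow-DNS service service-dns
set rulebase security rules Catch-All service any
set vsys vsys2 rulebase security rules "Web Out" service [ service-http service-https ]
set vsys vsys2 rulebase security rules Mgmt service [ any ssh ]
"""

if __name__ == "__main__":
    for key in find_any_conflicts(SAMPLE):
        print(f"fix before commit: {key}")  # vsys1/Trust-to-Untrust, vsys2/Mgmt
```

Paste the output of `show | match "rulebase security rules"` (in `set` output format) into `SAMPLE` or read it from a file; each reported rule needs the GUI steps above before the commit will succeed.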
Additional Information
5 Dec 22 (Vijay) - Article updated and published externally.