Commit failure due to Error "negate cannot be yes for 'any' in source/destination" in a Security Policy
Created On 06/09/22 02:58 AM - Last Modified 11/11/22 18:53 PM
Symptom
A commit fails because a rule combines the negate option with 'any' in its source or destination. The commit output shows:
Error: negate cannot be yes for 'any' in source/destination
Error: Failed to parse security policy
(Module: device)
Commit failed
Environment
- Firewall
- Firewall managed by Panorama
Cause
A rule has negate set to "yes" on its source or destination while that same field is set to "any". Negating "any" would match nothing, so PAN-OS rejects the rule at commit time. The error can appear in any rulebase that supports the negate option, not only Security policy:
- Security rules
- Decryption policies
- NAT policies
- QoS policies
Resolution
- Find every rule that has 'any' in Source or Destination and check whether the Negate option is enabled for that field (on the rule's Source and Destination tabs).
- Once you find a rule that combines negate with 'any', clear the Negate checkbox; in most cases it was enabled by mistake. If the intent was to match everything except certain addresses, replace 'any' with those addresses and keep negate enabled.
- Another way to find the offending rule is to use Preview Changes in the commit dialog and look for a rule with negate-source (or negate-destination) yes together with source (or destination) any, as shown in the screenshot below.
- If the configuration is pushed from Panorama, compare the new configuration with the existing one before pushing and locate the rule from the difference: click Push to Devices > Edit Selection, then click Preview Changes for the firewall you are pushing to.
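On a large rulebase, checking every rule by hand is slow. The following script is an added example (not part of this article or of any Palo Alto Networks tool) that scans an exported PAN-OS configuration XML and lists every rule, in every rulebase listed above, that sets negate-source or negate-destination to yes while the matching field contains 'any'. It assumes the standard layout of a PAN-OS configuration export (rulebase, pre-rulebase or post-rulebase, then security/nat/decryption/qos, then rules/entry) and uses a constructed, shortened configuration fragment as sample input rather than a real export.

```python
import xml.etree.ElementTree as ET

# Constructed sample in PAN-OS configuration layout (not a real export).
# "block-guest" and "nat-bad" are the misconfiguration this article describes;
# "deny-not-corp" uses negate correctly (negate with a specific object, not 'any').
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase>
      <security><rules>
        <entry name="allow-web">
          <from><member>trust</member></from><to><member>untrust</member></to>
          <source><member>10.0.0.0/8</member></source>
          <destination><member>any</member></destination>
          <negate-source>no</negate-source>
          <action>allow</action>
        </entry>
        <entry name="block-guest">
          <from><member>any</member></from><to><member>any</member></to>
          <source><member>any</member></source>
          <destination><member>any</member></destination>
          <negate-source>yes</negate-source>
          <action>deny</action>
        </entry>
        <entry name="deny-not-corp">
          <from><member>any</member></from><to><member>any</member></to>
          <source><member>corp-nets</member></source>
          <destination><member>any</member></destination>
          <negate-source>yes</negate-source>
          <action>deny</action>
        </entry>
      </rules></security>
      <nat><rules>
        <entry name="nat-bad">
          <source><member>any</member></source>
          <destination><member>any</member></destination>
          <negate-destination>yes</negate-destination>
        </entry>
      </rules></nat>
    </rulebase>
  </entry></vsys></entry></devices>
</config>"""

# Rulebase containers on a firewall (rulebase) and on Panorama (pre-/post-rulebase).
RULEBASE_TAGS = ("rulebase", "pre-rulebase", "post-rulebase")
# Policy types in which the negate + 'any' combination is rejected at commit.
POLICY_TYPES = ("security", "nat", "decryption", "qos")
FIELDS = ("source", "destination")


def find_invalid_negate(config_xml):
    """Return a list of (policy_type, rule_name, field) tuples for every rule
    that sets negate-<field> to yes while <field> contains the member 'any'."""
    root = ET.fromstring(config_xml)
    findings = []
    for rulebase_tag in RULEBASE_TAGS:
        for rulebase in root.iter(rulebase_tag):
            for policy_type in POLICY_TYPES:
                for rule in rulebase.findall(f"{policy_type}/rules/entry"):
                    for field in FIELDS:
                        negate = (rule.findtext(f"negate-{field}") or "no").strip()
                        members = [m.text.strip() for m in rule.findall(f"{field}/member") if m.text]
                        if negate == "yes" and "any" in members:
                            findings.append((policy_type, rule.get("name"), field))
    return findings


def load_and_scan(path):
    """Scan a configuration export saved to disk (e.g. via Device > Setup >
    Operations > Export named configuration snapshot)."""
    with open(path, encoding="utf-8") as fh:
        return find_invalid_negate(fh.read())


if __name__ == "__main__":
    for policy_type, name, field in find_invalid_negate(SAMPLE_CONFIG):
        print(f"{policy_type} rule '{name}': negate-{field} yes with {field} any")
```

Run it against a saved export with load_and_scan(path); each reported rule is one the commit will reject, so either clear its Negate option or replace 'any' with the specific objects you intend to exclude. The script reads the XML only and does not talk to the firewall, so it is safe to run against a Panorama export before a push.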