Commit Failure When adding new configuration due to Invalid Reference

Created On 10/27/20 20:40 PM - Last Modified 01/13/23 02:25 AM


Symptom


  • When creating a new object and committing partial changes, the admin gets the following error:
Details:Partial changes to validate: changes to configuration by administrators: admin
Changes to shared configuration
Validation Error:
 shared -> pre-rulebase -> security -> rules -> Sec-Policy -> destination 'host_1.1.1.1' is not an allowed keyword
 shared -> pre-rulebase -> security -> rules -> Sec-Policy -> destination host_1.1.1.1 is an invalid ipv4/v6 address
 shared -> pre-rulebase -> security -> rules -> Sec-Policy -> destination 'host_1.1.1.1' is not a valid reference
 shared -> pre-rulebase -> security -> rules -> Sec-Policy -> destination is invalid
 shared -> pre-rulebase -> security -> rules is invalid
 shared -> pre-rulebase -> security is invalid
 shared -> pre-rulebase is invalid

 


Environment


  • Panorama 
  • PAN-OS  9.0.x


Cause


The issue occurs when admin-A creates a new address and adds it to a security policy that was created by another admin. When admin-A then tries to commit the partial changes, the above error is seen.
This is expected behavior. Configuration owned by another admin must be committed in the same partial commit if the changes depend on each other. In this case, the owner of the address/address-groups is user admin-A, and they have not been touched by admin.

This can also be confirmed by running the following CLI commands:
 

admin-a> show config list changes partial admin admin-a
xpath: /config/shared/address/entry[@name='host_1.1.1.1']
owner: admin-a   <-- Admin-a owns the address object created.
action:  CREATE
other admins:admin-a
dirty id:8
prev dirty id:0

admin-b@Lab35-103-M-500> show config list changes partial admin admin

xpath: /config/shared/pre-rulebase/security/rules/entry[@name='Sec-Policy']
owner: admin   <-- Default "admin" owns the security policy
action:  EDIT
other admins:admin
dirty id:8
prev dirty id:0

The following command shows a summary of the pending changes and their owners:

admin-a@Lab35-103-M-500> show config list changes

xpath: /config/shared/pre-rulebase/security/rules/entry[@name='Sec-Policy']
owner: admin
action:  EDIT
other admins:admin
dirty id:8
prev dirty id:0

xpath: /config/shared/address/entry[@name='host_1.1.1.1']
owner: admin-a
action:  CREATE
other admins:admin-a
dirty id:8
prev dirty id:0
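
The check above can be scripted. The following is an added example, not Palo Alto Networks code: it takes the commit error text and the `show config list changes` output (both abridged from the outputs on this page and saved as text) and reports which invalid references are pending changes owned by an admin outside the partial commit scope. The function names and the comma-separated format of the administrator list are assumptions.

```python
import re

# Sample input abridged from the outputs shown on this page.
COMMIT_ERROR = """\
Details:Partial changes to validate: changes to configuration by administrators: admin
Validation Error:
 shared -> pre-rulebase -> security -> rules -> Sec-Policy -> destination 'host_1.1.1.1' is not a valid reference
"""

CHANGE_LIST = """\
xpath: /config/shared/pre-rulebase/security/rules/entry[@name='Sec-Policy']
owner: admin
action:  EDIT
other admins:admin

xpath: /config/shared/address/entry[@name='host_1.1.1.1']
owner: admin-a
action:  CREATE
other admins:admin-a
"""

def parse_changes(text):
    """Split 'show config list changes' output into one dict per pending change."""
    changes = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(
            (k.strip(), v.strip())
            for k, v in (line.split(":", 1) for line in block.splitlines() if ":" in line)
        )
        if "xpath" in fields:
            changes.append(fields)
    return changes

def missing_owners(error_text, change_text):
    """Map each invalid reference to pending-change owners outside the commit scope."""
    m = re.search(r"by administrators:\s*(.+)", error_text)
    # Assumption: several admins in the scope line are comma-separated.
    scope = {a.strip() for a in m.group(1).split(",")} if m else set()
    refs = set(re.findall(r"'([^']+)' is not a valid reference", error_text))
    result = {}
    for change in parse_changes(change_text):
        name = re.search(r"entry\[@name='([^']+)'\]$", change["xpath"])
        if name and name.group(1) in refs and change.get("owner") not in scope:
            result.setdefault(name.group(1), set()).add(change["owner"])
    return result

if __name__ == "__main__":
    for ref, owners in missing_owners(COMMIT_ERROR, CHANGE_LIST).items():
        print(f"{ref}: pending change owned by {sorted(owners)} is outside the commit scope")
```
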

 

 



Resolution


Perform a full commit rather than a partial commit.


