Commit and push fail with "Local configured IP list is out of sync with cloud configured IP list".
Created On 05/23/24 03:00 AM - Last Modified 07/19/25 03:13 AM
Symptom
When you commit and push to Prisma Access from Panorama, the commit fails and the following error is shown on Panorama:
Partial changes to commit: changes to configuration by administrators: Snc_admin Changes to shared configuration Changes to device-group configuration:
(Remote_Network_Device_Group) (Mobile_User_Device_Group) Local configured IP list is out of sync with cloud configured IP list!
Please execute 'request plugins cloud_services prisma-access get-ip-allowlist-addresses' command to complete the configuration.
Failed plugin validation
Environment
- Panorama Managed Prisma Access
- Commit
Cause
- This is a part of the documented allowlist workflow whenever IP addresses change in the backend.
- When a location is added or Prisma Access adds IP addresses due to an autoscale event, the following needs to be done:
  - Refresh the page that contains the Egress IP Allow List table.
  - Modify the Allow List and add the new IP addresses to the organization’s allow lists.
  - Commit and Push your changes.
- Allow Listing GlobalProtect Mobile Users.
Resolution
- Refresh the page that contains the Egress IP Allow List table in Panorama before Commit and Push.
- The issue can be resolved by executing the following commands in Panorama Command Line Interface (CLI).
> request plugins cloud_services prisma-access get-ip-allowlist-addresses service-type gpaas
> configure
# commit force
# exit
For multitenant deployments, execute the following commands:
> request plugins cloud_services prisma-access multi-tenant get-ip-allowlist-addresses service-type gpaas tenant-name <multi-tenant-name>
> configure
# commit force
# exit
Note: Any one of the above methods (either 1 or 2) will resolve the issue.