Selective config push from Panorama to the firewall removed/reverted configuration done by another admin
Created On 05/29/24 21:27 PM - Last Modified 08/30/24 03:15 AM
Symptom
A selective DG push from Panorama removed or reverted configuration that had been pushed by another admin.
Environment
- Panorama managed Firewalls
- Supported PAN-OS
- Template (TPL) and Device Groups (DGs)
- Selective push
Cause
- The cause is explained using an example.
- Panorama has three device groups: TEST1-DG, TEST2-DG, and TEST3-DG.
- admin1 updates the configuration and pushes it to TEST1-DG and TEST2-DG. This push modifies the last in-sync version for these two device groups.
- Since no changes are made to TEST3-DG, it retains its old last in-sync version.
- This last in-sync version of TEST3-DG is treated as the base version.
- When another admin (say admin2) makes a change and pushes it to all three DGs, the base config is taken from TEST3-DG and the new changes are applied to all three device groups.
- In this case, the changes made on TEST1-DG and TEST2-DG are overwritten by the new push.
Resolution
- The issue is resolved in PAN-OS versions 10.2.11, 11.1.5, 11.2.3, and higher versions.
- This issue is not documented in the release notes because the defect was found internally.
- Upgrading to the above versions will resolve the issue.
Workaround:
- Confirm that all DGs/TPL are in sync before making a selective push OR
- Perform a full push first to get the DGs and Templates in sync.
- Then proceed to make a selective push.
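One way to automate the "confirm all DGs are in sync" check before a selective push, shown as an added example that is not part of the original article or Palo Alto Networks code. It parses a saved XML reply shaped like the output of the `show devicegroups` operational command; the element names used (`devicegroups`, `devices`, `connected`, `shared-policy-status`) and the sample data are assumptions to verify against your own Panorama, and template sync status is not covered.

```python
import xml.etree.ElementTree as ET

# Constructed sample reply (not real output). Element names are assumptions
# modelled on the "show devicegroups" op command; check them on your Panorama.
SAMPLE = """<response status="success"><result><devicegroups>
<entry name="TEST1-DG"><devices><entry name="0001"><hostname>fw-a</hostname>
<connected>yes</connected><shared-policy-status>In Sync</shared-policy-status></entry></devices></entry>
<entry name="TEST2-DG"><devices><entry name="0002"><hostname>fw-b</hostname>
<connected>yes</connected><shared-policy-status>In Sync</shared-policy-status></entry></devices></entry>
<entry name="TEST3-DG"><devices><entry name="0003"><hostname>fw-c</hostname>
<connected>yes</connected><shared-policy-status>Out of Sync</shared-policy-status></entry>
<entry name="0004"><hostname>fw-d</hostname>
<connected>no</connected><shared-policy-status>In Sync</shared-policy-status></entry></devices></entry>
</devicegroups></result></response>"""


def out_of_sync(xml_text, target_dgs):
    """Return {device group: [reasons]} for each targeted DG that blocks a selective push."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API reply was not successful")
    seen = {e.get("name"): e for e in root.findall("./result/devicegroups/entry")}
    problems = {}
    for dg in target_dgs:
        entry = seen.get(dg)
        if entry is None:
            # A DG we cannot see is treated as unsafe, never as in sync.
            problems[dg] = ["device group not present in reply"]
            continue
        reasons = []
        for dev in entry.findall("./devices/entry"):
            host = dev.findtext("hostname") or dev.get("name")
            status = (dev.findtext("shared-policy-status") or "").strip()
            if dev.findtext("connected") != "yes":
                # Last reported status of a disconnected firewall may be stale.
                reasons.append(f"{host}: disconnected, sync state unknown")
            elif status.lower() != "in sync":
                reasons.append(f"{host}: {status or 'no status reported'}")
        if reasons:
            problems[dg] = reasons
    return problems


def safe_for_selective_push(xml_text, target_dgs):
    """True only when every targeted DG is present and all its devices are in sync."""
    return not out_of_sync(xml_text, target_dgs)


if __name__ == "__main__":
    for dg, why in out_of_sync(SAMPLE, ["TEST1-DG", "TEST2-DG", "TEST3-DG"]).items():
        print(f"{dg}: do a full push first ({'; '.join(why)})")
```
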