When a shared object is used in the NAT or PBF rules of a shared gateway, the import into Panorama fails.

Created On 11/11/24 02:40 AM - Last Modified 10/21/25 22:33 PM


Symptom



1. Log in to the Panorama Web UI.
2. Import a managed firewall configuration (one that contains Shared Gateway settings) into Panorama by clicking "Import device configuration to Panorama" under PANORAMA > Setup > Operations.
3. Select a managed firewall and click "OK".
4. Confirm that the Job Status shows Completed.
5. Try to perform a Commit operation; it fails with the error messages below.

Error messages displayed:

Validation Error:
devices -> localhost.localdomain -> template-stack -> PA-3420_stack -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat-1 -> destination-translation is missing 'translated-address'
devices -> localhost.localdomain -> template-stack -> PA-3420_stack -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat-1 -> destination-translation is invalid
devices -> localhost.localdomain -> template -> PA-3420 -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat2-1 -> source array cannnot be empty
devices -> localhost.localdomain -> template -> PA-3420 -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat2-1 -> source is invalid


Environment


  • PA-Series Next-Generation Firewall
  • Panorama
  • PAN-OS 10.2/11.1/11.2


Cause


The shared gateway settings are missing after the import.

Firewall configuration:

set network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address objshared1 <<<<<<<< shared object
set network shared-gateway sg1 rulebase nat rules testnat-2 source objshared2 <<<<<<<< shared object

Panorama configuration:

The following setting is missing:
"set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address objshared1"

The source IP information is missing:

set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-2 source <<<<<<<< "source objshared2" is missing.


The shared objects from the firewall were imported:

set shared address objshared1 ip-netmask 100.100.100.1
set shared address objshared2 ip-netmask 100.100.100.2

However, the shared objects cannot be referenced from the shared gateway rules in the template.

Because the settings above are missing, the commit fails. Tab completion in Panorama offers only the template-level objects, not the imported shared objects:
admin@Panorama# set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address
obj1 address obj1
obj2 address obj2



Resolution


The workaround is to configure the firewall so that NAT and PBF rules on a shared gateway do not use shared objects.

PAN-268032 is under investigation.
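To find such references before running the import, the following Python script scans a firewall configuration exported in set format (for example with "set cli config-output-format set" followed by "show" in configure mode) and lists every NAT or PBF rule under a shared gateway that references a shared-scope address or address-group object, so those references can be moved to locally defined objects first. This is an added example, not part of this article and not Palo Alto Networks code. The configuration text embedded in the script is constructed sample data modelled on the lines in the Cause section (sg1, testnat-1, objshared1, objshared2); the local object obj1, the bracketed source list on testnat-2 and the PBF rule testpbf-1 are assumptions added for illustration.

```python
import re
import shlex
from typing import List, Set, Tuple

# Constructed sample of a firewall configuration in 'set' format, modelled on the
# lines shown in the Cause section. obj1 (a local object), the bracketed source
# list on testnat-2 and the PBF rule testpbf-1 are assumptions for illustration.
SAMPLE_CONFIG = """\
set shared address objshared1 ip-netmask 100.100.100.1
set shared address objshared2 ip-netmask 100.100.100.2
set address obj1 ip-netmask 10.0.0.1
set network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address objshared1
set network shared-gateway sg1 rulebase nat rules testnat-2 source [ objshared2 obj1 ]
set network shared-gateway sg1 rulebase nat rules testnat-2 destination any
set network shared-gateway sg1 rulebase pbf rules testpbf-1 source obj1
"""

# Objects defined at the shared scope: 'set shared address NAME ...' or
# 'set shared address-group NAME ...'.
SHARED_OBJ_RE = re.compile(r"^set shared (?:address|address-group) (\S+)")

# Rules under any shared gateway, in either of the two rulebases the article names.
SG_RULE_RE = re.compile(
    r"^set network shared-gateway (?P<sg>\S+) rulebase (?P<rb>nat|pbf) "
    r"rules (?P<rule>\S+) (?P<rest>.+)$"
)

Hit = Tuple[str, str, str, str]  # (gateway, rulebase, rule, shared object)


def shared_object_names(config: str) -> Set[str]:
    """Collect the names of all shared-scope address/address-group objects."""
    names = set()
    for line in config.splitlines():
        m = SHARED_OBJ_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def find_shared_refs(config: str) -> List[Hit]:
    """Return every shared-gateway NAT/PBF rule value that names a shared object.

    The tokens after the rule name are the keyword path plus its values, e.g.
    'destination-translation translated-address objshared1' or
    'source [ objshared2 obj1 ]'; shlex.split keeps '[' and ']' as separate
    tokens, so each list member is compared on its own.
    """
    shared = shared_object_names(config)
    hits: List[Hit] = []
    for line in config.splitlines():
        m = SG_RULE_RE.match(line.strip())
        if not m:
            continue
        for tok in shlex.split(m.group("rest")):
            if tok in shared:
                hits.append((m.group("sg"), m.group("rb"), m.group("rule"), tok))
    return hits


def report(config: str) -> List[str]:
    """One human-readable line per offending reference; empty if the config is clean."""
    return [
        f"shared-gateway {sg} {rb} rule {rule} references shared object {obj}; "
        f"replace it with a locally defined object before importing into Panorama"
        for sg, rb, rule, obj in find_shared_refs(config)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG) or ["no shared-object references found"]:
        print(line)
```

Run against the sample, the script flags testnat-1 (translated-address objshared1) and testnat-2 (source objshared2) and leaves testpbf-1 alone, because obj1 is a local object and is therefore preserved by the import. Replace the file contents of SAMPLE_CONFIG with a real set-format export to check a production firewall.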


