If a shared object is used in the NAT or PBF rules of a shared gateway, importing to panorama will fail.

Created On 11/11/24 02:40 AM - Last Modified 10/21/25 22:33 PM

Symptom

1. Log in to the Panorama Web UI.
2. Import a managed firewall configuration (one containing Shared Gateway settings) into Panorama by clicking "Import device configuration to Panorama" under PANORAMA > Setup > Operations.
3. Select the managed firewall and click "OK".
4. Confirm that the Job Status shows Completed.
5. Attempt a Commit; it fails with the error messages below.

Error messages displayed:

Validation Error:
    devices -> localhost.localdomain -> template-stack -> PA-3420_stack -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat-1 -> destination-translation is missing 'translated-address'
    devices -> localhost.localdomain -> template-stack -> PA-3420_stack -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat-1 -> destination-translation is invalid
    devices -> localhost.localdomain -> template -> PA-3420 -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat2-1 -> source array cannnot be empty
    devices -> localhost.localdomain -> template -> PA-3420 -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat2-1 -> source is invalid

Environment

  • PA-Series Next-Generation Firewall
  • Panorama
  • PAN-OS 10.2/11.1/11.2

Cause

The shared-gateway rule settings that reference shared objects are dropped during the import.

Firewall config:

set network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address objshared1 <<<<<<<< shared object
set network shared-gateway sg1 rulebase nat rules testnat-2 source objshared2 <<<<<<<< shared object

Panorama config:

The following setting is missing:
"set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address objshared1"

The source address is also missing from the rule:

set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-2 source <<<<<<<< "source objshared2" is missing.

The shared objects themselves were imported from the firewall:

set shared address objshared1 ip-netmask 100.100.100.1
set shared address objshared2 ip-netmask 100.100.100.2

However, the shared-gateway rules in the template cannot reference these shared objects. When the missing setting is entered in the Panorama CLI, the completion list offers only the template's own address objects (obj1, obj2), not objshared1 or objshared2. Because the settings are dropped, the commit fails with the errors shown above.
admin@Panorama# set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address
  obj1 address obj1
  obj2 address obj2

Resolution

The workaround is to configure the firewall so that NAT and PBF rules on a shared gateway do not use shared objects.

The issue is being investigated under PAN-268032.
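As an added example (not code from the article or from Palo Alto Networks), the following Python pre-import check scans a firewall "set"-format configuration for shared-gateway NAT or PBF rules that reference shared objects, so such rules can be reworked per the workaround before the device is imported into Panorama. The sample configuration is constructed to mirror the firewall config above; the regular expressions assume the standard set-command layout shown in this article.

```python
import re
import shlex

# Constructed sample of a firewall "set" configuration, modelled on the article's
# FW config. objshared1/objshared2 are shared objects; vsysobj is vsys-local.
SAMPLE_CONFIG = """\
set shared address objshared1 ip-netmask 100.100.100.1
set shared address objshared2 ip-netmask 100.100.100.2
set vsys vsys1 address vsysobj ip-netmask 10.0.0.1
set network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address objshared1
set network shared-gateway sg1 rulebase nat rules testnat-2 source objshared2
set network shared-gateway sg1 rulebase nat rules testnat-3 source vsysobj
set network shared-gateway sg1 rulebase pbf rules testpbf-1 destination objshared1
"""
# Object types defined under "set shared ..." that NAT/PBF rules can reference.
SHARED_OBJECT_RE = re.compile(
    r"^set shared (?:address|address-group|service|service-group) (\S+)")
# NAT or PBF rule lines under a shared gateway.
SG_RULE_RE = re.compile(
    r"^set network shared-gateway (\S+) rulebase (nat|pbf) rules (\S+) (.*)$")


def shared_object_names(config_text):
    """Collect the names of all shared objects defined in the config."""
    names = set()
    for line in config_text.splitlines():
        m = SHARED_OBJECT_RE.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def find_shared_object_refs(config_text):
    """Return (gateway, rulebase, rule, object) for every shared-gateway
    NAT/PBF rule line whose arguments name a shared object."""
    shared = shared_object_names(config_text)
    hits = []
    for line in config_text.splitlines():
        m = SG_RULE_RE.match(line.strip())
        if not m:
            continue
        gateway, rulebase, rule, args = m.groups()
        # shlex.split handles names that PAN-OS quotes because they contain spaces
        for token in shlex.split(args):
            if token in shared:
                hits.append((gateway, rulebase, rule, token))
    return hits


if __name__ == "__main__":
    for gateway, rulebase, rule, obj in find_shared_object_refs(SAMPLE_CONFIG):
        print(f"shared-gateway {gateway} {rulebase} rule {rule} references shared object {obj}")
```

Rules reported by the check should be changed to use template-local objects before running "Import device configuration to Panorama".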