Si se utiliza un objeto compartido en las reglas NAT o PBF de una puerta de enlace compartida, la importación a Panorama fallará.

Si se utiliza un objeto compartido en las reglas NAT o PBF de una puerta de enlace compartida, la importación a Panorama fallará.

1375
Created On 11/11/24 02:40 AM - Last Modified 10/21/25 22:33 PM


Symptom



1. Login to Panorama Web UI
2. Import a managed firewall configuration (with Shared Gateways settings) into Panorama by clicking "Import device configuration to Panorama" under PANORAMA > Setup > Operations
3. Select a managed firewall and click ?OK?
4. Confirm that the Job Status has been Completed
5. Try to perform Commit operation but it fails with the error messages below.

Error messages displayed:

Validation Error:
    devices -> localhost.localdomain -> template-stack -> PA-3420_stack -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat-1 -> destination-translation is missing 'translated-address'
    devices -> localhost.localdomain -> template-stack -> PA-3420_stack -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat-1 -> destination-translation is invalid
    devices -> localhost.localdomain -> template -> PA-3420 -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat2-1 -> source array cannnot be empty
    devices -> localhost.localdomain -> template -> PA-3420 -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat2-1 -> source is invalid

Environment


  • Firewall de última generación de la serie PA
  • Panorama
  • Sistema operativo PAN 10.2/11.1/11.2

Cause


Faltan las configuraciones de la puerta de enlace compartida.

Configuración de FW:

set network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address objshared1 <<<<<<<< shared object
set network shared-gateway sg1 rulebase nat rules testnat-2 source objshared2 <<<<<<<< shared object

Configuración panorámica:

The following settings is missing:
"set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address objshared1"

Falta la información de IP de origen:

set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-2 source <<<<<<<< "source objshared2" is missing.



Se importó el objeto compartido de FW.


set shared address objshared1 ip-netmask 100.100.100.1
set shared address objshared2 ip-netmask 100.100.100.2 


 


Sin embargo, no se puede hacer referencia al objeto compartido .


The above settings are missed, resulting in a commit error.


admin@Panorama# set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address
  obj1 address obj1
  obj2 address obj2




              
Resolution

La solución alternativa es configurar el FW para que no utilice objetos compartidos en las reglas NAT y PBF en una puerta de enlace compartida.


Estamos investigando el PAN-268032.


 


 




        
       
      





      

        
        
        

    

    

    

      

        
Other users also viewed:

        

             

               
              

        

    

        

        
        

          
Actions

          
    
           
            
            
            
  • 
                Print
            
    • 
            
  • 
            
    • 
            
  • 
              Copy Link
                
                
    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HERqCAO&lang=es&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
    
            
    • 
          

        
 

        

         
        

          

            
Choose Language