공유 게이트웨이의 NAT 또는 PBF 규칙에서 공유 오브젝트(shared object) 사용하는 경우 파노라마로 가져오는 데 실패합니다.

공유 게이트웨이의 NAT 또는 PBF 규칙에서 공유 오브젝트(shared object) 사용하는 경우 파노라마로 가져오는 데 실패합니다.

1375
Created On 11/11/24 02:40 AM - Last Modified 10/21/25 22:33 PM


Symptom



1. Login to Panorama Web UI
2. Import a managed firewall configuration (with Shared Gateways settings) into Panorama by clicking "Import device configuration to Panorama" under PANORAMA > Setup > Operations
3. Select a managed firewall and click ?OK?
4. Confirm that the Job Status has been Completed
5. Try to perform Commit operation but it fails with the error messages below.

Error messages displayed:

Validation Error:
    devices -> localhost.localdomain -> template-stack -> PA-3420_stack -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat-1 -> destination-translation is missing 'translated-address'
    devices -> localhost.localdomain -> template-stack -> PA-3420_stack -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat-1 -> destination-translation is invalid
    devices -> localhost.localdomain -> template -> PA-3420 -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat2-1 -> source array cannnot be empty
    devices -> localhost.localdomain -> template -> PA-3420 -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat2-1 -> source is invalid

Environment


  • PA-시리즈 차세대 방화벽
  • 파노라마
  • PANOS 10.2/11.1/11.2

Cause


공유 게이트웨이에 대한 설정이 없습니다.

FW 구성:

set network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address objshared1 <<<<<<<< shared object
set network shared-gateway sg1 rulebase nat rules testnat-2 source objshared2 <<<<<<<< shared object

파노라마 구성:

The following settings is missing:
"set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address objshared1"

소스 IP 정보가 누락되었습니다:

set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-2 source <<<<<<<< "source objshared2" is missing.



FW의 공유 오브젝트(shared object) 가져왔습니다.


set shared address objshared1 ip-netmask 100.100.100.1
set shared address objshared2 ip-netmask 100.100.100.2 


 


하지만 공유 오브젝트(shared object) 참조할 수는 없습니다.


The above settings are missed, resulting in a commit error.


admin@Panorama# set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address
  obj1 address obj1
  obj2 address obj2




              
Resolution

회피 방법 은 공유 게이트웨이의 NAT 및 PBF 규칙에서 공유 객체를 사용하지 않도록 FW를 구성 것입니다.


우리는 PAN-268032에 대해 조사하고 있습니다.


 


 




        
       
      





      

        
        
        

    

    

    

      

        
Other users also viewed:

        

             

               
              

        

    

        

        
        

          
Actions

          
    
           
            
            
            
  • 
                Print
            
    • 
            
  • 
            
    • 
            
  • 
              Copy Link
                
                
    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HERqCAO&lang=ko&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
    
            
    • 
          

        
 

        

         
        

          

            
Choose Language