Importing a device configuration into Panorama fails if shared objects are used in the NAT or PBF rules of a shared gateway

Created On 11/11/24 02:40 AM - Last Modified 10/21/25 22:33 PM


Symptom
1. Log in to the Panorama Web UI.
2. Import a managed firewall configuration that contains Shared Gateway settings into Panorama by clicking "Import device configuration to Panorama" under PANORAMA > Setup > Operations.
3. Select the managed firewall and click "OK".
4. Confirm that the Job Status shows Completed.
5. Perform a Commit. The commit fails with the validation errors below.

Error messages displayed:

Validation Error:
devices -> localhost.localdomain -> template-stack -> PA-3420_stack -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat-1 -> destination-translation is missing 'translated-address'
devices -> localhost.localdomain -> template-stack -> PA-3420_stack -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat-1 -> destination-translation is invalid
devices -> localhost.localdomain -> template -> PA-3420 -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat2-1 -> source array cannnot be empty
devices -> localhost.localdomain -> template -> PA-3420 -> config -> devices -> localhost.localdomain -> network -> shared-gateway -> sg1 -> rulebase -> nat -> rules -> testnat2-1 -> source is invalid

Environment


  • PA-Series Next-Generation Firewalls
  • Panorama
  • PAN-OS 10.2/11.1/11.2


Cause
The shared gateway settings that reference shared objects are dropped during the import, so the resulting template contains incomplete NAT rules.

Firewall configuration:

set network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address objshared1 <<<<<<<< shared object
set network shared-gateway sg1 rulebase nat rules testnat-2 source objshared2 <<<<<<<< shared object

Panorama configuration after the import:

The following setting is missing:
"set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address objshared1"

The source address of the second rule is missing:

set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-2 source <<<<<<<< "source objshared2" is missing.


The firewall's shared objects themselves were imported into Panorama:

set shared address objshared1 ip-netmask 100.100.100.1
set shared address objshared2 ip-netmask 100.100.100.2

However, these shared objects cannot be referenced from the shared-gateway rules in the template. Trying to add the missing reference on the Panorama CLI only offers other address objects (obj1, obj2); objshared1 and objshared2 are not selectable:

admin@Panorama# set template PA-3420 config network shared-gateway sg1 rulebase nat rules testnat-1 destination-translation translated-address
obj1 address obj1
obj2 address obj2

Because the references are lost and cannot be restored, the imported template fails commit validation with the errors shown under Symptom.



Resolution
The workaround is to configure the firewall so that NAT and PBF rules on the shared gateway do not use shared objects, before importing the device configuration into Panorama.

This issue is being investigated under PAN-268032.
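To apply the workaround before an import, it helps to know which shared-gateway NAT and PBF rules on the firewall reference shared objects. The script below is an added example, not part of the article or a Palo Alto Networks tool: it parses an exported firewall configuration XML (the structure assumed here, /config/shared/address and /config/devices/entry/network/shared-gateway/entry/rulebase/{nat,pbf}/rules/entry, mirrors the set commands shown above) and lists every rule whose source, destination or translated-address names an object defined under shared. The embedded configuration is constructed for the example; run it against a real `show config running` XML export instead.

```python
import xml.etree.ElementTree as ET

# Constructed sample firewall configuration (not an export from a real device).
# It mirrors the article's set commands: two shared address objects referenced
# from shared-gateway NAT rules, plus a PBF rule and a rule using a literal IP.
SAMPLE_FW_CONFIG = """<config>
  <shared>
    <address>
      <entry name="objshared1"><ip-netmask>100.100.100.1</ip-netmask></entry>
      <entry name="objshared2"><ip-netmask>100.100.100.2</ip-netmask></entry>
    </address>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <shared-gateway>
          <entry name="sg1">
            <rulebase>
              <nat>
                <rules>
                  <entry name="testnat-1">
                    <source><member>any</member></source>
                    <destination-translation>
                      <translated-address>objshared1</translated-address>
                    </destination-translation>
                  </entry>
                  <entry name="testnat-2">
                    <source><member>objshared2</member></source>
                    <source-translation>
                      <dynamic-ip-and-port>
                        <translated-address><member>203.0.113.10</member></translated-address>
                      </dynamic-ip-and-port>
                    </source-translation>
                  </entry>
                  <entry name="testnat-3">
                    <source><member>10.0.0.0/8</member></source>
                  </entry>
                </rules>
              </nat>
              <pbf>
                <rules>
                  <entry name="testpbf-1">
                    <source><member>objshared1</member></source>
                  </entry>
                </rules>
              </pbf>
            </rulebase>
          </entry>
        </shared-gateway>
      </network>
    </entry>
  </devices>
</config>
"""


def shared_object_names(root):
    """Names of address objects and address groups defined under /config/shared."""
    names = set()
    for kind in ("address", "address-group"):
        for entry in root.findall("./shared/%s/entry" % kind):
            names.add(entry.get("name"))
    return names


def _referenced_values(rule):
    """Yield (field, value) for every place a NAT/PBF rule can name an address object."""
    for field in ("source", "destination"):
        for member in rule.findall("./%s/member" % field):
            if member.text and member.text.strip():
                yield field, member.text.strip()
    # translated-address appears under destination-translation (single value)
    # and under the source-translation variants (single value or member list).
    for ta in rule.iter("translated-address"):
        members = ta.findall("./member")
        if members:
            for member in members:
                if member.text and member.text.strip():
                    yield "translated-address", member.text.strip()
        elif ta.text and ta.text.strip():
            yield "translated-address", ta.text.strip()


def find_shared_object_references(config_xml):
    """Return (gateway, rulebase, rule, field, object) for each shared-gateway
    NAT/PBF rule field that references a shared object. Literal IPs, 'any' and
    objects not defined under shared are ignored."""
    root = ET.fromstring(config_xml)
    shared = shared_object_names(root)
    findings = []
    for gw in root.findall("./devices/entry/network/shared-gateway/entry"):
        for rulebase in ("nat", "pbf"):
            for rule in gw.findall("./rulebase/%s/rules/entry" % rulebase):
                for field, value in _referenced_values(rule):
                    if value in shared:
                        findings.append((gw.get("name"), rulebase, rule.get("name"), field, value))
    return findings


if __name__ == "__main__":
    for gw, rb, rule, field, obj in find_shared_object_references(SAMPLE_FW_CONFIG):
        print("shared-gateway %s %s rule %s: %s references shared object %s" % (gw, rb, rule, field, obj))
```

Each reported rule is one that will lose its reference during the Panorama import; replace the shared object with a literal address or a non-shared object on the firewall before importing.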



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HERqCAO&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail