Panorama commit fails with deleted EDL object referenced in spyware profile
Created On 12/07/23 00:16 AM - Last Modified 06/03/24 20:53 PM
Symptom
Panorama commit fails with a validation error that references a spyware profile.
Partial changes to commit: changes to configuration by administrators: admin
Changes to shared configuration
Validation Error:
shared -> profiles -> spyware -> strict-1 -> botnet-domains -> lists -> DOMAIN-URL 'DOMAIN-URL' is not a valid reference
shared -> profiles -> spyware -> strict-1 -> botnet-domains -> lists is invalid
devices -> localhost.localdomain -> device-group -> LAB-FW-01 -> profiles -> spyware -> strict-1-1 -> botnet-domains -> lists -> DOMAIN-URL 'DOMAIN-URL' is not a valid reference
devices -> localhost.localdomain -> device-group -> LAB-FW-01 -> profiles -> spyware -> strict-1-1 -> botnet-domains -> lists is invalid
Environment
- Any Panorama
- Supported PAN-OS
- External Dynamic List (EDL)
- Spyware
Cause
- The shared EDL object configuration was deleted on the Panorama while the EDL object was still being referenced in the Anti-Spyware profile.
- This causes the commit to fail on Panorama.
Resolution
- Log in to the CLI of Panorama and enter configuration mode.
- Use the "show" command and check if the EDL object in the commit is still referenced. In this example the EDL object is "DOMAIN-URL".
admin@Panorama# show | match DOMAIN
set device-group LAB-FW-01 profiles spyware strict-1-1 botnet-domains lists DOMAIN-URL action allow
set device-group LAB-FW-01 profiles spyware strict-1-1 botnet-domains lists DOMAIN-URL packet-capture disable
set shared profiles spyware strict-1 botnet-domains lists DOMAIN-URL action allow
set shared profiles spyware strict-1 botnet-domains lists DOMAIN-URL packet-capture disable
- From the above output, the EDL object "DOMAIN-URL" is still referenced in the Spyware profile "strict-1" even though the object itself has been deleted.
- Delete the EDL object reference from the shared/device-group Spyware profile configuration.
delete shared profiles spyware strict-1 botnet-domains lists DOMAIN-URL
delete device-group LAB-FW-01 profiles spyware strict-1-1 botnet-domains lists DOMAIN-URL
- Commit the changes on the Panorama and push them to the device group.
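When several profiles reference the deleted object, the delete commands can be derived directly from the commit error. The following Python script is an added example, not part of the original article and not Palo Alto Networks code: it maps each "is not a valid reference" line to the matching configuration-mode delete command, using the path mapping shown above. The function names and the quoting of names that contain spaces are assumptions, and the sample input is constructed from the Symptom output.

```python
import re

# Validation line format shown in the Symptom section:
#   <path joined by " -> "> -> NAME 'NAME' is not a valid reference
REF_LINE = re.compile(
    r"^(?P<path>.+?) -> (?P<name>[^']+?) '(?P=name)' is not a valid reference$"
)


def _word(token):
    # Assumption: names containing whitespace are quoted on the CLI.
    return f'"{token}"' if re.search(r"\s", token) else token


def delete_commands(commit_error):
    """Return one delete command per dangling EDL reference, in order."""
    commands = []
    for raw in commit_error.splitlines():
        m = REF_LINE.match(raw.strip())
        if not m:
            continue  # headers and "... lists is invalid" lines
        path = m.group("path").split(" -> ")
        # Device-group errors are reported under devices -> <host> -> ...;
        # the CLI path in the article starts at "device-group".
        if path[0] == "devices" and len(path) > 2 and path[2] == "device-group":
            path = path[2:]
        # Handle only the case this article covers: spyware botnet-domains lists.
        if "spyware" not in path or path[-2:] != ["botnet-domains", "lists"]:
            continue
        cmd = "delete " + " ".join(_word(t) for t in path + [m.group("name")])
        if cmd not in commands:
            commands.append(cmd)
    return commands


# Constructed sample, copied from the commit error in the Symptom section.
SAMPLE = """\
Validation Error:
shared -> profiles -> spyware -> strict-1 -> botnet-domains -> lists -> DOMAIN-URL 'DOMAIN-URL' is not a valid reference
shared -> profiles -> spyware -> strict-1 -> botnet-domains -> lists is invalid
devices -> localhost.localdomain -> device-group -> LAB-FW-01 -> profiles -> spyware -> strict-1-1 -> botnet-domains -> lists -> DOMAIN-URL 'DOMAIN-URL' is not a valid reference
devices -> localhost.localdomain -> device-group -> LAB-FW-01 -> profiles -> spyware -> strict-1-1 -> botnet-domains -> lists is invalid
"""

if __name__ == "__main__":
    print("\n".join(delete_commands(SAMPLE)))
```

Review the generated commands against the "show | match" output before running them in configuration mode.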