Commit from Panorama to Firewall fails on multi-vsys firewalls after upgrade to 10.2
Created On 09/22/23 17:04 PM - Last Modified 06/04/25 21:08 PM
Symptom
- Commit from Panorama to a firewall fails after upgrade to 10.2.
- Multi-vsys is configured on the firewalls.
- The error message is shown below.
Validation Error:
vsys -> vsys2 -> application -> xxxxxx 'xxxxxx' is already in use
vsys -> vsys2 -> application is invalid
Environment
- Panorama Managed Firewalls
- PAN-OS 10.2.x
- Multi-vsys firewalls
Cause
- This is due to a change in the default behavior for Shared objects on multi-vsys firewalls managed by Panorama.
- Per documentation "Configuration objects in the Shared device group are now pushed to a Panorama Shared configuration context for all virtual systems rather than duplicating the shared configuration to each virtual system to reduce the operational burden of scaling configurations for multi-vsys firewalls."
Resolution
- Before pushing the current Panorama managed configuration, check for any locally configured Shared objects on the firewall that have the same name as an object in the Panorama shared configuration.
- Rename or delete them before the Panorama push.
- Otherwise, the commit push from Panorama will fail with the Validation Error shown above.
- Refer to Changes of behavior in PAN-OS 10.2 for Panorama management of multi-vsys firewall
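One way to run the pre-push check described above is to compare exported configuration XML from the firewall and from Panorama offline. This is an added example, not part of the original article or a vendor tool; it assumes both exports keep shared objects under `<config><shared><TYPE><entry name="...">`, and the object names in the sample XML are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports. Assumed layout: /config/shared/<type>/entry[@name]
FIREWALL_XML = """<config><shared>
  <application><entry name="custom-app"/><entry name="local-only-app"/></application>
  <address><entry name="dns-server"/></address>
</shared></config>"""

PANORAMA_XML = """<config><shared>
  <application><entry name="custom-app"/></application>
  <address><entry name="dns-server"/><entry name="ntp-server"/></address>
  <service><entry name="tcp-8443"/></service>
</shared></config>"""


def shared_objects(xml_text):
    """Return {object_type: {names}} for named entries directly under <shared>.

    Only sections whose <entry> elements are direct children are covered;
    nested sections (for example profile containers) are not walked.
    """
    shared = ET.fromstring(xml_text).find("shared")
    found = {}
    if shared is None:  # export has no shared section at all
        return found
    for section in shared:
        names = {e.get("name") for e in section.findall("entry") if e.get("name")}
        if names:
            found[section.tag] = names
    return found


def find_collisions(firewall_xml, panorama_xml):
    """List (type, name) pairs defined in both the local and Panorama shared config."""
    local = shared_objects(firewall_xml)
    pushed = shared_objects(panorama_xml)
    return sorted(
        (obj_type, name)
        for obj_type in local.keys() & pushed.keys()
        for name in local[obj_type] & pushed[obj_type]
    )


if __name__ == "__main__":
    for obj_type, name in find_collisions(FIREWALL_XML, PANORAMA_XML):
        print(f"rename or delete local shared {obj_type} '{name}' before the push")
```

Each pair returned is a local object to rename or delete on the firewall before the Panorama push.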