EDL references were lost in security rule after config import to Panorama

Created On 07/05/21 15:09 PM - Last Modified 01/03/23 09:03 AM


Symptom


After importing a backup config into a new Panorama and pushing the config to the managed devices, some traffic that depends on predefined EDL objects is denied instead of being allowed as per the configuration.

Details when the issue can be seen:
  • Spin up NEW-Panorama. Do not install the Anti Virus (AV) update on NEW-Panorama.
  • Export the running config from OLD-Panorama and upload it to NEW-Panorama. Load the configuration in NEW-Panorama and do a local commit.
  • The commit goes through fine; however, the security policies that had predefined EDL references configured as Source/Destination experience the issue.
  • Since Panorama does not have a valid AV version available and the predefined EDL references depend on it, Panorama replaces the Source/Destination with "Any".
  • After the commit and push, all the managed firewalls which have such policies are affected.


Environment


  • Panorama with Managed Firewalls
  • PAN-OS 9.1 and above.
  • Anti-Virus Updates.
  • EDL (External Dynamic List)


Cause


Since Panorama does not have a valid AV version available and the predefined EDL references depend on it, Panorama replaces the Source/Destination with "Any".

Resolution


  1. Install the necessary Dynamic Updates prior to importing the backup config.
  2. This is necessary if the config has elements that depend on such updates, such as EDLs.
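
A pre-push check for the condition described above, as an added example that is not part of the original article or a Palo Alto Networks tool: it compares the config exported from OLD-Panorama with the config exported from NEW-Panorama after the load and commit, and reports every security rule whose Source or Destination named specific objects before and is "any" now. It assumes both configs are available as XML, that rules sit under `security/rules/entry`, and that the replacement is visible in the new export; the sample configs and the object name `example-predefined-edl` are constructed.

```python
import xml.etree.ElementTree as ET

FIELDS = ("source", "destination")

def rule_fields(config_xml):
    """Map (owner, rulebase, rule name) -> {field: set of member names}."""
    root = ET.fromstring(config_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    rules = {}
    for rule in root.findall(".//security/rules/entry"):
        rulebase = parents[parents[parents[rule]]]  # entry -> rules -> security -> rulebase
        owner = parents[rulebase]                   # device-group entry or <shared>
        key = (owner.get("name") or owner.tag, rulebase.tag, rule.get("name"))
        rules[key] = {f: {m.text for m in rule.findall(f"{f}/member")} for f in FIELDS}
    return rules

def widened_to_any(old_xml, new_xml):
    """Rules whose source/destination named specific objects before and is 'any' now."""
    old, new = rule_fields(old_xml), rule_fields(new_xml)
    findings = []
    for key in sorted(old.keys() & new.keys()):
        for f in FIELDS:
            lost = old[key][f] - {"any"}
            if lost and new[key][f] == {"any"}:
                findings.append((*key, f, sorted(lost)))
    return findings

# Constructed sample configs; "example-predefined-edl" is a placeholder object name.
TEMPLATE = """<config><devices><entry name="localhost.localdomain"><device-group>
<entry name="DG-Branch"><pre-rulebase><security><rules>
  <entry name="Allow-Listed-Dest">
    <source><member>any</member></source>
    <destination><member>{dst}</member></destination>
  </entry>
  <entry name="Allow-DNS">
    <source><member>10.0.0.0/8</member></source>
    <destination><member>any</member></destination>
  </entry>
</rules></security></pre-rulebase></entry>
</device-group></entry></devices></config>"""
OLD_CONFIG = TEMPLATE.format(dst="example-predefined-edl")
NEW_CONFIG = TEMPLATE.format(dst="any")

if __name__ == "__main__":
    for dg, rulebase, rule, field, lost in widened_to_any(OLD_CONFIG, NEW_CONFIG):
        print(f"{dg}/{rulebase}/{rule}: {field} was {lost}, now 'any'")
```

Any finding means the push to managed firewalls should be held until the missing Dynamic Updates are installed and the config is re-imported.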


Additional Information


See PAN-158511 for further details on preventing a commit from Panorama whenever such conditions are met.

28 Dec 22 (Vijay) - Article updated with Adnan and Published external
 

