Error message "enforcer-exception-list is invalid" seen when trying to save GlobalProtect Portal configuration.

Created On 04/12/22 22:30 PM - Last Modified 04/23/24 03:51 AM


Symptom


The following error is observed when the OK button (Network > GlobalProtect > Portals > Agent) is clicked to save the Portal configuration:
(Screenshot: Enforcer Exception List configuration)



Environment


  • Palo Alto Firewalls
  • PAN-OS 9.1 and above
  • GlobalProtect Portal
  • Enforcer exception list
  • Prisma Access managed by Panorama


Cause


  • An FQDN exception list was configured initially, while the GP enforcer was enabled.
  • Since the GP enforcer is no longer being used, it was disabled under Network > GlobalProtect > Portals > {portal-name} > Agent > {portal-agent-name} > App > Enforce GlobalProtect Connection for Network Access.
  • When trying to remove the FQDN exception list under Network > GlobalProtect > Portals > {portal-name} > Agent > {portal-agent-name} > App > Allow traffic to specified fqdn when Enforce GlobalProtect Connection for Network Access is enabled and GlobalProtect Connection is not established, the following error message is shown:
"Portal-Sec" -> client-config -> configs -> "Portal-Sec-Config" -> gp-app-config -> config -> enforcer-exception-list-domain -> value is invalid


Resolution


Remove the FQDN enforcer exception list configuration from the CLI.

admin@Firewall> configure
admin@Firewall# delete global-protect global-protect-portal <name> client-config configs <name> gp-app-config config enforcer-exception-list
admin@Firewall# delete global-protect global-protect-portal <name> client-config configs <name> gp-app-config config enforcer-exception-list-domain
admin@Firewall# commit
admin@Firewall# exit

Use the following commands to delete this configuration from Panorama (applicable to both Prisma Access managed by Panorama and Strata firewalls managed from Panorama):
admin@Panorama# delete template <template-name> config vsys vsys1 global-protect global-protect-portal <Portal-name> client-config configs <config-name> gp-app-config config enforcer-exception-list

[edit]
admin@Panorama# delete template <template-name> config vsys vsys1 global-protect global-protect-portal <Portal-name> client-config configs <config-name> gp-app-config config enforcer-exception-list-domain

[edit]
admin@Panorama# commit

Additional Information


Use the following command to confirm whether the previous enforcer exception list values are still present in the configuration:
admin@Panorama# show template <template-name> config vsys vsys1 global-protect global-protect-portal <portal-name> client-config configs <config-name> gp-app-config config enforcer-exception-list
enforcer-exception-list {
  value 1.1.1.1;
}
[edit]
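The manual check above has to be repeated for every portal and agent config. The script below, an added example that is not part of this article or of PAN-OS, does the same audit offline against an exported XML configuration: it walks the element hierarchy that corresponds to the CLI path used in the article (global-protect > global-protect-portal > client-config > configs > gp-app-config > config > enforcer-exception-list / enforcer-exception-list-domain), reports every list that still holds values, and prints the matching delete commands in the article's firewall and Panorama syntax. The sample XML is constructed for this example; the portal and config names and the 1.1.1.1 value are taken from the article, and the use of a value child element mirrors the CLI output shown above but is an assumption about the export format.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of an exported PAN-OS XML
# configuration (assumed layout; only the element names that appear in the
# article's CLI path are taken from the page). The first agent config still
# carries stale enforcer exception entries, the second one is clean.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect>
      <global-protect-portal>
        <entry name="Portal-Sec">
          <client-config><configs>
            <entry name="Portal-Sec-Config">
              <gp-app-config><config>
                <enforcer-exception-list>
                  <value>1.1.1.1</value>
                </enforcer-exception-list>
                <enforcer-exception-list-domain>
                  <value>update.example.test</value>
                </enforcer-exception-list-domain>
              </config></gp-app-config>
            </entry>
            <entry name="Portal-Sec-Clean">
              <gp-app-config><config/></gp-app-config>
            </entry>
          </configs></client-config>
        </entry>
      </global-protect-portal>
    </global-protect>
  </entry></vsys></entry></devices>
</config>
"""

# The two list nodes the article deletes.
LIST_NODES = ("enforcer-exception-list", "enforcer-exception-list-domain")


def find_stale_enforcer_lists(xml_text):
    """Return (portal, config, list_node, values) for every enforcer
    exception list under any GlobalProtect portal that still holds values."""
    root = ET.fromstring(xml_text)
    findings = []
    for portal in root.iter("global-protect-portal"):
        for p_entry in portal.findall("entry"):
            for c_entry in p_entry.findall("client-config/configs/entry"):
                cfg = c_entry.find("gp-app-config/config")
                if cfg is None:
                    continue
                for node_name in LIST_NODES:
                    node = cfg.find(node_name)
                    if node is None:
                        continue
                    # Collect the text of every child (value/member style).
                    values = [(child.text or "").strip() for child in node]
                    values = [v for v in values if v]
                    if values:
                        findings.append(
                            (p_entry.get("name"), c_entry.get("name"), node_name, values)
                        )
    return findings


def delete_commands(findings, template=None):
    """Build the delete commands from the article for each finding.

    Without a template name the firewall form is produced; with one, the
    Panorama template form (vsys1, as in the article) is produced.
    """
    cmds = []
    for portal, config, node_name, _values in findings:
        path = (
            "global-protect global-protect-portal {p} client-config configs {c} "
            "gp-app-config config {n}"
        ).format(p=portal, c=config, n=node_name)
        if template:
            cmds.append("delete template {t} config vsys vsys1 {path}".format(t=template, path=path))
        else:
            cmds.append("delete " + path)
    return cmds


if __name__ == "__main__":
    found = find_stale_enforcer_lists(SAMPLE_CONFIG)
    for portal, config, node_name, values in found:
        print("%s / %s: %s still has %s" % (portal, config, node_name, ", ".join(values)))
    print("\n".join(delete_commands(found)))
    print("\n".join(delete_commands(found, template="GP-Template")))
```

Run it against a real export (`show config running` in XML form, or the configuration file exported from the web interface) by replacing SAMPLE_CONFIG with the file contents; the printed commands are then pasted into configure mode and followed by a commit, exactly as in the Resolution section.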
