Panorama Validation Error - service "xxxx" is not an allowed keyword

Created On 09/07/22 02:01 AM - Last Modified 08/09/23 21:27 PM


Symptom


When pushing a template and device group from Panorama to firewalls, validation errors like the following are encountered:
Example:
Details:
. Validation Error:
. rulebase -> security -> rules -> xxxxx -> service 'xxxxx' is not an allowed keyword
. rulebase -> security -> rules -> xxxxx -> service 'xxxxx' is not a valid reference
. rulebase -> security -> rules -> xxxxx -> service is invalid

 


Environment


  • Panorama managed Firewalls
  • PAN-OS 9.1 or higher
  • Commit 


Cause


  • An object (address, service, etc.) is pushed from Panorama and referenced in the firewall's local configuration (local override).
  • During the next configuration push from Panorama, this object is removed.
  • Because the object is no longer present in the firewall's pushed-shared-policy config but is still referenced in the local configuration, the validation error "is not an allowed keyword" is presented.
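
The check below is an added example, not part of the original article or a Palo Alto Networks tool: it lists local security rules whose service members would resolve to no object once the Panorama-pushed object is removed. The XML fragments are constructed and simplified, the element layout and the set of predefined service keywords are assumptions, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Assumption: predefined service keywords that need no object definition.
BUILTIN_SERVICES = {"any", "application-default", "service-http", "service-https"}

# Constructed, simplified fragments (not real exports). Local firewall config:
LOCAL_CONFIG = """<vsys>
  <service><entry name="svc-local-8443"/></service>
  <rulebase><security><rules>
    <entry name="allow-web">
      <service><member>service-https</member></service>
    </entry>
    <entry name="allow-app">
      <service><member>svc-pano-9000</member><member>svc-local-8443</member></service>
    </entry>
  </rules></security></rulebase>
</vsys>"""
# Objects delivered by Panorama before and after the next push (constructed).
PUSHED_BEFORE = """<pushed><service>
  <entry name="svc-pano-9000"/><entry name="svc-pano-53"/>
</service></pushed>"""
PUSHED_AFTER = """<pushed><service><entry name="svc-pano-53"/></service></pushed>"""


def service_names(xml_text):
    """Names of service objects defined directly under the fragment root."""
    return {e.get("name") for e in ET.fromstring(xml_text).findall("./service/entry")}


def dangling_service_refs(local_xml, pushed_xml):
    """(rule, service) pairs in local rules that resolve to no defined object."""
    defined = service_names(local_xml) | service_names(pushed_xml) | BUILTIN_SERVICES
    missing = []
    for rule in ET.fromstring(local_xml).findall("./rulebase/security/rules/entry"):
        for member in rule.findall("./service/member"):
            if member.text not in defined:
                missing.append((rule.get("name"), member.text))
    return missing


if __name__ == "__main__":
    for label, pushed in (("current push", PUSHED_BEFORE), ("next push", PUSHED_AFTER)):
        for rule, svc in dangling_service_refs(LOCAL_CONFIG, pushed):
            print(f"{label}: rules -> {rule} -> service '{svc}' has no definition")
```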


Resolution


Use one of the following solutions to resolve the issue:
  1. Configure the object locally on the firewall instead of using the Panorama-pushed address object.
  2. Configure the security policy that uses the object on Panorama and push it to the firewall.
The validation error should not be displayed after the change.

