Panorama push to managed firewalls failed with validation error: '<application name >' is already in use

Panorama push to managed firewalls failed with validation error: '<application name >' is already in use

27529
Created On 09/14/22 18:18 PM - Last Modified 10/24/22 20:02 PM


Symptom


  • The Panorama Push will be failed with below validation error with specific <application name>:
Operation Commit All
Status Completed
Result Failed
Details

Validation Error:
vsys -> vsys1 -> application-status -> '<application name >'-uploading' is already in use
vsys -> vsys1 -> application-status is invalid
Commit failed
  •  Below error with specific <application name> will presented in configd.log (less mp-log configd.log)
Error:  pan_schema_verify_set_constraints(pan_schema_verify.c:374): '<application name >' is already in use near line <line number >

 

Environment


  • Panorama with PAN-OS 10.1
  • Managed Firewall with PAN-OS 10.1

Resolution


  1. Check the application status with below command 
> request get-application-status application <application name>
  1. Result would show the application enable/disable status in shared and vsys level (device group in panorama) 
Panorama:
M-200> request get-application-status application powtoon-uploading

Application : powtoon-uploading
Device-Group        Status                 Location
------------------------------------------------------
shared             enabled                   shared
vsys1              disabled                   shared
Firewall :
PA-7080> request get-application-status application powtoon-uploading

Application : powtoon-uploading
Vsys                Status                 Location
------------------------------------------------------
shared             disabled                   shared
vsys1              disabled                    vsys1

 

  1. Success depends on  application status on panorama and managed firewall  , there would be 16 possible combinations for push :
 
Application status

Panorama:

Shared Enable
Device-group Enable

Panorama:

Shared Disable
Device-group Enable

Panorama:

Shared Disable
Device-group Disable

Panorama

Shared Enable
Device-group Disable

Firewall:

Shared Enable
vsys Enable

SuccessfulSuccessfulSuccessfulSuccessful

Firewall:

Shared Disable
vsys Enable

SuccessfulSuccessfulSuccessfulSuccessful

Firewall:

Shared Disable
vsys Disable

SuccessfulSuccessfulFailedFailed

Firewall:

Shared Enable
vsys Disable

FailedSuccessfulSuccessfulSuccessful


 
  1. You can change the application status in target vsys with GUI access under Objects > Applications (Same in panorama device group )

Firewall Application status

 

  1. The enable or disable the applications on the Shared Device group must be done using the CLI command listed below.
> request set-application-status-recursive application *application name* status *enabled/disabled*

 

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZ6WCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language