Unable to Sync the Policy Recommendations Rule created in SaaS Security inline with Panorama with the error message "0/0 policy rules successfully synced"

Created On 07/03/24 08:42 AM - Last Modified 06/10/25 22:59 PM


Symptom


  • The policy is created correctly under SaaS Security Inline > Discovered Apps > Policy Recommendations.
  • The status of the target policy is "Enabled".
  • The following steps are taken in Panorama:
  1. "Sync Policy Rules" is executed from the Panorama WebUI under Panorama > Policy Recommendation > SaaS, but the policy is not synced to Panorama.
  2. The message "[0/0 policy rules successfully synced]." is displayed.


Environment


  • Prisma Access Panorama Managed
  • SaaS Security Inline and Logging Service licenses are available
  • Device Certificate is properly installed


Cause


The IoT Edge address in the Panorama is configured with a region address different from the regions in which CDL and Prisma Access are onboarded.



Resolution


The IoT Edge address on Panorama should be configured and pointed to the same region where the CDL and Prisma Access are onboarded.

The IoT Edge addresses for each region are listed below.
Device Security Integration with Next-generation Firewalls: https://docs.paloaltonetworks.com/iot/iot-security-admin/iot-security-overview/iot-security-integration-with-next-generation-firewalls

United States: iot.services-edge.paloaltonetworks.com
Canada: ca.iot.services-edge.paloaltonetworks.com
EU: eu.iot.services-edge.paloaltonetworks.com
Switzerland: ch.iot.services-edge.paloaltonetworks.com
United Kingdom: uk.iot.services-edge.paloaltonetworks.com
APAC: apac.iot.services-edge.paloaltonetworks.com
Japan: jp.iot.services-edge.paloaltonetworks.com
Australia: au.iot.services-edge.paloaltonetworks.com


Additional Information


Confirm the same for the Content Cloud Setting used by App-ID Cloud Engine (ACE): the firewall should use the correct Content Cloud FQDN.

App-ID Cloud Engine: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/cloud-based-app-id-service
ACE is supported in the US, APAC, and EU GCP regions. The region is selected automatically based on your CDL region.
Verify that the firewall uses the correct Content Cloud FQDN (Device > Setup > Content-ID > Content Cloud Setting) for your region and change the FQDN if necessary:
US—hawkeye.services-edge.paloaltonetworks.com
EU—eu.hawkeye.services-edge.paloaltonetworks.com
APAC—apac.hawkeye.services-edge.paloaltonetworks.com

