Policy recommendation rules created in SaaS Security cannot be synced to Panorama, and the error message "0/0 policy rules synced successfully" is displayed
Created On 07/03/24 08:42 AM - Last Modified 06/10/25 22:58 PM
Symptom
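- The policy is created correctly in SaaS Security Inline > Discovered Applications > Policy Recommendations.
- The status of the target policy is "Enabled".
- The steps on Panorama are as follows:
  - "Sync Policy Rules" is run from Panorama WebUI > Panorama > Policy Recommendation > SaaS, but the policy is not synced to Panorama.
  - The message shown is "[0/0 policy rules synced successfully]".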
Environment
- Prisma Access (Panorama Managed)
- SaaS Security Inline and Logging Service licenses are provisioned
- The device certificate is installed correctly
Cause
The IoT Edge address configured in Panorama belongs to a different region than the one CDL and Prisma Access are onboarded to.
Resolution
Configure the IoT Edge address on Panorama so that it points to the same region where CDL and Prisma Access are located.
The list of IoT Edge addresses is as follows:
https://docs.paloaltonetworks.com/iot/iot-security-admin/iot-security-overview/iot-security-integration-with-next-generation-firewalls
IoT Security Integration with Next-Generation Firewalls
- United States: iot.services-edge.paloaltonetworks.com
- Canada: ca.iot.services-edge.paloaltonetworks.com
- EU: eu.iot.services-edge.paloaltonetworks.com
- Switzerland: ch.iot.services-edge.paloaltonetworks.com
- United Kingdom: uk.iot.services-edge.paloaltonetworks.com
- APAC: apac.iot.services-edge.paloaltonetworks.com
- Japan: jp.iot.services-edge.paloaltonetworks.com
- Australia: au.iot.services-edge.paloaltonetworks.com
Additional Information
Confirm the same for the Content Cloud Setting for ACE, since the firewall should use the correct Content Cloud FQDN.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/app-id/cloud-based-app-id-service
App-ID Cloud Engine
ACE is supported in the US, APAC, and EU GCP regions. The region is selected automatically based on your CDL region. Verify that the firewall uses the correct Content Cloud FQDN (Device > Setup > Content-ID > Content Cloud Setting) for your region and change the FQDN if necessary:
- US: hawkeye.services-edge.paloaltonetworks.com
- EU: eu.hawkeye.services-edge.paloaltonetworks.com
- APAC: apac.hawkeye.services-edge.paloaltonetworks.com