"Test Security Policy Match" feature on Panorama UI & CLI fails with "Server error"
Created On 07/30/24 23:18 PM - Last Modified 10/21/24 21:20 PM
Symptom
- After upgrading PAN-OS to 11.1.x, the "Security Policy Match" feature under Managed Devices > Troubleshooting > Test Configuration in the Panorama UI & CLI fails if the source zone is defined in the "From" field.
- The error message "Server error : L3-Trust is invalid from.Current target-vsys is none request-batch -> op-command -> test -> security-policy-match -> from is invalid" is displayed. In this example, L3-Trust represents the zone name.
- CLI Test Output:
admin@Lab41-128-Panorama> request-batch op-command test security-policy-match from L3-Trust source 10.1.0.1 destination 10.2.0.2 destination-port 443 protocol 6 device 0070*********64
Server error : L3-Trust is invalid from.Current target-vsys is none
request-batch -> op-command -> test -> security-policy-match -> from is invalid
- The issue is encountered only if the source zone is specified in the "From" field. No error should occur if only the destination zone is specified in the "To" field or if nothing is specified.
Environment
- Panorama (M-Series, VM Panorama)
- PAN-OS 11.1.x
- "test security policy" feature
Cause
- Software Issue
Resolution
- The issue is resolved under PAN-257961 in PAN-OS 11.1.5.
- Upgrading to the above release or higher will resolve the issue.