Panorama template changes (such zone & virtual-router) are not getting pushed to the managed firewall devices

Panorama template changes (such zone & virtual-router) are not getting pushed to the managed firewall devices

4632
Created On 01/08/25 05:16 AM - Last Modified 10/15/25 18:02 PM


Symptom


  • Single VSYS FW managed by Panorama 
  • Template changes (such zone & VR) that are pushed from the panorama are not reflected on the FW 
  • The behavior is observed on FW PA-5400 and PA-5200 

Environment


  • Palo Alto Networks PA-5400 and PA-5200 series Firewalls
  • Supported PAN-OS
  • Panorama Managed

Cause


  • The issue is that when you import config from a single-vsys device to panorama, the default-vsys is not set for the template, default-vsys is setting to None.
  • If default-vsys is none, when we push config to device, we don't know which vsys to push, so it will skip pushing the config.

Resolution


Permanent Fix:

Upgrade the device to fixed PAN-OS version 10.2.14, 11.2.7, 11.1.11, 12.2.0

Workaround:

Set template/template-stack 'default VSYS' to vsys1 or vsys's alias name as default vsys must be set and it cannot be left as None.

CLI : 

Set the template default vsys 
> configure
# set template "template name" settings default-vsys vsys1

Check the default vsys setting 
> configure
# show template "template name" settings

GUI : 
Change the Default vsys settings from None to vsys1 or vsys's alias name
default-vsys-setting

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sdAmCAI&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language