Cannot Remove Targeted Device Serial Number From Rule
Created On 02/11/25 20:45 PM - Last Modified 04/07/25 21:10 PM
Symptom
- The user is unable to view the decommissioned device serial number in the UI while trying to modify security and decryption rules.
- The decommissioned devices' serial numbers are present in the rules, but they are not visible in the Panorama UI.
- The user is unable to remove the decommissioned devices' serial numbers from the shared rules.
- Validation Error on commit
- shared -> pre-rulebase -> security -> rules -> <ruleName> -> target -> devices -> <serialNumber> is not a valid reference
- shared -> pre-rulebase -> security -> rules -> <ruleName> -> target -> devices is invalid
NOTE: A similar validation error can occur for any pre- or post-rulebase rule (security, decryption, etc.).
Environment
- Any Panorama
- Supported PAN-OS
Cause
- The Panorama UI does not display the serial numbers associated with the rules, preventing direct removal of the decommissioned device serial numbers.
- Since the serial numbers are not displayed, the users cannot remove the decommissioned devices from the shared rules.
Resolution
Remove the serial number from the rules through the CLI
- Log into CLI.
- Switch to configure mode.
> configure
- (Optional) Check rule for targeted devices
# show shared (pre-rulebase/post-rulebase) (security/decryption) rules {ruleName} target devices
- Use the command on each rule and for each serial number.
# delete shared (pre-rulebase/post-rulebase) (security/decryption) rules {ruleName} target devices {serialNumber}
- Complete commit to apply changes.