Panorama push failed with Validation Error: - vsys -> vsys1 -> application-status -> <application-name> attribute status is missing

Panorama push failed with Validation Error: - vsys -> vsys1 -> application-status -> <application-name> attribute status is missing

8317
Created On 07/03/24 00:10 AM - Last Modified 04/04/25 22:33 PM


Symptom


Push from panorama to managed firewalls fails with error 

Validation Error:
- vsys -> vsys1 -> application-status -> <application-name> attribute status is missing
- vsys - > vsys1 -> application-status is invalid
 

Environment


Panorama
PANOS-10.2.8
PA-5410

Cause


During content upgrade if the checkbox for disable new applications in content update is done and this particular firewall is getting added to Panorama.
After export push next consecutive push will fail since the imported config has the apps disabled on panorama and it will show errors regarding  attribute status is missing and app status invalid.


disable new apps

Resolution


If there are only few applications that are showing disabled in commit fail errors, These apps can be enabled* individually on panorama and can be pushed into the firewall. 
On Panorama CLI 
> request set-application-status-recursive application *application_name* status enabled

If there are lot of applications that need to be enabled 
- Take a snapshot of panorama running configuration.
- Open the config file in text editor and In all the affected device groups replace the application status to enabled as below for all the applications that are showing disabled.

Before :
<application-status>
<entry name="c9-trader" status="disabled"/>
<entry name="jira-downloading" status="disabled"/>
<entry name="jira-editing" status="disabled"/>

After :
<application-status>
<entry name="c9-trader" status="enabled"/>
<entry name="jira-downloading" status="enabled"/>
<entry name="jira-editing" status="enabled"/> 

Note :
-> Doing replace all for disabled to enabled is not recommended in config file as it can enable other features other than Application status. 
-> If it is a multi vsys firewall, changes needs to be done for all the vsys device groups .


- Save the config and load it in panorama and perform a push operation for the device groups after a commit on panorama. 

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000010zBACAY&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language