PANOS 11.1 Panorama pushed config not sanitized when off-boarding the firewall from panorama

Replication steps:
1. Firewall is added to and connected to Panorama1. Configuration is pushed via template stack named tpl-1
2. Panorama configuration is removed from the firewall:
 2.1. "Disable Panorama Policy and Objects" with checked "Import Panorama Policy and Objects before disabling"
 2.2. "Disable Device and Network Template" with checked "Import Device and Network Template before disabling"
 2.3. Panorama IP address/es
 2.4. Commit on the firewall
 2.5. "export named configuration snapshot" or "export device state" to a local file for inspection

check the firewall XML configuration from step 2.5:

• PANOS 10.2.x shows no sign of the template 'tpl-1' in the xml file
• PANOS 11.1.x shows the template 'tpl-1' as a part of the configuration in the xml file. This seems not to affect the firewalls, as it shows the config from the template as a local one. However, when the firewall and its configuration are imported to another Panorama, all configurations in the Network and Device tab (sourced from the template to which the device's configuration was imported) refer to be coming from "tpl-1" which makes these configurations read-only.

This applies to 11.1.x, but seems not impacting 10.2.x

• NGFW
• Panorama:
  • PANOS 11.1.x - affected
  • PANOS 10.2.x - not affected

Template info is not removed from the configuration pushed from Panorama to the firewall when converting Panorama pushed configuration to local during the firewall's off-boarding from Panorama process.

At this point the issue is cosmetic - firewall ignores the template tag in XML config file.

Later on, when the firewall is onboarded to the same or another panorama the template tag is honored by Panorama and reflected in the configuration.

Upgrade of the Panorama to the fix version of PAN-286299.

Manual XML file edit can be performed to remove the template tag from the XML configuration file, once the firewall has been off-boarded