After upgrading the multi-vsys Firewall to 11.1.6-h10, Vsys ID is gets changed in a sequence number causing AutoCommit failure

After upgrading the multi-vsys Firewall to 11.1.6-h10, Vsys ID is gets changed in a sequence number causing AutoCommit failure

981
Created On 09/24/25 01:18 AM - Last Modified 10/15/25 02:04 AM


Symptom


  • Multi-Vsys firewall upgraded to 11.1.6-h10.
  • The Vsys ID is gets changed in a sequence number.
  • This causes AutoCommit to fail with a validation error. Example shown below:
<vsys name> (vsys id)
Error: Rulebase 'security'
zone <name> is invalid from rule <name>
Error: Failed to parse security policy
(Module: device)  

 

Environment


  • Panorama managed Firewalls
  • Supported PAN-OS
  • PAN-OS upgrade to version 11.1.6-h10 
  • Multi-Vsys configured

Cause


  • The conversion process broke during the PAN-245064 (11.1.6-h10) regression,
  • Specifically the necessary mapping between the firewall's vsys IDs and Panorama's vsys names.

 

Resolution


  1. This issue is fixed under PAN-298505 and is fixed in PAN-OS versions 11.1.12, 10.2.17, 11.2.10.
  2. Upgrade to the above versions or later will fix the issue.
  3. The issue is also fixed in hotfix versions 11.2.7-h4 , 10.2.16-h4  10.2.13-h16, 11.1.10-h6, 11.1.6-h20 
  4. For an immediate workaround after upgrade, contact Support. 

Additional Information


This issue is not seen if the vsys config were created on the local FW from the beginning and were imported/migrated into the Panorama.

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000fyDHKAY&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail