Commit Validation Error: GlobalProtect

Created On 05/14/20 00:19 AM - Last Modified 08/05/20 21:54 PM


Symptom


When downgrading the firewall from one main release of PAN-OS to another main release, a commit/validation error occurs for GlobalProtect.
The error appears when either committing the configuration or validating it using Commit > Validate Commit.


Environment


  • PAN-OS 9.1.x and below.
  • Palo Alto Firewall.
  • GlobalProtect configured with non-default portal agent settings.


Cause


  • The schema may differ between main releases. The problem can be tracked down by following the path referenced in the validation error log. In this case, the error is caused by a setting in the GUI under Network > Portals > Agent > App:
  • "Allow User to Uninstall GlobalProtect App (Windows Only)" is set to "Allow with Password."
  • Depending on the version being downgraded to, other validation errors could occur because of other app configurations (like those highlighted in blue in the screenshot, and others not captured here).


Resolution


  1. Delete the app settings from the CLI:
FW1> configure
FW1# delete vsys vsys2 global-protect global-protect-portal <portal> client-config configs <name> agent-ui
FW1# exit
Note: If multiple virtual systems (VSYS) are not configured, omit the vsys parameter.
 
  2. A commit, or a validation of the commit using GUI: Commit > Validate Commit, will now succeed.

 


Additional Information


After a commit is completed, some of the agent app settings will be restored to their defaults.

These and any other settings that may have been removed will require reconfiguration. Hence it is recommended to take note of all app configurations beforehand.
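
One way to take that note before running the delete, as an added example (not Palo Alto Networks code): the script below reads an exported configuration XML and records everything under each portal client config's agent-ui node, along with the matching delete command from the resolution step. It assumes a multi-vsys export whose XML layout mirrors the CLI path; the sample document and the element names under agent-ui are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real firewall. Element names under
# <agent-ui> are placeholders; the surrounding layout is assumed to mirror
# the CLI path used in the resolution step.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys>
  <entry name="vsys2"><global-protect><global-protect-portal>
    <entry name="portal-a"><client-config><configs>
      <entry name="cfg-1"><agent-ui>
        <placeholder-setting-one>with-password</placeholder-setting-one>
        <placeholder-group><placeholder-setting-two>5</placeholder-setting-two></placeholder-group>
      </agent-ui></entry>
      <entry name="cfg-2"/>
    </configs></client-config></entry>
  </global-protect-portal></global-protect></entry>
</vsys></entry></devices></config>
"""

def flatten(elem, prefix=""):
    """Yield (path, value) for every leaf element below elem."""
    for child in elem:
        name = child.get("name")
        path = f"{prefix}/{child.tag}" + (f"[{name}]" if name else "")
        if len(child):
            yield from flatten(child, path)
        else:
            yield path.lstrip("/"), (child.text or "").strip()

def snapshot_agent_ui(xml_text):
    """Return one record per client config that carries an agent-ui node."""
    root = ET.fromstring(xml_text)
    records = []
    for vs in root.findall("devices/entry/vsys/entry"):
        for portal in vs.findall("global-protect/global-protect-portal/entry"):
            for cfg in portal.findall("client-config/configs/entry"):
                ui = cfg.find("agent-ui")
                if ui is None:
                    continue  # nothing to lose for this client config
                v, p, c = vs.get("name"), portal.get("name"), cfg.get("name")
                records.append({
                    "vsys": v, "portal": p, "config": c,
                    "settings": dict(flatten(ui)),
                    "delete_cmd": f"delete vsys {v} global-protect "
                                  f"global-protect-portal {p} client-config configs {c} agent-ui",
                })
    return records

if __name__ == "__main__":
    for rec in snapshot_agent_ui(SAMPLE_CONFIG):
        print(rec["delete_cmd"])
        for key, value in rec["settings"].items():
            print(f"  {key} = {value}")
```

Keep the output with the change record so the removed settings can be re-entered after the commit.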

