Disabled Panorama Security Policy Rules Not Seen on Firewall


Created On 04/11/19 12:36 PM - Last Modified 04/12/19 16:56 PM


Symptom


  • Disabled security policy rules on Panorama are not seen on the managed firewall.
  • Security policy rules configured locally and disabled are seen.
  • Original configuration on the firewall: [screenshot of the firewall rulebase]
  • If you see the same view as the picture above, then the locally disabled policy is seen.
  • Now, Panorama rule 2 is disabled on Panorama, committed, and pushed to the managed firewall.
  • Here is a view of the Panorama configuration: [screenshot: Panorama configuration]
  • The disabled rule is visible in the Panorama web interface.
  • Firewall configuration after the change above: [screenshot: firewall configuration after commit]
  • Panorama rule 2 is not seen on the firewall.


Resolution


When a rule is disabled in a local rulebase, it is disabled on commit but remains in the configuration. When a rule is disabled in a pre- or post-rulebase pushed from Panorama, the disabled rule is removed from the pushed configuration when a commit-all is performed; disabled policies cannot be pushed to devices from Panorama. This is by design and helps keep the rule count below the device's rule limit during the limit check.
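The following audit script is an added example, not part of this article or of any Palo Alto Networks tool. It parses a constructed Panorama device-group fragment laid out like the PAN-OS XML config (pre-rulebase/post-rulebase, security/rules/entry, a disabled element with value "yes"), predicts which rules survive a commit-all, and separates rules missing from the firewall by design (disabled in Panorama) from rules missing unexpectedly, which is the case worth investigating. The device-group name and rule names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed Panorama device-group fragment (not a real export). The element
# layout mirrors the PAN-OS XML config; "Panorama rule 2" carries <disabled>yes</disabled>.
PANORAMA_DG_XML = """
<device-group>
  <entry name="branch-dg">
    <pre-rulebase><security><rules>
      <entry name="Panorama rule 1"><action>allow</action></entry>
      <entry name="Panorama rule 2"><action>allow</action><disabled>yes</disabled></entry>
      <entry name="Panorama rule 3"><action>deny</action><disabled>no</disabled></entry>
    </rules></security></pre-rulebase>
    <post-rulebase><security><rules>
      <entry name="Panorama cleanup"><action>deny</action></entry>
    </rules></security></post-rulebase>
  </entry>
</device-group>
"""

def is_disabled(rule):
    """A rule is disabled only when its <disabled> element reads "yes"."""
    node = rule.find("disabled")
    return node is not None and (node.text or "").strip().lower() == "yes"

def predict_push(dg_xml, device_group):
    """Return (pushed, dropped): rules that will appear on the managed firewall
    after commit-all, and rules Panorama omits because they are disabled."""
    root = ET.fromstring(dg_xml)
    dg = root.find(f"./entry[@name='{device_group}']")
    if dg is None:
        raise ValueError(f"device group {device_group!r} not found")
    pushed, dropped = [], []
    for rulebase in ("pre-rulebase", "post-rulebase"):
        for rule in dg.findall(f"./{rulebase}/security/rules/entry"):
            label = f"{rulebase}:{rule.get('name')}"
            (dropped if is_disabled(rule) else pushed).append(label)
    return pushed, dropped

def audit_firewall(dg_xml, device_group, firewall_rule_names):
    """Compare the predicted push against the rule names actually present on the
    firewall. Missing disabled rules are expected; missing enabled rules are not."""
    pushed, dropped = predict_push(dg_xml, device_group)
    present = set(firewall_rule_names)
    name = lambda label: label.split(":", 1)[1]
    return {
        "missing_by_design": [r for r in dropped if name(r) not in present],
        "missing_unexpectedly": [r for r in pushed if name(r) not in present],
    }

if __name__ == "__main__":
    # Constructed firewall view: exactly what the article's screenshots show.
    print(audit_firewall(PANORAMA_DG_XML, "branch-dg",
                         ["Panorama rule 1", "Panorama rule 3", "Panorama cleanup"]))
```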
