Disabled Panorama Security Policy Rules Not Seen on Firewall
17265
Created On 04/11/19 12:36 PM - Last Modified 04/12/19 16:56 PM
Symptom
- Security policy rules that are disabled on Panorama are not seen on the managed firewall.
- Security policy rules that are configured locally on the firewall and disabled are still seen.
- Original configuration on the firewall (screenshot not reproduced here):
- If the firewall shows the same view as the picture above, the locally disabled policy is visible.
- Now, Panorama rule 2 is disabled on Panorama, then committed and pushed to the managed firewall.
- Panorama configuration (screenshot not reproduced here):
- The disabled rule is visible in the Panorama web interface.
- Firewall configuration after the change above (screenshot not reproduced here):
- Panorama rule 2 is not seen on the firewall.
Resolution
When a rule is disabled in a local rulebase, it is disabled when committed but remains in the firewall configuration. When a rule is disabled in a pre- or post-rulebase pushed from Panorama, the disabled policy is removed from the firewall configuration when commit-all is performed. Disabled policies cannot be pushed to devices from Panorama. This is by design and helps keep the rule count down for the platform's rule-limit check.
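The following is an added example, not Palo Alto Networks code, that models the behaviour described above so an auditor can predict what a firewall will show after a commit-all: disabled pre-/post-rulebase rules are dropped, while locally disabled rules stay in the configuration flagged `disabled: yes`. The two XML documents are constructed sample data; the element paths (`device-group/.../pre-rulebase/security/rules/entry` on Panorama, `vsys/.../rulebase/security/rules/entry` on the firewall) follow the PAN-OS configuration layout but are an assumption trimmed to what the example needs, and the device-group and rule names are invented.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

Rule = Tuple[str, bool]  # (rule name, disabled?)

# Constructed sample: Panorama device group with one disabled pre-rule.
PANORAMA_CONFIG = """<config><devices><entry name="localhost.localdomain">
<device-group><entry name="DG-Branch">
  <pre-rulebase><security><rules>
    <entry name="Panorama-rule-1"><action>allow</action></entry>
    <entry name="Panorama-rule-2"><action>deny</action><disabled>yes</disabled></entry>
  </rules></security></pre-rulebase>
  <post-rulebase><security><rules>
    <entry name="Panorama-post-1"><action>deny</action></entry>
  </rules></security></post-rulebase>
</entry></device-group></entry></devices></config>"""

# Constructed sample: firewall local rulebase with one disabled rule.
FIREWALL_CONFIG = """<config><devices><entry name="localhost.localdomain">
<vsys><entry name="vsys1"><rulebase><security><rules>
  <entry name="Local-rule-1"><action>allow</action></entry>
  <entry name="Local-rule-2"><action>allow</action><disabled>yes</disabled></entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""


def _rules_at(root: ET.Element, path: str) -> List[Rule]:
    """Collect (name, disabled) for every rule entry under an XPath."""
    out: List[Rule] = []
    for entry in root.findall(path):
        flag = entry.find("disabled")
        disabled = flag is not None and (flag.text or "").strip().lower() == "yes"
        out.append((entry.get("name", ""), disabled))
    return out


def panorama_rules(xml_text: str, device_group: str) -> Dict[str, List[Rule]]:
    """Pre- and post-rulebase of a device group, as configured on Panorama (assumed path)."""
    root = ET.fromstring(xml_text)
    base = f"./devices/entry/device-group/entry[@name='{device_group}']"
    return {
        "pre": _rules_at(root, base + "/pre-rulebase/security/rules/entry"),
        "post": _rules_at(root, base + "/post-rulebase/security/rules/entry"),
    }


def local_rules(xml_text: str, vsys: str = "vsys1") -> List[Rule]:
    """Locally configured rulebase of a vsys on the firewall (assumed path)."""
    root = ET.fromstring(xml_text)
    return _rules_at(root, f"./devices/entry/vsys/entry[@name='{vsys}']/rulebase/security/rules/entry")


def pushed_rules(pano: Dict[str, List[Rule]]) -> Dict[str, List[Rule]]:
    """Commit-all behaviour from the article: disabled pre/post rules are not pushed at all."""
    return {k: [(n, d) for n, d in v if not d] for k, v in pano.items()}


def firewall_view(pano: Dict[str, List[Rule]], local: List[Rule]) -> List[Rule]:
    """Rulebase order on the firewall: pushed pre-rules, local rules (disabled ones kept), pushed post-rules."""
    pushed = pushed_rules(pano)
    return pushed["pre"] + local + pushed["post"]


def audit(panorama_xml: str, firewall_xml: str, device_group: str, vsys: str = "vsys1") -> Dict[str, object]:
    """Report which Panorama rules will be absent, which local rules stay flagged, and the resulting rule count."""
    pano = panorama_rules(panorama_xml, device_group)
    local = local_rules(firewall_xml, vsys)
    view = firewall_view(pano, local)
    return {
        "missing_from_firewall": [n for n, d in pano["pre"] + pano["post"] if d],
        "local_disabled_on_firewall": [n for n, d in local if d],
        "firewall_rule_names": [n for n, _ in view],
        "rules_counted_on_firewall": len(view),
    }


if __name__ == "__main__":
    for key, value in audit(PANORAMA_CONFIG, FIREWALL_CONFIG, "DG-Branch").items():
        print(f"{key}: {value}")
```

Running it on the sample data shows `Panorama-rule-2` in `missing_from_firewall`, `Local-rule-2` still present on the firewall, and a firewall rule count of 4 rather than 5, which is exactly the discrepancy an operator sees when comparing the Panorama web interface with the managed device. Against real exports, feed the output of the Panorama and firewall configuration exports into `audit()`; anything listed under `missing_from_firewall` is expected and not a failed push.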