Firewall Commit Validation Error "group-tag unexpected here"
Created On 05/11/20 19:35 PM - Last Modified 05/19/20 02:12 AM
Symptom
Firewall commit failed, reporting the validation error "group-tag unexpected here".
After downgrading the firewall from PAN-OS 9.0.x to 8.1.x, the firewall failed to commit with the following validation error:
> show jobs id 2
Enqueued Dequeued ID Type Status Result Completed
--------------------------------------------------------------------------
xxxx HH:MM:SS 2 Commit FIN FAIL HH:MM:SS
Warnings:
Details:Validation Error:
rulebase -> security -> rules -> Trust-to-Untrust -> group-tag unexpected here
rulebase -> security -> rules is invalid
Environment
- PAN-OS 8.1.x
- Palo Alto Firewall.
- Downgrade from 9.0.x to 8.1.x
Cause
The PAN-OS downgrade from 9.x to 8.1.x was performed while a "group-tag" was assigned to a security policy or NAT policy rule in PAN-OS 9.x.
Starting with PAN-OS 9.0, a new group tag option was added to efficiently manage large sets of related rules within any policy rulebase. This group tag configuration option is not available prior to PAN-OS 9.0.
If a firewall running PAN-OS 8.1.x attempts to load a configuration saved under PAN-OS 9.x that contains group tag configuration, the commit fails because PAN-OS 8.1.x does not understand the configuration syntax (i.e. group-tag):
set rulebase security rules Trust-to-Untrust tag permit
...
set rulebase security rules Trust-to-Untrust group-tag permit-grp <<<
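A pre-downgrade check, added here as an example and not part of the original article or of any PAN-OS tool: it scans a saved 9.x XML configuration for rules that carry the group-tag element and reports them in the same path form as the commit validation error. The XML layout (devices/entry/vsys/entry/rulebase/security|nat/rules/entry/group-tag) and the sample fragment are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS 9.x configuration fragment (not a real device
# export): two rules carry the 9.0-only "group-tag" element, one does not.
SAMPLE_CONFIG = """<config version="9.0.0">
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase>
      <security><rules>
        <entry name="Trust-to-Untrust">
          <tag><member>permit</member></tag>
          <group-tag>permit-grp</group-tag>
        </entry>
        <entry name="Deny-All"/>
      </rules></security>
      <nat><rules>
        <entry name="Outbound-NAT"><group-tag>nat-grp</group-tag></entry>
      </rules></nat>
    </rulebase>
  </entry></vsys></entry></devices>
</config>"""

RULEBASES = ("security", "nat")  # rulebases where 9.x allows a group-tag


def find_group_tags(config_xml):
    """Return (vsys, rulebase, rule_name, group_tag) for every rule entry
    that carries a group-tag element. Assumes the layout
    devices/entry/vsys/entry/rulebase/<rulebase>/rules/entry/group-tag."""
    root = ET.fromstring(config_xml)
    hits = []
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        for rb in RULEBASES:
            for rule in vsys.iterfind(f"./rulebase/{rb}/rules/entry"):
                gt = rule.find("group-tag")
                if gt is not None:
                    tag = (gt.text or "").strip()
                    hits.append((vsys.get("name"), rb, rule.get("name"), tag))
    return hits


def downgrade_safe(config_xml):
    """True when no rule carries a group-tag, i.e. 8.1.x can load the config."""
    return not find_group_tags(config_xml)


def report(config_xml):
    """Print one line per offending rule in the 'show jobs' error path form."""
    for vsys, rb, rule, tag in find_group_tags(config_xml):
        print(f"{vsys}: rulebase -> {rb} -> rules -> {rule} -> group-tag ({tag})")


if __name__ == "__main__":
    report(SAMPLE_CONFIG)
```

Run it against the snapshot exported from the 9.x firewall; any reported rule must have its group-tag removed (or the snapshot replaced by one saved without group tags) before the 8.1.x image is installed.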
Resolution
- Upgrade the affected firewall from PAN-OS 8.1.x to 9.x with its latest configuration before performing the PAN-OS downgrade.
- Save configuration snapshot while on PAN-OS 9.x.
Firewall (PAN-OS 9.x) : Device > Setup > Operations > (Save named configuration snapshot) > ex: config-9x.xml
- To downgrade to PAN-OS 8.1.x, reinstall PAN-OS 8.1.x and select the proper saved configuration (ex: config-9x.xml) during the install.
Firewall (PAN-OS 9.x) > During Install 8.1.x > Select A Config File for Downgrading > Name: config-9x.xml > OK
- Reboot the firewall after the PAN-OS 8.1.x image is installed.
Additional Information
Note:
This problem can be triggered in one of the following conditions:
1. Performing a commit after importing a 9.x device state into a firewall running PAN-OS 8.1.x.
2. Selecting an incorrect configuration file (one saved with group-tag configuration) during the PAN-OS downgrade.