Firewall Commit Validation Error "group-tag unexpected here"

Created On 05/11/20 19:35 PM - Last Modified 05/19/20 02:12 AM


Symptom


A firewall commit fails with the validation error "group-tag unexpected here".
After downgrading the firewall from PAN-OS 9.0.x to 8.1.x, the commit failed with the following validation error:

> show jobs id 2

Enqueued  Dequeued     ID    Type                Status Result Completed 
--------------------------------------------------------------------------
xxxx      HH:MM:SS     2    Commit                 FIN   FAIL  HH:MM:SS  
Warnings:
Details:Validation Error:
 rulebase -> security -> rules -> Trust-to-Untrust -> group-tag unexpected here
 rulebase -> security -> rules is invalid

Environment


  • PAN-OS 8.1.x
  • Palo Alto Networks firewall
  • Downgrade from PAN-OS 9.0.x to 8.1.x


Cause


A PAN-OS downgrade from 9.x to 8.1.x is performed while a "group-tag" is assigned to a security policy or NAT policy rule in the PAN-OS 9.x configuration.

Starting with PAN-OS 9.0, a new group tag option was added to efficiently manage large sets of related rules within any policy rulebase. This group tag configuration option is not available prior to PAN-OS 9.0.

If a firewall running PAN-OS 8.1.x attempts to load a configuration saved under PAN-OS 9.x that contains group tag configuration, the commit fails because PAN-OS 8.1.x does not understand the configuration syntax (i.e. group-tag):

set rulebase security rules Trust-to-Untrust tag permit
...
set rulebase security rules Trust-to-Untrust group-tag permit-grp    <<<
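A pre-downgrade check for the condition described above, added here as an example and not part of the article or of any Palo Alto Networks tool. It assumes the XML layout implied by the "set" path (rulebase/security|nat/rules/entry/group-tag), uses a constructed sample snapshot, and reports every rule that would trip the 8.1.x validator; it can also strip those elements from a copy of the snapshot.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of a PAN-OS 9.x XML snapshot. The element
# layout (rulebase/<type>/rules/entry/group-tag) is an assumption derived from
# the article's "set rulebase security rules ... group-tag" path.
SAMPLE_CONFIG = """<config version="9.0.0">
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <rulebase>
      <security><rules>
        <entry name="Trust-to-Untrust">
          <tag><member>permit</member></tag>
          <group-tag>permit-grp</group-tag>
          <action>allow</action>
        </entry>
        <entry name="Deny-All"><action>deny</action></entry>
      </rules></security>
      <nat><rules>
        <entry name="Outbound-NAT"><group-tag>nat-grp</group-tag></entry>
      </rules></nat>
    </rulebase>
  </entry></vsys></entry></devices>
</config>"""

RULEBASES = ("security", "nat")  # the rulebases the article names

def find_group_tags(xml_text):
    """Return [(rulebase, rule name, group-tag value)] for every rule that
    carries a group-tag. A non-empty result means an 8.1.x commit of this
    snapshot would fail with "group-tag unexpected here"."""
    root = ET.fromstring(xml_text)
    hits = []
    for rb in RULEBASES:
        for rule in root.findall(f".//rulebase/{rb}/rules/entry"):
            gt = rule.find("group-tag")
            if gt is not None:
                hits.append((rb, rule.get("name"), (gt.text or "").strip()))
    return hits

def strip_group_tags(xml_text):
    """Return (cleaned XML string, number of group-tag elements removed)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for rb in RULEBASES:
        for rule in root.findall(f".//rulebase/{rb}/rules/entry"):
            for gt in rule.findall("group-tag"):
                rule.remove(gt)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed

if __name__ == "__main__":
    for rb, name, tag in find_group_tags(SAMPLE_CONFIG):
        print(f"rulebase -> {rb} -> rules -> {name} -> group-tag {tag!r}")
    cleaned, n = strip_group_tags(SAMPLE_CONFIG)
    print(f"removed {n} group-tag element(s); remaining: {find_group_tags(cleaned)}")
```

Run it against an exported snapshot before selecting that file for the 8.1.x install; any hit listed is a rule the downgrade procedure in the Resolution section must handle.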

Resolution


  1. Upgrade the affected firewall from PAN-OS 8.1.x to 9.x with its latest configuration prior to performing the PAN-OS downgrade.
  2. Save a configuration snapshot while on PAN-OS 9.x.
     Firewall (PAN-OS 9.x): Device > Setup > Operations > Save named configuration snapshot > ex: config-9x.xml
  3. To downgrade to PAN-OS 8.1.x, reinstall PAN-OS 8.1.x and select the proper saved configuration (ex: config-9x.xml).
     Firewall (PAN-OS 9.x) > During Install 8.1.x > Select A Config File for Downgrading > Name: config-9x.xml > OK
  4. Reboot the firewall after the PAN-OS 8.1.x image is installed.
After the firewall is downgraded to PAN-OS 8.1.x with the above procedure, the "group-tag" configuration from PAN-OS 9.x is removed accordingly, allowing the auto-commit or commit to complete successfully.


Additional Information




Note:
This problem can be triggered under one of the following conditions:
  1. Performing a commit after importing a 9.x device state into a firewall running PAN-OS 8.1.x
  2. Selecting an incorrect configuration file during the PAN-OS downgrade

