Can't commit changes due to error message "Error: Profile compiler: cannot find tid 40006 in threat database."

Created On 07/23/19 04:03 AM - Last Modified 07/31/19 01:29 AM


Symptom


When trying to commit, the following error appears: 
Error: Profile compiler : can not find tid 40006 in threat database


Environment


  • Can affect any PAN-OS release
  • Firewall
  • Panorama


Cause


Threat database ID 40006 is no longer supported because it falls outside the supported dynamic content (Apps and Threats) range.

Resolution


To clear the commit error, the Vulnerability Profile associated with threat-exception 40006 needs to be removed from the running configuration.

There are two ways to remove this threat exception:

Method 1 - GUI
  1. From the GUI, go to Objects > Security Profiles > Vulnerability Protection > [Name of Vulnerability Protection Profile] > Exceptions
  2. Use the Global search tool to find the security profile associated with the 40006 vulnerability ID range

Method 2 - CLI
  1. From the CLI, change the configuration output to set format
admin@Lab64-96-PA-5060> set cli config-output-format set

  2. Go into configure mode and search for the Threat ID number
admin@Lab64-96-PA-5060> set cli config-output-format set
admin@Lab64-96-PA-5060> configure
Entering configuration mode
[edit]
admin@Lab64-96-PA-5060# show | match 40006

Example:
set vsys vsys1 profiles vulnerability PortalZone threat-exception 40006 action default
set vsys vsys1 profiles vulnerability PortalZone threat-exception 40006 time-attribute interval 60
set vsys vsys1 profiles vulnerability PortalZone threat-exception 40006 time-attribute threshold 100
set vsys vsys1 profiles vulnerability PortalZone threat-exception 40006 time-attribute track-by source-and-destination
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 action default
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 time-attribute interval 60
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 time-attribute threshold 100
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 time-attribute track-by source-and-destination
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 exempt-ip 10.189.201.4
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 exempt-ip 10.189.201.5
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 exempt-ip 10.249.200.115

  3. Delete the configuration from the CLI
[edit] 
admin@Lab64-96-PA-5060# delete vsys vsys1 profiles vulnerability PortalZone threat-exception 40006
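
An added example, not part of the original article or of Palo Alto Networks tooling: `show | match 40006` is a substring match, and the sample output above lists the exception under both PortalZone and CP_Internet while the delete step shows only one of them. This Python helper reads saved set-format output and emits one delete line per profile that holds exactly threat-exception 40006; the function name, the handling of double-quoted profile names and the last three sample lines are assumptions constructed for illustration.

```python
import re

# First three lines are taken from the article's example output. The last
# three are constructed to show a quoted profile name and two substring
# hits that `match 40006` would also return.
SAMPLE = '''\
set vsys vsys1 profiles vulnerability PortalZone threat-exception 40006 action default
set vsys vsys1 profiles vulnerability PortalZone threat-exception 40006 time-attribute interval 60
set vsys vsys1 profiles vulnerability CP_Internet threat-exception 40006 exempt-ip 10.189.201.4
set vsys vsys1 profiles vulnerability "Branch Office" threat-exception 40006 action default
set vsys vsys1 profiles vulnerability Lab threat-exception 140006 action default
set vsys vsys1 service tcp-40006 protocol tcp port 40006
'''


def delete_commands(config_text, tid):
    """Return one `delete` line per profile that holds threat-exception <tid>."""
    # Capture the path up to and including the exception node. The profile
    # name is either a bare token or a double-quoted string (assumption).
    pattern = re.compile(
        r'^set\s+(.+?\s+profiles\s+vulnerability\s+(?:"[^"]+"|\S+)'
        r'\s+threat-exception\s+' + re.escape(str(tid)) + r')(?=\s|$)'
    )
    seen, commands = set(), []
    for line in config_text.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue  # other TIDs, ports and object names end up here
        path = m.group(1)
        if path not in seen:  # many set lines collapse into one delete
            seen.add(path)
            commands.append("delete " + path)
    return commands


if __name__ == "__main__":
    for cmd in delete_commands(SAMPLE, 40006):
        print(cmd)
```

Review the generated lines before pasting them into configure mode, then commit.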

 


Additional Information


For more information on supported threat ID ranges, see the document Threat ID Ranges in the Palo Alto Networks Content Database.


