Why security policies referring to different EDL objects generate shadow warnings on Validate Commit

Created On 12/20/19 04:57 AM - Last Modified 10/13/23 04:29 AM


Question


Why do security policies referring to different EDL objects generate shadow warnings on "Validate Commit" when the list entries in the EDL objects are completely different?

Below are two security policies referring to two different EDL objects, with all other fields identical:

User-added image

"Validate Commit" validates whether the firewall configuration has correct syntax and is semantically complete.
If the user chooses to perform "Validate Commit":

User-added image

The following warnings are seen:

User-added image

Whereas a Commit job does not generate such warnings.

User-added image


Environment


An external dynamic list (EDL) is an address object that imports a list of IP addresses, URLs, or domain names that you can use in policies to block or allow traffic.

Below are the two EDL objects of type IP:

User-added image

Checking the list entries confirms that the two EDL objects have different IP lists:

User-added image

User-added image


Answer


The above behaviour is expected because the "Validate Commit" job runs only the phase0 and phase1 stages of the Commit process.
During phase0 and phase1, EDL objects are not expanded, so shadow warnings are generated whenever all other fields of the security policies are identical.
On performing a Commit, phase2 also runs, which expands the EDL objects; the warnings are then avoided because the EDL objects have different IP lists.
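As an added illustration, not code from this article or from PAN-OS: a small Python model of a shadow check run before EDL expansion (phase0/phase1) versus after expansion (phase2). Rule names, EDL names and addresses are constructed, and treating an unexpanded EDL reference as an opaque placeholder with unknown contents is an assumption about the mechanism the article describes.

```python
from ipaddress import ip_network

# Constructed EDL objects of type IP: same type, different member lists.
EDLS = {
    "EDL-Block-A": ["198.51.100.10/32", "198.51.100.11/32"],
    "EDL-Block-B": ["203.0.113.5/32"],
}

# Constructed security rules; rule-1 and rule-2 differ only in the EDL they reference.
RULES = [
    {"name": "rule-1", "src": "EDL-Block-A", "dst": "any", "app": "any"},
    {"name": "rule-2", "src": "EDL-Block-B", "dst": "any", "app": "any"},
    {"name": "rule-3", "src": "EDL-Block-A", "dst": "any", "app": "any"},
]
MATCH_FIELDS = ("src", "dst", "app")
UNRESOLVED = "<unresolved-edl>"  # assumption: EDL contents are unknown before phase2

def resolve(value, expanded):
    """Turn a rule field into a set the shadow check can compare.
    Before expansion (phase0/phase1) an EDL reference is an opaque
    placeholder; after expansion (phase2) it is its member prefixes."""
    if value in EDLS:
        if expanded:
            return frozenset(ip_network(p) for p in EDLS[value])
        return frozenset({UNRESOLVED})
    return frozenset({value})

def covers(earlier, later, expanded):
    """True when every match field of `earlier` includes `later`'s, i.e.
    `later` can never be hit and is therefore shadowed."""
    for field in MATCH_FIELDS:
        a = resolve(earlier[field], expanded)
        b = resolve(later[field], expanded)
        if a == frozenset({"any"}):
            continue  # 'any' matches everything in this field
        if not b <= a:
            return False
    return True

def shadow_warnings(rules, expanded):
    """Report each rule shadowed by an earlier rule in the ordered rulebase."""
    warnings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later, expanded):
                warnings.append(f"{later['name']} is shadowed by {earlier['name']}")
                break
    return warnings
```

Calling `shadow_warnings(RULES, expanded=False)` reports rule-2 as shadowed (the validate-style result), while `shadow_warnings(RULES, expanded=True)` reports only rule-3, which genuinely repeats rule-1's object.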


Additional Information


A similar warning will be seen on Panorama when performing "Validate Device Group push" and "Validate template push" for any managed firewall, whether the security policies referring to EDL objects are configured locally on the firewall or pushed from Panorama:

User-added image

A push operation performed on Panorama triggers a "Commit All" job on the firewall and does not result in shadow warnings.

