Commit failing with invalid fqdn format after upgrade to PAN-OS 9.1.1
8945
Created On 04/03/20 16:55 PM - Last Modified 05/03/24 20:04 PM
Symptom
- Commit failed after upgrading to PAN-OS 9.1.1 with error invalid FQDN format (.xxxx)
- Issue Observed with panorama and managed firewall where the same format was working prior to the upgrade to 9.1.1.
- Error message is seen similar to the one shown below.
Validation Error:
vsys -> vsys1 -> address -> xxxx.io -> fqdn '.xxxx.io' is invalid
vsys -> vsys1 -> address -> xxxx.io -> fqdn is invalid
Commit failed
Environment
- Any Panorama
- Any Palo Alto Firewall.
- Address Object/FQDN
- PAN-OS 9.1.1
Cause
- FQDN cannot start with '.' (dot) and so '.xxxx' is an invalid FQDN.
- In the Pre 9.1.1 releases, these bad domains will pass commit, but fail to resolve and cause feature specific issues. With the latest version, we identify this as early as possible due to the more stringent check to avoid this issue.
Resolution
Check and remove any invalid FQDN address object starting with '.'
Additional Information
with the latest PAN-OS version, we check and do not allow any invalid FQDN which might be allowed to commit historically.