Describe the bug
Hello,
When creating policies via "panos_panorama_security_rule_group", the "hip_profiles" argument is mandatory, which I promptly set to ["any"].
Committing such policies to Panorama (10.x.x) doesn't cause any problem, but pushes from Panorama to the firewalls (9.1.x) raise an error for "cloned" policies (policies which have different names but are identical in composition).
The error: "hip-profiles is a duplicate node"
This is already raised in the Palo Alto Networks community portal: https://live.paloaltonetworks.com/t5/automation-api-discussions/ansible-created-rules-getting-quot-hip-profiles-is-a-duplicate/m-p/386452#M2560
The solution mentioned in the above link is unrealistic for a production environment, as it involves using the Panorama CLI to delete the HIP profile for each individual rule. Trying this would mean:
1) Figuring out the "clone" policies from the input
2) Terraform apply
3) Invoking the Panorama CLI command for each "clone" rule to delete its HIP profile
Possible solution
What should ideally happen, I think, is that the "hip_profiles" parameter should be optional instead of mandatory. In this case our rules won't have the hip_profile and the commits to the firewalls will succeed.
Steps to reproduce
1) Use the resource "panos_panorama_security_rule_group" to configure two virtually identical rules with different names.
2) Try a commit from Panorama to the firewall device.
Your Environment
Terraform v0.13.6
provider registry.terraform.io/hashicorp/http v2.1.0
provider registry.terraform.io/paloaltonetworks/panos v1.7.1
Panorama PAN-OS 10.0.5
Firewall PAN-OS 9.1.6
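A minimal Terraform configuration that walks through the steps to reproduce above, added here as an example and not taken from the reporter's own code or the provider's documentation. The device group "dg-branch", the zones "trust"/"untrust", the variable names and the two rule names are placeholders; the only argument that matters for the bug is the mandatory hip_profiles set to ["any"] on two rules that differ in nothing but their name.

```hcl
# Added reproduction config (not from the issue). Device group, zones and
# variable names below are placeholders; adjust to an existing Panorama.
variable "panorama_host" {}
variable "panorama_api_key" {}

provider "panos" {
  hostname = var.panorama_host
  api_key  = var.panorama_api_key
}

# Two "cloned" rules: identical composition, different names (constructed).
locals {
  clone_names = ["allow-web-a", "allow-web-b"]
}

resource "panos_panorama_security_rule_group" "clones" {
  device_group     = "dg-branch"
  rulebase         = "pre-rulebase"
  position_keyword = "bottom"

  # One rule block per name; every attribute except "name" is the same.
  dynamic "rule" {
    for_each = local.clone_names
    content {
      name                  = rule.value
      source_zones          = ["trust"]
      source_addresses      = ["any"]
      source_users          = ["any"]
      # Required by provider v1.7.1, so both rules carry it. Panorama 10.x
      # commits fine; the push to a 9.1.x firewall fails with
      # "hip-profiles is a duplicate node" for the second, identical rule.
      hip_profiles          = ["any"]
      destination_zones     = ["untrust"]
      destination_addresses = ["any"]
      applications          = ["web-browsing", "ssl"]
      services              = ["application-default"]
      categories            = ["any"]
      action                = "allow"
    }
  }
}
```

After `terraform apply`, a Panorama commit succeeds and the push to the 9.1.x device reports the duplicate-node error for the second rule; removing one of the two names from local.clone_names makes the push go through, which isolates the problem to the cloned hip_profiles node rather than to the rule contents.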