Creation and removal of security rules and DAGs in Panorama results in null reference errors

[abeeson]

Describe the bug

Creation and removal of security rules and DAGs in Panorama results in null reference errors that can only be fixed with a management server process restart.

This issue appears to occur when you create and remove a series of security rules in a group, whilst using DAGs on those rules.

I have a case open with Palo Alto for this (NTT SVR127593239 and PAN-179059) and they've identified an issue with the MongoDB cache not being cleaned up properly during calls to the XML API where OR is used, resulting in the reference errors.

I'm pursuing them for a fix on this, but as a workaround migrating these calls to individual deletes without using OR, or migrating to the REST API instead of the XML would also remove this problem.

Expected behavior

apply and destroy should work without issue

Current behavior

Creation of resources that meet certain conditions then results in a broken panorama when a destroy is run.

Possible solution

See above - I expect the real fix is on the Panorama end, to handle the OR XML delete properly.

Steps to reproduce

I'll attach a terraform config to replicate this.

1. terraform apply
2. commit on panorama (I can't recall if this was required, I believe so)
3. terraform destroy
4. Note errors containing reference error to nothing

Screenshots

Not currently available, but I can dig them up if required.

Context

Removal of applications set up in our data centre now requires an additional step of restarting the entire panorama management process when they have to be removed. This is not a common occurrence however.

Your Environment

• Version used: Panorama 9.x and 10.x, seen only various terraform versions
• Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3): Nothing specific of note
• Operating System and version (desktop or mobile): various
• Link to your project: n/a

[welcome-to-palo-alto-networks[bot]]

:tada: Thanks for opening your first issue here! Welcome to the community!

[abeeson]

Test files are provided here and should contain the minimum required to replicate this.

providers.tf.txt pano-terraform-issue.tf.txt versions.tf.txt

[abeeson]

Palo engineering are working on a fix for this, but their approach appears to be removing the ability to have OR in XPATH calls.

This will have major impacts on Terraform's current operations and is referenced in PA TAC Case#: 01856318

The listed versions this will be in is 10.0.10 and 10.1.5 at this point.