In this post I will detail how to resolve the Palo Alto commit error when trying to commit a predefined IP list.
Below is an example of the error
Validation Error:
external-list -> Palo Alto Networks Tor exit IP Addresses -> type -> predefined-ip -> url 'panw-torexit-ip-list' is not a valid reference
external-list -> Palo Alto Networks Tor exit IP Addresses -> type -> predefined-ip -> url is invalid
I’ve commonly ran into the issue on a fresh Palo Alto setup right after loading the day 1 configuration and trying to make that commit.
Here is step-by-step how to fix the predefined IP list error.
- Login to the Palo Alto firewall.
- Click on Device
- Click on Dynamic Updates
On a very fresh setup nothing will likely be listed in the dynamic updates. This is why we get the commit error as some of the predefined IP lists are delivered via dynamic updates.
- Click Check Now to populate the list of available dynamic updates.
- Click on Download for the newest Antivirus.
- Click on Install for the Antivirus that we just downloaded.
Once the Antivirus is installed the dynamic update section will look something like this.
- Now you can commit without the predefined IP list error.
That’s all it takes to resolve the commit error when trying to commit a predefined IP list.
Palo Alto used to have an article about the fix and it was called “Commit Validation Error: ‘panw-xxxxx-ip-list’ is not an allowed keyword” but that article doesn’t work anymore for some reason if it is ever fixed this was the url https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004Nh7CAE