Skip to main content

200100 - Failed to Check if Address Exists

Agent error code #200100 indicates that the Knocknoc agent was unable to verify whether an address object exists on the Palo Alto Networks firewall. This error occurs when using Active mode, where Knocknoc directly manages address objects and address groups on the firewall.

This error typically occurs when:

  • The API key lacks permission to read address objects
  • The specified device group or virtual system (vsys) does not exist or is inaccessible
  • Network connectivity issues prevented the API request from completing successfully

Steps to Resolve

Verify API Key Permissions

The API key must have permission to read address objects in the configured location (device group or vsys):

  1. Log into Panorama or the firewall's web interface
  2. Navigate to Device > Admin Roles and locate the role used for the admin account used to generate the API key
  3. Verify the admin role in use has read access to address objects (REST API Objects > Addresses, Objects > Address Groups, and Objects > External Dynamic Lists)

For more details on API key configuration, see the Palo Alto setup guide.

Palo alto API key permissions

Verify Device Group or Virtual System Configuration

When using Panorama, ensure the device group is correctly configured:

  1. In Knocknoc, check the device group setting in the backend configuration
  2. In Panorama, navigate to Panorama > Device Groups and verify the device group exists
  3. Ensure the device group name in Knocknoc matches exactly (case-sensitive)

When connecting directly to a firewall, if virtual systems are in use, ensure the virtual system is correctly configured:

  1. In Knocknoc, check the vsys setting in the backend configuration
  2. On the firewall, navigate to Device > Virtual Systems and verify the vsys exists
  3. Ensure the vsys name in Knocknoc matches exactly (e.g., "vsys1")

Check Network Connectivity

Verify that the agent can reach the firewall or Panorama management interface:

  1. Confirm the hostname or IP address in the backend configuration is correct
  2. Verify that the management port (typically 443) is accessible from the agent
  3. Check for any firewall rules or network policies that may be blocking the connection

Verify the Address Group Exists

The address group specified in the ACL configuration must exist on the firewall:

  1. In Panorama, navigate to Objects > Address Groups within the appropriate device group
  2. On a standalone firewall, navigate to Objects > Address Groups within the appropriate vsys
  3. Verify the address group name in Knocknoc matches an existing static address group

For more details on configuring address groups, see the Palo Alto setup guide.

Still Having Issues?

We can help you out, contact us at support@knocknoc.io.

Back to top