Skip to main content

200101 - Failed to Create Address Object

Agent error code #200101 indicates that the Knocknoc agent was unable to create an address object on the Palo Alto Networks firewall. This error occurs when using Active mode: TODOmode, where Knocknoc directly manages address objects and address groups on the firewall.

When granting access, the agent creates an address object representing the IP address being granted. This address object is then added to the configured address group, which is referenced by firewall security policies. The address object is named using the format auto-<username>-<ip>.

This error typically occurs when:

  • The API key lacks permission to create address objects in the configured device group or virtual system (vsys)
  • The specified device group or virtual system does not exist or is inaccessible
  • The firewall has reached its maximum limit for address objects
  • Network connectivity issues prevented the API request from completing successfully

Steps to Resolve

Verify API Key Permissions

The API key must have permission to create address objects in the configured location (device group or vsys):

  1. Log into Panorama or the firewall's web interface
  2. Navigate to Device > Admin Roles and locate the role assigned to the admin account used to generate the API key
  3. Verify the admin role has write access to address objects (REST API Objects > Addresses)

For more details on API key configuration, see the Palo Alto setup guide: TODOguide.

Palo alto API key permissions

Verify Device Group or Virtual System Configuration

When using Panorama, ensure the device group is correctly configured:

  1. In Knocknoc, check the device group setting in the backend configuration
  2. In Panorama, navigate to Panorama > Device Groups and verify the device group exists
  3. Ensure the device group name in Knocknoc matches exactly (case-sensitive)

When connecting directly to a firewall, if virtual systems are in use, ensure the virtual system is correctly configured:

  1. In Knocknoc, check the vsys setting in the backend configuration
  2. On the firewall, navigate to Device > Virtual Systems and verify the vsys exists
  3. Ensure the vsys name in Knocknoc matches exactly (e.g., "vsys1")

Check Address Object Limits

Palo Alto Networks firewalls have limits on the number of address objects that can be created. The specific limit varies by platform and PAN-OS version. Check the limit for the specific firewall model in use.

To see the current number of addresses:

  1. Log into the firewall or Panorama web interface
  2. Navigate to Objects > Addresses within the appropriate device group or vsys
  3. Review the total number of address objects
  4. If the firewall is approaching its limit, consider removing unused address objects

Check Network Connectivity

Verify that the agent can reach the firewall or Panorama management interface:

  1. Confirm the hostname or IP address in the backend configuration is correct
  2. Verify that the management port (typically 443) is accessible from the agent
  3. Check for any firewall rules or network policies that may be blocking the connection

Ensure Changes are Committed and Pushed

For Panorama-managed firewalls, configuration changes must be committed and pushed to devices before they take effect:

  1. In Panorama, commit any pending changes
  2. Use Commit > Push to Devices to push the configuration to the managed firewalls

Palo alto API key permissions

Still Having Issues?

We can help you out, contact us at support@knocknoc.io.

Back to top