200102 - Failed to Get Address Group Members

This error indicates that the Knocknoc agent was unable to retrieve the current members of an address group on the Palo Alto Networks firewall. This error occurs when using Active mode, where Knocknoc directly manages address objects and address groups on the firewall.

Before granting or revoking access, the agent reads the current membership of the configured address group. This error is raised when that read operation fails.

This error typically occurs when:

  • The address group configured in Knocknoc does not exist on the firewall or Panorama
  • The API key lacks permission to read address groups in the configured device group or virtual system (vsys)
  • The specified device group or virtual system does not exist or is inaccessible
  • The firewall returned an unexpected or malformed response
  • Network connectivity issues prevented the request from completing successfully

Steps to Resolve

Verify the Address Group Exists

The address group name configured in Knocknoc must match an existing static address group on the firewall:

  1. When using Panorama, navigate to Objects > Address Groups within the appropriate device group
  2. On a standalone firewall, navigate to Objects > Address Groups within the appropriate vsys
  3. Verify the address group name in Knocknoc matches an existing address group exactly (case-sensitive)
  4. Confirm the address group type is Static (not Dynamic)

If the address group does not exist, create it on the firewall or in Panorama before the agent can manage it. For more details on configuring address groups, see the Palo Alto setup guide.

Verify API Key Permissions

The API key must have permission to read address groups in the configured location (device group or vsys):

  1. Log into Panorama or the firewall's web interface
  2. Navigate to Device > Admin Roles and locate the role assigned to the admin account used to generate the API key
  3. Verify the admin role has read access to address groups (REST API Objects > Address Groups)

For more details on API key configuration, see the Palo Alto setup guide.

Verify Device Group or Virtual System Configuration

When using Panorama, ensure the device group is correctly configured:

  1. In Knocknoc, check the device group setting in the backend configuration
  2. In Panorama, navigate to Panorama > Device Groups and verify the device group exists
  3. Ensure the device group name in Knocknoc matches exactly (case-sensitive)

When connecting directly to a firewall, if virtual systems are in use, ensure the virtual system is correctly configured:

  1. In Knocknoc, check the vsys setting in the backend configuration
  2. On the firewall, navigate to Device > Virtual Systems and verify the vsys exists
  3. Ensure the vsys name in Knocknoc matches exactly (e.g., "vsys1")

Check Network Connectivity

Verify that the agent can reach the firewall or Panorama management interface:

  1. Confirm the hostname or IP address in the backend configuration is correct
  2. Verify that the management port (typically 443) is accessible from the agent
  3. Check for any firewall rules or network policies that may be blocking the connection
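
The checks in the steps above can be applied to a captured address-group listing response in one pass. The following Python function is an added example, not Knocknoc's own code: it sorts one response into the causes listed on this page. The JSON shape, the HTTP status mapping, the cause labels and every object name are constructed assumptions modeled on a REST API Objects > Address Groups listing.

```python
import json

# Constructed sample responses; object names and JSON shape are assumptions.
SAMPLE_LIST = json.dumps({"@status": "success", "result": {"entry": [
    {"@name": "knocknoc-allow", "@vsys": "vsys1",
     "static": {"member": ["kn-user-1", "kn-user-2"]}},
    {"@name": "Tagged-Hosts", "@vsys": "vsys1",
     "dynamic": {"filter": "'tagged'"}},
]}})
SAMPLE_ERROR = json.dumps({"code": 5, "message": "Object Not Present"})


def diagnose(http_status, body, group_name):
    """Return (cause, detail) for one address-group listing response.

    detail holds the members when cause is "ok", the differently cased
    names when cause is "case-mismatch", and is empty otherwise.
    """
    if http_status in (401, 403):
        return ("permission", [])   # key rejected or role lacks read access
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return ("malformed", [])    # body is not JSON at all
    if not isinstance(doc, dict):
        return ("malformed", [])
    if http_status != 200 or doc.get("@status") != "success":
        return ("rejected", [])     # re-check the device group or vsys sent
    result = doc.get("result")
    entries = result.get("entry", []) if isinstance(result, dict) else None
    if not isinstance(entries, list):
        return ("malformed", [])
    by_name = {e.get("@name"): e for e in entries if isinstance(e, dict)}
    entry = by_name.get(group_name)  # exact, case-sensitive match
    if entry is None:
        near = [n for n in by_name
                if isinstance(n, str) and n.lower() == group_name.lower()]
        return ("case-mismatch", near) if near else ("missing", [])
    if "dynamic" in entry:
        return ("dynamic", [])      # agent needs a Static group
    static = entry.get("static")
    members = static.get("member", []) if isinstance(static, dict) else []
    return ("ok", list(members))


if __name__ == "__main__":
    for status, body, name in [(200, SAMPLE_LIST, "knocknoc-allow"),
                               (200, SAMPLE_LIST, "Knocknoc-Allow"),
                               (200, SAMPLE_LIST, "Tagged-Hosts"),
                               (403, "", "knocknoc-allow"),
                               (404, SAMPLE_ERROR, "knocknoc-allow")]:
        print(name, status, diagnose(status, body, name))
```

A "case-mismatch" result returns the name as it is stored on the firewall, which is the value to copy into the Knocknoc configuration.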

Still Having Issues?

We can help you out. Contact us at support@knocknoc.io.