Commit on Panorama Fails with Incompatible Zone Type Error

Created On 09/26/18 13:50 PM - Last Modified 11/10/20 20:43 PM


Symptom

Commit fails on Panorama with an error indicating incompatible zone types.

Example:

In VSYS vsys1 from zone outside of type layer3 and to zone dmz of type unknown are incompatible in decryption rule test-decrypt
Configuration is invalid
 




Environment
  • Any Panorama
  • PAN-OS 8.1 and above.


Cause

This error can occur if a rule is created using a template that has not been pushed to the managed device.
In the case above, to create an SSL decrypt rule, a forward-trust certificate is necessary.
If the certificate has been created on Panorama but not pushed to the device, the commit will fail.

Panorama shows this template:

[Screenshot: forward trust]

Note: Switching the context to the device does not list forward trust certificates.




Resolution
  1. Commit the template to Panorama.
  2. Push the template stack to the Firewall.
  3. Push the device group to the Firewall.

