Palo Alto Networks Knowledgebase: Commit on Panorama Fails with Incompatible Zone Type Error

Created On 09/26/18 13:50 PM - Last Updated 09/26/18 13:59 PM
Categories:  Device Management,  Initial Configuration,  Installation,  QoS,  Zone and DoS Protection

Issue

Commit fails on Panorama with an error indicating incompatible zone types.

 

For example:

In VSYS vsys1 from zone outside of type layer3 and to zone dmz of type unknown are incompatible in decryption rule test-decrypt

Configuration is invalid

[Screenshot: commit error.JPG]

Cause

This error can occur if a rule is created using a template that has not been pushed to the managed device. In the case above, creating an SSL decryption rule requires a forward-trust certificate. If the certificate has been created on Panorama but not pushed to the device, the commit will fail.

Panorama shows this template:

[Screenshot: fwd trust.JPG]

Note: Switching the context to the device does not list forward trust certificates.

[Screenshot: trust.JPG]

Resolution

  1. Push the template to Panorama.
  2. Push the template to the device.
  3. Commit to the device group.
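
When a commit fails with several of these lines, it helps to see which zones the device reports as type unknown and which rules reference them before pushing the template. The following is an added example, not code from Palo Alto Networks: the pattern is modelled only on the single error line quoted in this article, and the second error line in the sample, the "Validation Error:" header and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Pattern modelled on the one error line quoted in this article (assumption:
# other PAN-OS versions or rule types may word the message differently).
ZONE_ERR = re.compile(
    r"In VSYS (?P<vsys>\S+) from zone (?P<from_zone>.+?) of type (?P<from_type>\S+)"
    r" and to zone (?P<to_zone>.+?) of type (?P<to_type>\S+)"
    r" are incompatible in (?P<rule_kind>.+?) rule (?P<rule>.+)$"
)

# Constructed sample: the first error line is the one from this article,
# the header line and the second error line are made up for the example.
SAMPLE = """\
Validation Error:
In VSYS vsys1 from zone outside of type layer3 and to zone dmz of type unknown are incompatible in decryption rule test-decrypt
In VSYS vsys1 from zone guest of type unknown and to zone outside of type layer3 are incompatible in security rule guest-out
Configuration is invalid
"""

def parse_zone_errors(text):
    """Return one dict per incompatible-zone line found in commit output."""
    findings = []
    for line in text.splitlines():
        match = ZONE_ERR.search(line.strip())
        if match:
            findings.append(match.groupdict())
    return findings

def unknown_zones(findings):
    """Map (vsys, zone) -> sorted rule names for zones reported as type unknown."""
    zones = defaultdict(set)
    for f in findings:
        for side in ("from", "to"):
            if f[side + "_type"] == "unknown":
                zones[(f["vsys"], f[side + "_zone"])].add(f["rule"])
    return {key: sorted(rules) for key, rules in sorted(zones.items())}

if __name__ == "__main__":
    for (vsys, zone), rules in unknown_zones(parse_zone_errors(SAMPLE)).items():
        print(f"{vsys}: zone '{zone}' has type unknown on the device; "
              f"referenced by: {', '.join(rules)}")
```

Each zone it lists is a candidate for the check described under Cause: confirm that the template the rule depends on has been pushed to the device before committing to the device group.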

 

owner: ukhapre
