Palo Alto Networks Knowledgebase: Commit on Panorama Fails with Incompatible Zone Type Error

Commit on Panorama Fails with Incompatible Zone Type Error

Created On 09/26/18 13:50 PM - Last Updated 09/26/18 13:59 PM
Categories:  Device Management,  Initial Configuration,  Installation,  QoS,  Zone and DoS Protection




Commit fails on Panorama with an error indicating incompatible zone types.


For example:

In VSYS vsys1 from zone outside of type layer3 and to zone dmz of type unknown are incompatible in decryption rule test-decrypt

Configuration is invalid

commit error.JPG



This error can occur if a rule is created using a template that has not been pushed to the managed device. In the case above, to create a ssl decrypt rule, a forward-trust certificate is necessary. If the certificate has been created on Panorama but not pushed to the device the commit will fail.


Panorama shows this template:

fwd trust.JPG


Note: Switching the context to the device does not list forward trust certificates.




  1. Push the template to Panorama.
  2. Push the template to the device.
  3. Commit to the device group.


owner: ukhapre


  • Print
  • Copy Link

Change Language: