Palo Alto Networks Knowledgebase: Commit on Panorama Fails with Incompatible Zone Type Error
Created On 09/26/18 13:50 PM - Last Updated 09/26/18 13:59 PM
Zone and DoS Protection
Commit fails on Panorama with an error indicating incompatible zone types.
In VSYS vsys1 from zone outside of type layer3 and to zone dmz of type unknown are incompatible in decryption rule test-decrypt
Configuration is invalid
This error can occur if a rule is created using a template that has not been pushed to the managed device. In the case above, creating an SSL decryption rule requires a forward-trust certificate. If the certificate has been created on Panorama but not pushed to the device, the commit will fail.
Panorama shows this template:
Note: Switching the context to the device does not list forward trust certificates.
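The following triage script is an added example, not Palo Alto Networks code. It parses commit output in the format quoted above and separates zones reported as type unknown (per this article, a sign that template configuration has not been pushed to the device) from rules whose zone types are both known but differ. It assumes zone and rule names contain no spaces; the second and third sample lines are constructed.

```python
import re
from collections import defaultdict

# Matches the commit error format quoted in this article.
# Assumption: zone and rule names contain no whitespace.
ZONE_ERROR = re.compile(
    r"In VSYS (?P<vsys>\S+) from zone (?P<from_zone>\S+) of type (?P<from_type>\S+) "
    r"and to zone (?P<to_zone>\S+) of type (?P<to_type>\S+) "
    r"are incompatible in (?P<rule_type>\S+) rule (?P<rule>\S+)"
)

# First line is the error from this article; the next two are constructed samples.
SAMPLE = """\
In VSYS vsys1 from zone outside of type layer3 and to zone dmz of type unknown are incompatible in decryption rule test-decrypt
In VSYS vsys1 from zone inside of type layer3 and to zone dmz of type unknown are incompatible in decryption rule test-decrypt-2
In VSYS vsys1 from zone inside of type layer3 and to zone tap-mon of type tap are incompatible in security rule mirror
Configuration is invalid
"""

def triage_commit_errors(text):
    """Split zone errors into two groups.

    unresolved: {(vsys, zone): [rules]} for zones the device reports as 'unknown'
    mismatched: [(vsys, rule, from_type, to_type)] where both zone types are known
    """
    unresolved = defaultdict(set)
    mismatched = []
    for m in ZONE_ERROR.finditer(text):
        d = m.groupdict()
        unknown_sides = [s for s in ("from", "to") if d[f"{s}_type"] == "unknown"]
        for side in unknown_sides:
            unresolved[(d["vsys"], d[f"{side}_zone"])].add(d["rule"])
        if not unknown_sides:
            mismatched.append((d["vsys"], d["rule"], d["from_type"], d["to_type"]))
    return {k: sorted(v) for k, v in unresolved.items()}, mismatched

if __name__ == "__main__":
    unresolved, mismatched = triage_commit_errors(SAMPLE)
    for (vsys, zone), rules in unresolved.items():
        print(f"{vsys}: zone '{zone}' is unknown to the device; "
              f"check that its template was pushed (rules: {', '.join(rules)})")
    for vsys, rule, ftype, ttype in mismatched:
        print(f"{vsys}: rule '{rule}' mixes zone types {ftype} and {ttype}")
```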