Commit on Panorama Fails with Incompatible Zone Type Error
Created On 09/26/18 13:50 PM - Last Modified 11/10/20 20:43 PM
Symptom
Commit fails on Panorama with an error indicating incompatible zone types.
Example:
In VSYS vsys1 from zone outside of type layer3 and to zone dmz of type unknown are incompatible in decryption rule test-decrypt Configuration is invalid
Environment
- Any Panorama
- PAN-OS 8.1 and above.
Cause
This error can occur if a rule is created using a template that has not been pushed to the managed device.
In the case above, to create an SSL decrypt rule, a forward-trust certificate is necessary.
If the certificate has been created on Panorama but not pushed to the device, the commit will fail.
Panorama shows this template:
Note: After switching the context to the device, no forward trust certificates are listed.
Resolution
- Commit the template to Panorama.
- Push the template stack to the Firewall.
- Push the device group to the Firewall.
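When a failed commit reports many of these errors, the following added example (not Palo Alto Networks code) parses the error lines and separates zones reported as type unknown from zones whose types are both known. The message pattern is inferred from the single error line in this article, the sample log is constructed, and reading "unknown" as "zone not yet present on the device because its template was not pushed" is an assumption based on the Cause section.

```python
import re
from collections import defaultdict

# Pattern inferred from the one error line quoted in this article (assumption).
# Zone and rule names may contain spaces, so they are matched lazily between keywords.
ZONE_ERROR = re.compile(
    r"In VSYS (?P<vsys>\S+) from zone (?P<from_zone>.+?) of type (?P<from_type>\S+) "
    r"and to zone (?P<to_zone>.+?) of type (?P<to_type>\S+) "
    r"are incompatible in (?P<rule_kind>\S+) rule (?P<rule>.+?)"
    r"(?: Configuration is invalid)?\s*$"
)

# Constructed sample: line 1 is the article's example, the rest are made up.
SAMPLE_LOG = """\
In VSYS vsys1 from zone outside of type layer3 and to zone dmz of type unknown are incompatible in decryption rule test-decrypt Configuration is invalid
In VSYS vsys1 from zone guest wifi of type unknown and to zone dmz of type unknown are incompatible in decryption rule guest decrypt
In VSYS vsys2 from zone trust of type layer3 and to zone tap-in of type tap are incompatible in decryption rule mirror
Commit failed
"""

def parse_zone_errors(log_text):
    """Return one dict per incompatible-zone error found in the commit output."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := ZONE_ERROR.search(line))]

def unknown_zones(errors):
    """Map (vsys, zone) -> rules referencing a zone reported as type 'unknown'.
    These are the zones to look for in a template that has not been pushed."""
    hits = defaultdict(set)
    for e in errors:
        for side in ("from", "to"):
            if e[f"{side}_type"] == "unknown":
                hits[(e["vsys"], e[f"{side}_zone"])].add(e["rule"])
    return {key: sorted(rules) for key, rules in sorted(hits.items())}

def known_type_mismatches(errors):
    """Errors where both zone types are known: a template push will not fix
    these, the rule itself pairs incompatible zone types."""
    return [e for e in errors if "unknown" not in (e["from_type"], e["to_type"])]

if __name__ == "__main__":
    errs = parse_zone_errors(SAMPLE_LOG)
    for (vsys, zone), rules in unknown_zones(errs).items():
        print(f"{vsys}: zone '{zone}' is unknown on the device; used by {rules}")
    for e in known_type_mismatches(errs):
        print(f"{e['vsys']}: rule '{e['rule']}' mixes {e['from_type']} and {e['to_type']}")
```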