Panorama Template Commit Fails on New Firewall

Created On 03/21/19 21:04 PM - Last Modified 03/26/19 16:32 PM

Committing a template configuration from Panorama to a new device fails with a validation error on eth1/1, showing the message below or a similar one.

Here are the details as shown in the screenshot below:
  • Validation Error:
  • network -> virtual-router -> (VR name) -> interface 'ethernet1/1' is not a valid reference
  • network -> virtual-router -> (VR name) -> interface is invalid
  • vsys1
  • Error: zone (zone name) type and interface ethernet1/1 type mismatch
  • (Module: device)
  • Commit failed
Screenshot of Last Push State Details


During commit, the configuration is validated before being applied.
The validation is unable to match the pushed zone and interface type to the existing default virtual wire (vwire).

Screenshot of Ethernet tab.

Step 1: On the firewall, change the interface type to Layer 3 for the vwire interfaces

Step 2: Delete the existing vwire and commit the change on the firewall
Delete the default v-wire

Step 3: On Panorama, push the template and select Merge with Device Candidate Config

Additional Information
NOTE: The push cannot remove the interface from the default vwire and change its type, because the existing vwire cannot be committed without interfaces. Forcing the template config does not change this, and it will not remove the default vwire.
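
A pre-push check for the condition described above, as an added example that is not part of the original article or vendor code: it scans a firewall configuration export for anything that still ties an interface to a virtual wire before the template defines it as Layer 3. The function name `find_vwire_conflicts`, the XML element layout, and the vwire name `default-vwire` in the constructed sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed firewall config export with a factory-style vwire.
# The element layout and the name "default-vwire" are assumptions.
SAMPLE_CONFIG = """\
<config><devices><entry name="localhost.localdomain">
  <network>
    <interface><ethernet>
      <entry name="ethernet1/1"><virtual-wire/></entry>
      <entry name="ethernet1/2"><virtual-wire/></entry>
      <entry name="ethernet1/3"><layer3/></entry>
    </ethernet></interface>
    <virtual-wire><entry name="default-vwire">
      <interface1>ethernet1/1</interface1>
      <interface2>ethernet1/2</interface2>
    </entry></virtual-wire>
  </network>
  <vsys><entry name="vsys1"><zone><entry name="untrust">
    <network><virtual-wire><member>ethernet1/1</member></virtual-wire></network>
  </entry></zone></entry></vsys>
</entry></devices></config>
"""

def find_vwire_conflicts(config_xml, layer3_interfaces):
    """Return (interface, kind, name) tuples that would block a Layer 3 push."""
    root = ET.fromstring(config_xml)
    wanted = set(layer3_interfaces)
    conflicts = []
    # Interfaces whose local type is still virtual-wire.
    for eth in root.iterfind(".//network/interface/ethernet/entry"):
        if eth.get("name") in wanted and eth.find("virtual-wire") is not None:
            conflicts.append((eth.get("name"), "interface-type", "virtual-wire"))
    # Virtual wire objects that still reference those interfaces.
    for vw in root.iterfind(".//network/virtual-wire/entry"):
        for tag in ("interface1", "interface2"):
            if vw.findtext(tag) in wanted:
                conflicts.append((vw.findtext(tag), "vwire", vw.get("name")))
    # Zones of type virtual-wire that still contain those interfaces.
    for zone in root.iterfind(".//vsys/entry/zone/entry"):
        for member in zone.iterfind("network/virtual-wire/member"):
            if member.text in wanted:
                conflicts.append((member.text, "zone", zone.get("name")))
    return conflicts

if __name__ == "__main__":
    for iface, kind, name in find_vwire_conflicts(SAMPLE_CONFIG, ["ethernet1/1"]):
        print(f"{iface}: blocked by {kind} {name}")
```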