Panorama Template Commit Fails on New Firewall
Created On 03/21/19 21:04 PM - Last Modified 03/26/19 16:32 PM
Symptom
Committing a template config to a new device fails due to a validation error on ethernet1/1, with the message below or similar.
The commit output shows the following details:
- Validation Error:
- network -> virtual-router -> (VR name) -> interface 'ethernet1/1' is not a valid reference
- network -> virtual-router -> (VR name) -> interface is invalid
- vsys1
- Error: zone (zone name) type and interface ethernet1/1 type mismatch
- (Module: device)
- Commit failed
Environment
Panorama
PAN-OS
Cause
During commit, the configuration is validated before being applied.
The validation is unable to match the pushed zone and interface type to the existing default virtual wire (vwire).
Resolution
Step 1: On the firewall, change the interface type to Layer 3 for the vwire interfaces
Step 2: Delete the existing vwire and commit the change on the firewall
Step 3: On Panorama, push the template and select Merge with Device Candidate Config.
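A pre-push check for the condition described above, as an added example that is not part of the original article: it scans an exported firewall configuration for interfaces the template will use as Layer 3 but that are still tied to a vwire locally. The XML element layout, the function name `find_vwire_conflicts` and the object names in the sample are assumptions; check them against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an exported firewall config that still holds
# a default vwire. Element layout and object names are assumptions.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain">
  <network>
    <interface><ethernet>
      <entry name="ethernet1/1"><virtual-wire/></entry>
      <entry name="ethernet1/2"><virtual-wire/></entry>
      <entry name="ethernet1/3"><layer3/></entry>
    </ethernet></interface>
    <virtual-wire><entry name="default-vwire">
      <interface1>ethernet1/1</interface1>
      <interface2>ethernet1/2</interface2>
    </entry></virtual-wire>
  </network>
  <vsys><entry name="vsys1"><zone>
    <entry name="trust"><network><virtual-wire>
      <member>ethernet1/1</member></virtual-wire></network></entry>
    <entry name="untrust"><network><virtual-wire>
      <member>ethernet1/2</member></virtual-wire></network></entry>
  </zone></entry></vsys>
</entry></devices></config>
"""

def find_vwire_conflicts(config_xml, template_l3_interfaces):
    """List local vwire leftovers that would block a Layer 3 template push."""
    root = ET.fromstring(config_xml)
    wanted = set(template_l3_interfaces)
    findings = []
    # Step 1 target: interfaces whose local type is still virtual-wire.
    for entry in root.iterfind(".//network/interface/ethernet/entry"):
        if entry.get("name") in wanted and entry.find("virtual-wire") is not None:
            findings.append(("interface-type", entry.get("name"), "virtual-wire"))
    # Step 2 target: vwire objects that still reference those interfaces.
    for vwire in root.iterfind(".//network/virtual-wire/entry"):
        for tag in ("interface1", "interface2"):
            if vwire.findtext(tag) in wanted:
                findings.append(("vwire-member", vwire.findtext(tag), vwire.get("name")))
    # Source of the zone/interface type mismatch: virtual-wire zones.
    for zone in root.iterfind(".//vsys/entry/zone/entry"):
        for member in zone.iterfind("network/virtual-wire/member"):
            if member.text in wanted:
                findings.append(("zone-type", member.text, zone.get("name")))
    return findings

if __name__ == "__main__":
    for kind, interface, detail in find_vwire_conflicts(SAMPLE_CONFIG, ["ethernet1/1"]):
        print(f"{interface}: {kind} -> {detail}")
```

An empty result means none of the listed interfaces is still bound to a vwire on the firewall.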
Additional Information
NOTE: The push is unable to remove the interface from the default vwire and change its type because the existing vwire cannot be committed without interfaces. Forcing the template config does not change this, and it will not remove the default vwire.