Validation Error: rulebase -> nat -> rules -> Test -> source-translation -> dynamic-ip-and-port -> interface-address -> ip '$INT-Trust-InterfaceIP' is not a valid reference
rulebase -> nat -> rules -> Test -> source-translation -> dynamic-ip-and-port -> interface-address -> ip is invalid vsys1
Error: nat rule 'Test' invalid interface address $INT-Trust-InterfaceIP Error: Failed to parse nat policy (Module: device) client device phase 1 failure Commit failed

• Panorama
• PAN-OS 10.2.x
• Commit

• The issue will cause if variables are pushed to the firewall

1. Include Device and Network Templates while pushing variable to the firewall.

2. Commit should succeed without errors

• The variables are only to be used inside the template/template stack portion of configuration and not inside DG. Address objects need to be used inside DG. The resolution logic will only kick in when you do a template push or DG include template push. But still it is strongly advised not to use it as we dont know what issue we can end up with.

• Create Template(s), Template Stack(s), and Device Group(s) on Panorama

https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-on-nsx/set-up-the-vm-series-firewall-on-vmware-nsx/register-the-vm-series-firewall-as-a-service-on-the-nsx-manager/create-templates-and-device-groups-on-panorama