Panorama Template Commit Fails on New Firewall

Panorama Template Commit Fails on New Firewall

66425
Created On 03/21/19 21:04 PM - Last Modified 03/26/19 16:32 PM


Symptom


This occurs when committing a template config to a new device fails due to a validation error on eth1/1 with the below message or similar.

Here are the details as shown in the screenshot below:
  • Validation Error:
  • network -> virtual-router -> (VR name) -> interface 'ethernet1/1' is not a valid reference
  • network -> virtual-router ->(VR name) -> interface is invalid
  • vsys1
  • Error: zone (zone name) type and interface ethernet1/1 type mismatch
  • (Module: device)
  • Commit failed
Screenshot of Last Push Slate Details

Environment


Panorama
PAN-OS

Cause


During commit, the configuration is validated before being applied.
The validation is unable to match the pushed zone and interface type to the existing default virtual wire (vwire).

Screenshot of Ethernet tab.
 

Resolution


Step 1: On the firewall, change the interface type to Layer 3 for the vwire interfaces
User-added image


Step 2: Delete the existing vwire and commit the change on the firewall
Delete the default v-wire


Step 3:  On Panorama, push the template and select Merge with Device Candidate Config:
Merge with Device Candidate Config
 

Additional Information


NOTE: The push is unable to remove the interface from the default vwire and change the type because the existing vwire can not commit without interfaces. Forcing the template config does not change this, and it will not remove the default vwire.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000boNj&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail

Choose Language