How to change the existing zone name when using templates on Panorama

PAN-OS 5.0 and later

Overview

This document describes how to change the zone name on Panorama and push the updates to the managed firewalls without running into commit errors. If there are no policies referencing the zone, then the name can be changed directly on the template and committed without errors. However, this document covers a scenario where the zone requiring the name change is currently applied in one or more security policies.

Note: Panorama OS: 5.0 and later

Details

As an example scenario, the test_zone zone needs to be renamed to test_zone_1. The following image shows the original zone:

old_zone.JPG

Here is a policy referencing test_zone:

old.JPG

If the administrator directly modifies the zone name and issues a template commit, the commit fails with the error:

Last Push State Details

Details:

  • rulebase -> security > rules > test_rule -> from 'test_zone' is not an allowed keyword
  • rulebase -> security > rules > test_rule -> from 'test_zone' is not a valid reference

coomit_fail.JPG

Steps

The following prerequisites should be met before continuing with the zone name change:

  • The device is connected to Panorama and is part of a template
  • Policies referencing the zone exist and have already been pushed to the device

The steps below will use the sample scenario described earlier in this document.

  1. Rename the existing test_zone zone to test_zone_1. This will cause the name change to automatically occur for the policies referencing the zone.
    new_zone_only.JPG
    new_policy.JPG
  2. Add a new zone with the old zone name (test_zone). This step is required to avoid commit errors caused by the policies on the device that still reference the old zone name. At this point, the config should look like this:
    new_zone.JPG
  3. Issue a Panorama commit.
  4. Issue a template commit.
  5. Issue a device group commit.
  6. Once the commit is successful, delete the 'test_zone' zone, and then perform another Panorama commit, template commit and device group commit.

This procedure only works as listed above if both the zone and the interface configuration are managed through a template on Panorama.
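As an added example that is not part of this article, the following Python script expresses steps 1 through 6 as an ordered, dry-run plan of PAN-OS XML API requests (config rename/set/delete and commit/commit-all, as documented for the Panorama XML API) so the ordering that avoids the commit error can be reviewed before anything is sent. The host, the template name TPL, the device group DG, vsys1 and the API key are placeholders, and it is an assumption that an API rename updates policy references the way the GUI rename in step 1 does.

```python
from urllib.parse import urlencode

PANORAMA = "https://panorama.example.invalid/api/"   # placeholder Panorama host
TEMPLATE = "TPL"                                     # placeholder template name
DEVICE_GROUP = "DG"                                  # placeholder device-group name


def zone_xpath(template, zone=None, vsys="vsys1"):
    """XPath of the zone container (or one zone) inside a Panorama template."""
    base = ("/config/devices/entry[@name='localhost.localdomain']"
            f"/template/entry[@name='{template}']/config/devices"
            f"/entry[@name='localhost.localdomain']/vsys/entry[@name='{vsys}']/zone")
    return base if zone is None else f"{base}/entry[@name='{zone}']"


def commit_requests(template, device_group):
    """Steps 3-5: Panorama commit, then template push, then device-group push."""
    return [
        {"type": "commit", "cmd": "<commit></commit>"},
        {"type": "commit", "action": "all",
         "cmd": f"<commit-all><template><name>{template}</name></template></commit-all>"},
        {"type": "commit", "action": "all",
         "cmd": ("<commit-all><shared-policy><device-group>"
                 f"<entry name='{device_group}'/></device-group></shared-policy></commit-all>")},
    ]


def rename_zone_plan(old, new, template=TEMPLATE, device_group=DEVICE_GROUP):
    """Ordered requests for steps 1-6. The zone re-created under the old name keeps
    that name resolvable on the firewall until the updated policies have been pushed."""
    plan = [
        # step 1: rename the zone (assumed to update references as the GUI rename does)
        {"type": "config", "action": "rename",
         "xpath": zone_xpath(template, old), "newname": new},
        # step 2: add a layer3 zone under the old name so already-pushed policies resolve
        {"type": "config", "action": "set", "xpath": zone_xpath(template),
         "element": f"<entry name='{old}'><network><layer3/></network></entry>"},
    ]
    plan += commit_requests(template, device_group)       # steps 3-5
    # step 6: remove the placeholder zone, then repeat the three commits
    plan.append({"type": "config", "action": "delete", "xpath": zone_xpath(template, old)})
    plan += commit_requests(template, device_group)
    return plan


def as_urls(plan, api_key="API_KEY_PLACEHOLDER"):
    """Render each request as a GET URL; this is a dry run and nothing is sent."""
    return [PANORAMA + "?" + urlencode({**req, "key": api_key}) for req in plan]
```

Review the rendered URLs against the steps above before sending any of them; the interruption noted in the comments still applies between the first and second template push.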


See also

Is There an Impact on Active Sessions when Changing the Name of a Zone?

owner: sdarapuneni

Comments

It should be mentioned somewhere that after doing the first device-group commit, you will interrupt traffic until you change the zone on the appropriate interface. This is only achieved if the interface configuration also comes from the template, but not if the zone is configured in the template while the assignment to the interface is configured locally on the firewall.

Very useful. Thanks!

Is it still the same case on code 7.0? All the zones and interfaces are in a single template. Will renaming the zones interrupt the active sessions?

It doesn't work.

Yes, renaming the zones will interrupt sessions, as the commit will not be able to manipulate the session table: Is There an Impact on Active Sessions when Changing the Name of a Zone?

@rbista: I just tested the procedure on PAN-OS 7.1 and it works perfectly if you follow the steps correctly:

  1. Change the original zone name
  2. Add a new zone with the original name
  3. Commit Panorama
  4. Commit template
  5. Commit device group
  6. Delete the new object with the old name
  7. Commit Panorama
  8. Commit template
  9. Commit device group

There will be an interruption due to the zone name change in the stage where the zone name has been changed in the template (in the zone list and on the interface) but not in the policy yet.

Will the sessions also reset if the zone is renamed with a different case (e.g. zone1 is renamed to ZONE1)?

I have confirmed that the sessions will reset (manual clearing of all sessions) because the zone name is case sensitive on the firewall; therefore, renaming the zone from zone1 to ZONE1 does indeed generate a new index ID. You can confirm this using the "debug device-server dump idmgr type zone all" command on the firewall before and after the change. The sessions will need to be cleared in order to be rebuilt using the new index ID.