This document describes how to change the zone name on Panorama and push the updates to the managed firewalls without running into commit errors. If there are no policies referencing the zone, then the name can be changed directly on the template and committed without errors. However, this document covers a scenario where the zone requiring the name change is currently applied in one or more security policies.
Note: This procedure applies to Panorama 5.0 and later.
As an example scenario, the test_zone zone needs to be renamed to test_zone_1. The following image shows the original zone:
Here is a policy referencing test_zone:
If the administrator directly modifies the zone name and issues a template commit, the commit fails with the error:
Last Push State Details
rulebase -> security > rules > test_rule -> from 'test_zone' is not an allowed keyword
rulebase -> security > rules > test_rule -> from 'test_zone' is not a valid reference
The following prerequisites should be met before continuing with the zone name change:
The device is connected to Panorama and is part of a template.
Policies associated with the zone name exist and have already been pushed to the device.
The steps below will use the sample scenario described earlier in this document.
Rename the existing test_zone zone to test_zone_1. This will cause the name change to automatically occur for the policies referencing the zone.
Add a new zone with the old zone name (test_zone). This step is required to avoid commit errors caused by the policy dependency on the device: the policies already pushed to the device still reference the old zone name. At this point, the config should look like this:
Issue a Panorama commit.
Issue a template commit.
Issue a device group commit.
Once the commits are successful, delete the 'test_zone' zone, and then perform another Panorama commit, template commit, and device group commit.
This procedure will only work as listed above if the zone and interface configuration are both managed through a template on Panorama.
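The ordering dependency behind the failed direct rename and the placeholder-zone procedure can be modeled in Python. This is an added example, not code from Palo Alto Networks: it assumes a simplified firewall that rejects any push leaving a rule pointing at an undefined zone, and the untrust zone, class, and function names are constructed for illustration.

```python
# Simplified model (an assumption, not Panorama's code): a firewall holds zones
# pushed by the template and rules pushed by the device group, and rejects any
# push that would leave a rule referencing a zone that is not defined.

def dangling_refs(zones, rules):
    """Return (rule, field, zone) for every rule reference to an undefined zone."""
    return [(name, field, z)
            for name, rule in sorted(rules.items())
            for field in ("from", "to")
            for z in rule[field]
            if z != "any" and z not in zones]


class Firewall:
    def __init__(self, zones, rules):
        self.zones, self.rules = set(zones), dict(rules)

    def push(self, zones=None, rules=None):
        """Apply a template push (zones) or a device group push (rules)."""
        new_zones = self.zones if zones is None else set(zones)
        new_rules = self.rules if rules is None else dict(rules)
        errors = dangling_refs(new_zones, new_rules)
        if not errors:  # a failed push leaves the device config unchanged
            self.zones, self.rules = new_zones, new_rules
        return errors


def rename_on_panorama(rules, old, new):
    """Renaming the zone on Panorama also rewrites the rules that reference it."""
    return {n: {f: [new if z == old else z for z in r[f]] for f in ("from", "to")}
            for n, r in rules.items()}


# Constructed device state matching the article's scenario.
DEVICE_ZONES = {"test_zone", "untrust"}
DEVICE_RULES = {"test_rule": {"from": ["test_zone"], "to": ["untrust"]}}


def direct_rename():
    fw = Firewall(DEVICE_ZONES, DEVICE_RULES)
    return fw.push(zones={"test_zone_1", "untrust"})  # template commit fails


def rename_with_placeholder():
    fw = Firewall(DEVICE_ZONES, DEVICE_RULES)
    new_rules = rename_on_panorama(DEVICE_RULES, "test_zone", "test_zone_1")
    log = [fw.push(zones={"test_zone_1", "test_zone", "untrust"}),  # template commit
           fw.push(rules=new_rules),                   # device group commit
           fw.push(zones={"test_zone_1", "untrust"})]  # placeholder deleted
    return log, fw
```
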