Commit on Panorama Fails with Incompatible Zone Type Error

by ukhapre on ‎10-16-2014 06:38 PM - edited on ‎09-11-2015 01:23 AM by (4,622 Views)

Issue

Commit fails on Panorama with an error indicating incompatible zone types.

 

For example:

In VSYS vsys1 from zone outside of type layer3 and to zone dmz of type unknown are incompatible in decryption rule test-decrypt

Configuration is invalid

commit error.JPG

 

Cause

This error can occur if a rule is created using a template that has not been pushed to the managed device. In the case above, to create a ssl decrypt rule, a forward-trust certificate is necessary. If the certificate has been created on Panorama but not pushed to the device the commit will fail.

 

Panorama shows this template:

fwd trust.JPG

 

Note: Switching the context to the device does not list forward trust certificates.

trust.JPG

 

Resolution

  1. Push the template to Panorama.
  2. Push the template to the device.
  3. Commit to the device group.

 

owner: ukhapre

Ignite 2018, Amsterdam, Netherlands
Ask Questions Get Answers Join the Live Community
Contributors