Commit fails on Panorama with an error indicating incompatible zone types.
In VSYS vsys1 from zone outside of type layer3 and to zone dmz of type unknown are incompatible in decryption rule test-decrypt
Configuration is invalid
This error can occur if a rule is created using a template that has not been pushed to the managed device. In the case above, to create a ssl decrypt rule, a forward-trust certificate is necessary. If the certificate has been created on Panorama but not pushed to the device the commit will fail.
Panorama shows this template:
Note: Switching the context to the device does not list forward trust certificates.