Problem Renaming Zones when Policy was Pushed from Panorama

47202
Created On 09/25/18 19:49 PM - Last Modified 08/28/20 21:25 PM


Symptom


If the firewall uses policies pushed from Panorama that reference a zone by name (rather than any) and that zone is renamed on the firewall, the commit fails with "incompatible zone" and "configuration is invalid" errors.


Environment


  • Palo Alto Networks firewall.
  • PAN-OS 7.0 and above.


Cause


Commit validation on the firewall requires every zone that a rule references to exist locally. Pushed rules reference zones by name, so renaming the zone on the firewall leaves the Panorama-pushed rules pointing at a name that no longer exists, and the merged configuration fails validation. Changing the zone name in the Panorama policy first fails in the same way: the pushed configuration then references a zone name that does not yet exist on the firewall, so it cannot be committed there.



Resolution


  1. On the firewall, create a new zone with the name that the current zone is to be renamed to, and commit the change. This placeholder zone has no interfaces assigned; it exists only so that the updated Panorama configuration validates on the firewall, and it will be deleted later.
  2. In Panorama, change the zone name in the policies of the device group that contains this firewall.
  3. Push the new configuration to the firewall.
  4. Once that push is committed, the firewall will NOT pass traffic for this zone until step 5 is completed: the pushed rules now reference the placeholder zone, which has no interfaces, while the interfaces still belong to the old zone, so no rule matches that traffic.
  5. On the firewall, delete the zone created in step 1, then rename the old zone to the new name.
  6. Commit.

Note: Between the commit in step 3 and the commit in step 6, traffic for the affected zone does not flow through the firewall, so it is highly recommended to perform this procedure during a maintenance window or off-peak hours.
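The following is an added example for this article, not Palo Alto Networks code, and it does not talk to a device. It models two checks that matter for the procedure above: every zone a rule names must exist locally (otherwise the commit fails with "incompatible zone"), and a zone that owns no interface matches no traffic (the step 4 window). The XML is a constructed, simplified fragment in the shape of the PAN-OS running configuration (zone entries under zone, rules under rulebase/security/rules); the zone and rule names and the interface assignments are assumptions for illustration. A real pre-check would feed it the output of show config running retrieved from the firewall.

```python
"""Pre-check for renaming a zone that Panorama-pushed rules reference.

Added example for the KB article; not Palo Alto Networks code. Simulates the
firewall's zone-existence validation and the no-interface traffic gap on a copy
of a constructed, simplified config fragment.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed sample (not a device export): three local zones, three pushed rules.
SAMPLE_CONFIG = """
<config>
  <zone>
    <entry name="trust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
    <entry name="dmz"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
    <entry name="untrust"><network><layer3><member>ethernet1/3</member></layer3></network></entry>
  </zone>
  <rulebase><security><rules>
    <entry name="allow-web"><from><member>untrust</member></from><to><member>dmz</member></to></entry>
    <entry name="allow-out"><from><member>trust</member></from><to><member>untrust</member></to></entry>
    <entry name="allow-any"><from><member>any</member></from><to><member>any</member></to></entry>
  </rules></security></rulebase>
</config>
"""

RULE_PATH = "./rulebase/security/rules/entry"


def parse(xml_text):
    return ET.fromstring(xml_text)


def local_zones(root):
    """Zone name -> set of interfaces assigned to it (empty for a placeholder zone)."""
    return {e.get("name"): {m.text for m in e.findall("./network/*/member")}
            for e in root.findall("./zone/entry")}


def rule_zone_refs(root):
    """Rule name -> zone names used in from/to; 'any' is not a zone reference."""
    refs = {}
    for rule in root.findall(RULE_PATH):
        members = rule.findall("./from/member") + rule.findall("./to/member")
        refs[rule.get("name")] = {m.text for m in members} - {"any"}
    return refs


def incompatible_zone_refs(root):
    """Rule -> referenced zones that do not exist locally. Non-empty: commit would fail."""
    zones = set(local_zones(root))
    missing = {rule: refs - zones for rule, refs in rule_zone_refs(root).items()}
    return {rule: refs for rule, refs in missing.items() if refs}


def dead_zone_refs(root):
    """Zones that rules reference but that own no interface: those rules match no traffic."""
    zones = local_zones(root)
    referenced = set().union(*rule_zone_refs(root).values())
    return {z for z in referenced if z in zones and not zones[z]}


# Each helper below simulates one configuration change on a copy of the config.

def add_zone(root, name, interfaces=()):
    root = copy.deepcopy(root)
    zone = ET.SubElement(root.find("./zone"), "entry", name=name)
    layer3 = ET.SubElement(ET.SubElement(zone, "network"), "layer3")
    for ifname in interfaces:
        ET.SubElement(layer3, "member").text = ifname
    return root


def delete_zone(root, name):
    root = copy.deepcopy(root)
    zones = root.find("./zone")
    for e in zones.findall("./entry"):
        if e.get("name") == name:
            zones.remove(e)
    return root


def rename_zone_locally(root, old, new):
    """Renaming on the firewall: the zone changes name, the pushed rules do not."""
    root = copy.deepcopy(root)
    for e in root.findall("./zone/entry"):
        if e.get("name") == old:
            e.set("name", new)
    return root


def rename_zone_in_rules(root, old, new):
    """The Panorama-side change: rule references change, local zones do not."""
    root = copy.deepcopy(root)
    for m in root.findall(RULE_PATH + "/from/member") + root.findall(RULE_PATH + "/to/member"):
        if m.text == old:
            m.text = new
    return root


def workaround(root, old, new):
    """Walk the article's steps; return (label, incompatible refs, dead zones) per commit."""
    step1 = add_zone(root, new)                                     # step 1: placeholder, commit
    step3 = rename_zone_in_rules(step1, old, new)                   # steps 2-3: edit and push
    step6 = rename_zone_locally(delete_zone(step3, new), old, new)  # steps 5-6: drop, rename
    return [(label, incompatible_zone_refs(s), dead_zone_refs(s))
            for label, s in (("placeholder zone added", step1),
                             ("panorama policy pushed", step3),
                             ("placeholder deleted, zone renamed", step6))]


if __name__ == "__main__":
    root = parse(SAMPLE_CONFIG)
    # Direct rename on the firewall: allow-web still names "dmz", which no longer exists.
    print("direct rename:", incompatible_zone_refs(rename_zone_locally(root, "dmz", "dmz-servers")))
    for label, bad, dead in workaround(root, "dmz", "dmz-servers"):
        print(f"{label}: incompatible={bad or 'none'} zones-without-interfaces={dead or 'none'}")
```

Running it shows the direct rename failing validation on allow-web, the pushed configuration validating at step 3 only because the placeholder exists, the placeholder zone listed as owning no interface during the step 4 window, and a clean state after the combined delete-and-rename in step 6.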




https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleMCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail