Problem Renaming Zones when Policy was Pushed from Panorama

Printer Friendly Page


If the device uses policies pushed from Panorama that specify zone names (rather than any) and an attempt to rename that zone is made on the device, an “incompatible zone” and “configuration is invalid” error will occur upon commit.

Attempting to update the zone name in the policy being pushed from Panorama will result in the inability to push that configuration to the device because the zone name is invalid.


Note: Between steps 4 and 5 of this procedure, traffic will not flow through the firewall so it is highly recommended to perform this procedure during off-peak hours.

  1. Create a new zone on the Firewall using the name that the current zone needs to be renamed to and commit the change. This zone will be deleted later but is needed to import the new Panorama config
  2. In Panorama, change the zone name in the policies for the device group containing this device.
  3. Push the new config to the device.
  4. Once it is committed the firewall will NOT pass traffic for this zone until step 5 is completed.
  5. On the Firewall, delete the zone created in step one. Once the zone is deleted rename the old zone with the new name
  6. Commit

owner: jteetsel


zones can be created in the Panorama via templates. polices are created in Device Groups.  when you issue a DG commit select templates as well. so, The security policies and the zones will be committed to the devices in one shot.  There is no need to configure security zones locally in the device.

I advice you to not use Zones in templates unless you are very careful : a  push with Force Template Values has great chances to remove all interfaces that you may have to override in local firewall.

I am taking about a solution I tested long time ago:

- rename zone in Firewall ( DO NO COMMIT )

- rename zone in Panorama Policies
- in Panorama do COMMIT DeviceGroup + merge candidate config.

Neither method worked. 

@rbista both methods have been tested and work as expected, they do have their own 'environment' (see cpainchaud's note) so please reach out to support if you're not able to implement the provided methods, we may need to create more documentation for a different deployment