I configured 2 vsys with a single router and the world is good. A customer engineer then applied the corporate default zone protection profile to all zones including the external zone.
This caused commit errors with the following message:
"In VSYS vsys1 from Zone1 of type layer 3 and to zone External_Zone of type zone-protection-profile are incompatible in security rule......."
Logically I could understand maybe zone protection isn't supported on an external zone however it does allow you to configure one. There is no zone type "zone-protection-profile".
So is it supported but we have a bug or should it not be an option in an external zone configuration?
If you set the virtual system on the VR page, or the VR on the VSYS page, those settings will affect each other. My point was just that this is a loose association. You can attach VR1 to VSYS1, and still bind VR1 to VSYS2 on all of the interfaces that reside in VR1. That means that the VR1 to VSYS1 binding essentially had no effect.
Hope this helps,
We can only perform zone protection on the ingress interface. We're unable to do so on an external zone. Have you filed a case by any chance? Although I'm not sure about our options in this specific case, we generally prefer to perform checking at the time of configuration rather than at commit time.
I've got the same problem after creating a policy between two vsyses.
First I configured the visibility between the two vsyses and after that I've created two ext_zones:
vsys9 => VSYS24_ext_zone
vsys24 => VSYS9_ext_zone
src zone: VSYS24_ext_zone dst zone: Trust
Message after commit:
In VSYS vsys9 from zone VSYS24_ext_zone of type layer 3 and to zone Trust of type zone-protection-profile are incompatible in <policy-name>
Also, in my case no protection profile is defined at the external zone.
Does anyone have an idea what this could be?
Could you please list out the types for each zone and the virtual system that contains each? The error message is a bit odd as there is no zone type called zone-protection-profile. It may just be a simple wording error so I'd like to see a bit more on the configuration before jumping to any conclusions.
Which version of PAN-OS are you running at the moment?
Also, one quick question. Are you running PAN OS 5.0.1 or 5.0.2? An XML ordering issue has been addressed in PAN OS 5.0.3 which could cause commit to fail with a similar message:
47133—Fixed a zone validation failure that occurred because the network zone was incorrectly recorded in the device configuration XML file.
The XML node for the zone expects the zone name to be of the form (in 5.0.1/5.0.2):
If the XML equivalent for your zone "VSYS24_ext_zone" is generated differently, then the commit may fail.
I am running 4.1.9 in an Active/Active setup with Panorama as the management device for the policies.
Attached the requested information.
I have a workaround by configuring the zone as "any". But it would be nice if I could use the VSYSx_ext_zone.
Using the external zone works for me in other cases, but the strange thing is that I can't use it within vsys9.
Sorry for the late response on this. I don't see anything wrong with your configuration. Could you please file a case with support so that we can take a closer look at the issue?
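Two points in this thread are easy to check mechanically: the request to list each zone's type and the vsys that contains it, and the statement that zone protection only applies on the ingress interface and therefore cannot take effect on an external zone. The script below is an added example, not from the original thread or from Palo Alto Networks. It walks a running-config export and flags external zones that carry a zone-protection profile. The XML layout it assumes (devices/entry/vsys/entry/zone/entry/network/<type>, with zone-protection-profile as a sibling of the type element) matches what a PAN-OS config export looks like in my experience, but the embedded sample is constructed by hand and the vsys and zone names are taken from the thread only for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS running-config export.
# Assumed layout: devices/entry/vsys/entry/zone/entry/network/<zone type>.
# vsys9 has a zone-protection profile on its external zone, which is the
# condition this script is meant to catch.
SAMPLE_CONFIG = """<config version="5.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys9">
          <zone>
            <entry name="Trust">
              <network>
                <zone-protection-profile>corp-default</zone-protection-profile>
                <layer3><member>ethernet1/1</member></layer3>
              </network>
            </entry>
            <entry name="VSYS24_ext_zone">
              <network>
                <zone-protection-profile>corp-default</zone-protection-profile>
                <external><member>vsys24</member></external>
              </network>
            </entry>
          </zone>
        </entry>
        <entry name="vsys24">
          <zone>
            <entry name="VSYS9_ext_zone">
              <network>
                <external><member>vsys9</member></external>
              </network>
            </entry>
            <entry name="Untrust">
              <network>
                <layer3><member>ethernet1/2</member></layer3>
              </network>
            </entry>
          </zone>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

# Zone types as they appear under <network>; the first one found wins.
ZONE_TYPES = ("layer3", "layer2", "virtual-wire", "tap", "external")


def zone_inventory(config_xml):
    """Return a list of (vsys, zone, type, profile) tuples, one per zone."""
    root = ET.fromstring(config_xml)
    rows = []
    for vsys in root.findall("./devices/entry/vsys/entry"):
        vsys_name = vsys.get("name")
        for zone in vsys.findall("./zone/entry"):
            net = zone.find("network")
            ztype = "unknown"
            profile = None
            if net is not None:
                for candidate in ZONE_TYPES:
                    if net.find(candidate) is not None:
                        ztype = candidate
                        break
                prof = net.find("zone-protection-profile")
                if prof is not None and prof.text:
                    profile = prof.text.strip()
            rows.append((vsys_name, zone.get("name"), ztype, profile))
    return rows


def external_zones_with_profile(config_xml):
    """External zones that carry a zone-protection profile.

    Traffic never enters the firewall through an external zone (it arrives
    on an interface in a layer3/layer2/vwire/tap zone of the other vsys),
    so a profile attached here has nothing to act on.
    """
    return [(v, z, p) for v, z, t, p in zone_inventory(config_xml)
            if t == "external" and p is not None]


if __name__ == "__main__":
    for vsys, zone, ztype, profile in zone_inventory(SAMPLE_CONFIG):
        print(f"{vsys:8} {zone:18} {ztype:10} profile={profile}")
    for vsys, zone, profile in external_zones_with_profile(SAMPLE_CONFIG):
        print(f"WARNING: {vsys}/{zone} is external but has profile {profile!r}")
```

To run it against a real device, replace SAMPLE_CONFIG with the contents of a configuration export (for example the file produced by "Export named configuration snapshot") and look at the WARNING lines; clearing the profile from any external zone they name is the first thing to try before opening a case.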