Routing between virtual systems

rzg62s_BPC
Not applicable

Nick,

I configured 2 vsys with a single router and the world is good. A customer engineer then applied the corporate default zone protection profile to all zones including the external zone.

This caused commit errors with the following syntax,

"In VSYS vsys1 from Zone1 of type layer 3 and to zone External_Zone of type zone-protection-profile are incompatible in security rule......."

Logically I could understand maybe zone protection isn't supported on an external zone however it does allow you to configure one. There is no zone type "zone-protection-profile".

So is it supported but we have a bug or should it not be an option in an external zone configuration?

Thanks,

Paul

ncampagna
Palo Alto Networks Guru

Hello craymond,

If you set the virtual system on the VR page, or the VR on the VSYS page, those settings will affect each other. My point was just that this is a loose association. You can attach VR1 to VSYS1, and still bind VR1 to VSYS2 on all of the interfaces that reside in VR1. That means that the VR1 to VSYS1 binding essentially had no effect.

Hope this helps,

Nick

ncampagna
Palo Alto Networks Guru

Hi Paul,

We can only perform zone protection on the ingress interface. We're unable to do so on an external zone. Have you filed a case by any chance? Although I'm not sure about our options in this specific case, we generally prefer to perform checking at the time of configuration rather than at commit time.

Thanks,

Nick

craymond
L4 Transporter

Thanks Nick. I think that makes sense!

The inherent vice of capitalism is the unequal sharing of blessings; the inherent virtue of socialism is the equal sharing of miseries.
ppater
Not applicable

Hi Paul,

I've got the same problem after creating a policy between two vsyses.

First I configured the visibility between the two vsyses and after that I've created two ext_zones:

vsys9 => VSYS24_ext_zone

vsys24 => VSYS9_ext_zone

Policy:

src zone: VSYS24_ext_zone       dst zone: Trust    

Message after commit:

In VSYS vsys9 from zone VSYS24_ext_zone of type layer 3 and to zone Trust of type zone-protection-profile are incompatible in <policy-name>

Also, in my case no protection profile is defined at the external zone.

Does anyone have an idea what this could be?

Best Regards

Patrick

ncampagna
Palo Alto Networks Guru

Hi Patrick,

Could you please list out the types for each zone and the virtual system that contains each? The error message is a bit odd as there is no zone type called zone-protection-profile. It may just be a simple wording error so I'd like to see a bit more on the configuration before jumping to any conclusions.

Which version of PAN-OS are you running at the moment?

Thanks,

Nick

goku123
L7 Applicator

Also, one quick question. Are you running PAN OS 5.0.1 or 5.0.2? An XML ordering issue has been addressed in PAN OS 5.0.3 which could cause commit to fail with a similar message:

47133—Fixed a zone validation failure that occurred because the network zone was incorrectly recorded in the device configuration XML file.

The XML node for the zone expects the zone name to be of the form (in 5.0.1/5.0.2):

zone {
    ZONE_NAME {
        network {
            layer3 ...
        }
    }
}

If the XML equivalent for your zone "VSYS24_ext_zone" is generated differently, then the commit may fail.
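Nick asked above for each zone's type and the vsys that contains it, and the post above points at how the zone node is laid out in the config XML. As an added illustration (not code from this thread or from Palo Alto Networks), the Python below parses a constructed config export, lists every zone's network type per vsys, and flags security-rule members that name a zone missing from that vsys or lacking any network node; the element paths (devices/entry/vsys/entry/zone/entry/network/...) are an assumption about the export layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS config export; the vsys/zone/network/{layer3|external}
# layout is an assumption, not the thread's attachment. Broken_zone and Missing_zone are planted faults.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
  <entry name="vsys9">
    <zone>
      <entry name="Trust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
      <entry name="VSYS24_ext_zone"><network><external><member>vsys24</member></external></network></entry>
      <entry name="Broken_zone"><network/></entry>
    </zone>
    <rulebase><security><rules>
      <entry name="ext-to-trust"><from><member>VSYS24_ext_zone</member></from><to><member>Trust</member></to></entry>
      <entry name="bad-rule"><from><member>Broken_zone</member></from><to><member>Missing_zone</member></to></entry>
    </rules></security></rulebase>
  </entry>
</vsys></entry></devices></config>"""

NETWORK_TYPES = ("layer3", "layer2", "virtual-wire", "tap", "external")

def zone_types(root):
    """Map each vsys to {zone name: network type or None}: the per-vsys listing requested above."""
    result = {}
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        zones = {}
        for zone in vsys.iterfind("./zone/entry"):
            zones[zone.get("name")] = next(
                (t for t in NETWORK_TYPES if zone.find(f"./network/{t}") is not None), None)
        result[vsys.get("name")] = zones
    return result

def check_rules(root):
    """Flag security-rule zones that are undefined in their vsys or carry no network type node."""
    types, problems = zone_types(root), []
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        vname = vsys.get("name")
        for rule in vsys.iterfind("./rulebase/security/rules/entry"):
            members = list(rule.iterfind("./from/member")) + list(rule.iterfind("./to/member"))
            for zname in (m.text for m in members if m.text != "any"):
                if zname not in types[vname]:
                    problems.append((vname, rule.get("name"), zname, "zone not defined in this vsys"))
                elif types[vname][zname] is None:
                    problems.append((vname, rule.get("name"), zname, "zone has no network type"))
    return problems

def audit(config_xml):
    """Parse a config export and return (zone listing per vsys, list of rule problems)."""
    root = ET.fromstring(config_xml)
    return zone_types(root), check_rules(root)
```

Running `audit(SAMPLE_CONFIG)` on the sample reports Trust as layer3, VSYS24_ext_zone as external, and two problems on bad-rule, which is the kind of listing that narrows a commit error like the one quoted above before opening a case.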

ppater
Not applicable

Hello Nick,

I am running 4.1.9 in an Active/Active setup with Panorama as the management device for the policies.

Attached the requested information.

I have a workaround by configuring the zone as "any". But it would be nice if I could use the VSYSx_ext_zone.

Using the external zone works for me in other cases, but the strange thing is that I can't use it within vsys9.

Thanks.

Best Regards,

Patrick

ppater
Not applicable

Hi,

Does anyone have an idea what my problem could be?

ncampagna
Palo Alto Networks Guru

Hi Patrick,

Sorry for the late response on this. I don't see anything wrong with your configuration. Could you please file a case with support so that we can take a closer look at the issue?

Thanks,

Nick
