topic Convert VSD Juniper(Screen OS) configuration to Palo Alto in General Topics

Convert VSD Juniper(Screen OS) configuration to Palo Alto

Fjrubiab — Fri, 26 Mar 2021 10:35:06 GMT

Hi team,

We have a Juniper firewall configuration with 4 VSD(virtual security device) and we want to migrate that kind of configuration on Palo Alto.

We have tried to migrate that configuration but we didn't find this capability on palo alto firewall.

Does exist any similiar capability in palo alto?

Thanks ,
Regards.

Re: Convert VSD Juniper(Screen OS) configuration to Palo Alto

nikoolayy1 — Fri, 26 Mar 2021 11:19:03 GMT

Read about Palo Alto virtual systems as it is similart to VSD but you need to have the correct palo Alto model and license for VSYS:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/virtual-systems/virtual-systems-overview

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/virtual-systems/virtual-systems-overview/platform-support-and-licensing-for-virtual-systems.html

Also the Palo Alto migration tool could be tested to migrate the security configuration to some extend:

https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool

Re: Convert VSD Juniper(Screen OS) configuration to Palo Alto

Fjrubiab — Fri, 26 Mar 2021 14:03:15 GMT

I think that this solution is not valid because in the configuration each subinterface needs an IP. For example

(belongs VSD 0)set interface ethernet0 / 0.99 ip X.Y.Z.32/24
(belongs VSD 0)set interface ethernet0 / 0.99 route
(belongs VSD 1)set interface ethernet0 / 0.99: 1 ip X.Y.Z.30/24
(belongs VSD 1)set interface ethernet0 / 0.99: 1 route
(belongs VSD 2)set interface ethernet0 / 0.99: 2 ip X.Y.Z.29/24
(belongs VSD 2)set interface ethernet0 / 0.99: 2 route
(belongs VSD 3)set interface ethernet0 / 0.99: 3 ip X.Y.Z.31/24
(belongs VSD 3)set interface ethernet0 / 0.99: 3 route

They also share the same security policies, objects, and the rest of the configuration. And the cluster configuration is active / active. VSD 0 and 2 are active on firewall A and passive on firewall B. AND VSD 1 and 3 are active on firewall B and passive on firewall A.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB7051&cat=NS_204&actp=LIST

Re: Convert VSD Juniper(Screen OS) configuration to Palo Alto

nikoolayy1 — Fri, 26 Mar 2021 19:06:02 GMT

Better test the Palo Alto as you can also create sub interfaces from one physical and attach them to a vsys. Each VSYS will have its own virtual router and there is an option one vsys to send the traffic to another vsys if needed.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFgCAK

Also shared objects can be configured, so that when you configure one object to be present in all vsys:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/virtual-systems/virtual-systems-overview/shared-objects-for-virtual-systems.html

For VSYS active/active there is not exactly the same but you can check below post as the chassis are in active/active and a virtual ip address is used that active just on one of the chassis and standby on the other. The virtual ip will e related to a specific vsys, so for example vsys 1 will be get the traffic on chassis 1 and vsys 2 will get the traffic on chassis2:

https://live.paloaltonetworks.com/t5/general-topics/ha-active-active-mode-with-multi-vsys/td-p/278637

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/floating-ip-address-and-virtual-mac-address.html

I suggest asking palo alto for a demo and can we close this thread as it is better to test this with a live demo ?