How to Consolidate Multi vSys System into a Single vSys?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

How to Consolidate Multi vSys System into a Single vSys?

L2 Linker

We have a multivsys system with extensive configuration in which we have been asked to consolidate into a single vsys. I have worked in Expedition, uploading two configuration and manually moving things over. I have tried load merging the configuation and only copying the vsys information into a single vsys. All met with varying level of success. There seems to be little to no documentation that I have been able to find.

 

My questions are - Is the possible? And what are the best ways to accomplish merging a multivsys system into a single vsys? 

2 accepted solutions

Accepted Solutions

Okay cool. So there is no real method for merging vsys except for doing it essentially by hand. This is really going to suck.

View solution in original post

L2 Linker

I used Expedition to combine the different vsys in to the same configuration vsys on my base config. I had to do a lot of clean up, but it was not as bad as I thought. Using the CLI to merge the config by @TomYoung works to, essentially the same thing, but you dont have as good of clean up tools. 

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

@blwavg,

There is a lot of configuration statements that need to be removed, modified, and the like when moving from a multi-vsys system to a sole vsys system. I would really recommend completely rebuilding the configuration file instead of actually using the Expedition tool to do so. This allows you to ensure that everything gets rebuilt correctly. 

 

This is possible, but it's a lot of work to do as you can't easily merge the statements and have it function correctly. 

I want to make sure I understand what you are saying. I can take multiple physical palo altos, merge the configuration. I would need to check the routing, interfaces and policies. And that would work with some hiccups, but is possible and something that is supported by Palo Alto. If I were to take a single PA with a multi vsys setup, I have to recreate everything from scratch?

@blwavg,

You don't have to completely re-create the configuration file; the reason that I would recommend doing so is that it generally takes less time then going back and taking out all of the unnecessary statements and verifying that the entire syntax is correct and the configuration file will actually pass the validatation process. 

 

Okay cool. So there is no real method for merging vsys except for doing it essentially by hand. This is really going to suck.

L1 Bithead

Hi @blwavg 

 

How did you go with the migration? I am trying to do the exact same thing.

 

Regards

Cyber Elite
Cyber Elite

Hi @miguelgzz ,

 

With regard to moving bulk configuration, the 2 main ways are through CLI and load config partial.  CLI is the easier of the two by far.  Here is a doc that shows how to "Import Palo Alto Networks Firewall Configurations into Panorama" https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clf2CAC&refURL=http%3A%2F%... but it can be easily modified to move a config from 1 vsys to another.

 

Load config partial can actually be faster, but takes longer to learn.  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-cli-quick-start/use-the-cli/load-configurations...  The Xpath (XML path) is the trickiest, but can easily be looked up in the API Browser.  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-ap...  There is also an API Debug -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-ap....

 

Thanks,

 

Tom

 

Edit:  Thank you @blwavg for the 3rd option of Expedition!  It DOES have excellent cleanup tools.  Did you import export configs or push the changes via API from Expedition?

Help the community: Like helpful comments and mark solutions.

L2 Linker

I used Expedition to combine the different vsys in to the same configuration vsys on my base config. I had to do a lot of clean up, but it was not as bad as I thought. Using the CLI to merge the config by @TomYoung works to, essentially the same thing, but you dont have as good of clean up tools. 

  • 2 accepted solutions
  • 5077 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!