How to Change the VSYS from the CLI
Resolution
Overview
When a Palo Alto Networks firewall is enabled with multiple virtual system (multi-vsys) capability in the device management Web GUI or on the CLI, users are able to select the desired vsys to view or amend policies and objects.
Users must have 'Superuser,' 'Device administrator,' or 'Device administrator (read-only)' access level. This command is not available for 'Virtual system administrator' nor 'Virtual system administrator (read-only).'
Steps
By default, the CLI starts in global mode where system statistic and global counters are accumulated from all vsys. Certain configurations such as security, NAT, and PBF do not have a "global" setting. Instead the CLI will return the configuration for the first default vsys1.
To determine if the firewall has multi-vsys enabled use this command:
> show system info | match vsys
multi-vsys: on
To view a list of vsys configured on the firewall use this command:
> set system setting target-vsys ?
none none
vsys1 vsys1
vsys2 vsys2
<value> <value>
To switch to a particular vsys, use the following CLI command to select a virtual system (VSYS). This enables the issuing of commands and collection of data specific to one virtual system (VSYS):
> set system setting target-vsys <value>
Use this command to switch to vsys2:
admin@PA> set system setting target-vsys vsys2
The CLI will return the following if the vsys name is valid.
Session target vsys changed to vsys2
admin@PA-vsys2>
Note: The "-vsys2" in the command prompt indicates which vsys mode is active. Verify that it is in fact the correct and intended vsys before issuing a configuration change.
The vsys name is case-sensitive. See this example:
>admin@PA> set system setting target-vsys VSYS2
Server error : set -> system -> setting -> target-vsys 'VSYS2' is not an allowed keyword
To return to default view use this command:
> set system setting target-vsys none
See this example:
>admin@PA-vsys2> set system setting target-vsys none
The session target vsys changed to none.
>admin@PA>
Note: The -vsys is no longer in the command prompt.
This command is not persistence. Once the admin is logged off and/or logged on to a new session, the system will start in the default global mode. There is no option to set a "default vsys" for CLI.
See Also
owner: spriromruen