How to Change the VSYS from the CLI

How to Change the VSYS from the CLI

139097
Created On 09/25/18 19:48 PM - Last Modified 04/20/20 21:49 PM


Resolution


Overview

When a Palo Alto Networks firewall is enabled with multiple virtual system (multi-vsys) capability in the device management Web GUI or on the CLI, users are able to select the desired vsys to view or amend policies and objects.

Users must have 'Superuser,' 'Device administrator,' or 'Device administrator (read-only)' access level. This command is not available for 'Virtual system administrator' nor 'Virtual system administrator (read-only).'

Steps

By default, the CLI starts in global mode where system statistic and global counters are accumulated from all vsys. Certain configurations such as security, NAT, and PBF do not have a "global" setting. Instead the CLI will return the configuration for the first default vsys1.

To determine if the firewall has multi-vsys enabled use this command:

> show system info | match vsys

multi-vsys: on

To view a list of vsys configured on the firewall use this command:

> set system setting target-vsys ?

none     none

vsys1    vsys1

vsys2    vsys2

<value>  <value>

To switch to a particular vsys, use the following CLI command to select a virtual system (VSYS). This enables the issuing of commands and collection of data specific to one virtual system (VSYS):

> set system setting target-vsys <value>

Use this command to switch to vsys2:

admin@PA> set system setting target-vsys vsys2

The CLI will return the following if the vsys name is valid.

Session target vsys changed to vsys2

admin@PA-vsys2>

Note: The "-vsys2" in the command prompt indicates which vsys mode is active. Verify that it is in fact the correct and intended vsys before issuing a configuration change.

The vsys name is case-sensitive. See this example:

>admin@PA> set system setting target-vsys VSYS2

Server error : set -> system -> setting -> target-vsys 'VSYS2' is not an allowed keyword

To return to default view use this command:

> set system setting target-vsys none

See this example:

>admin@PA-vsys2> set system setting target-vsys none

The session target vsys changed to none.

>admin@PA>

Note: The -vsys is no longer in the command prompt.

This command is not persistence. Once the admin is logged off and/or logged on to a new session, the system will start in the default global mode. There is no option to set a "default vsys" for CLI.

See Also

Virtual Systems (VSYS)

owner: spriromruen
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldyCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language