
Convert VSD Juniper(Screen OS) configuration to Palo Alto



L0 Member

Hi team,

We have a Juniper firewall configuration with 4 VSDs (virtual security devices) and we want to migrate that kind of configuration to Palo Alto.

We have tried to migrate that configuration but we didn't find this capability on the Palo Alto firewall.

Does any similar capability exist in Palo Alto?

Thanks,
Regards.

Accepted Solution

Better test the Palo Alto, as you can also create sub-interfaces from one physical interface and attach them to a vsys. Each VSYS will have its own virtual router, and there is an option for one vsys to send the traffic to another vsys if needed.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFgCAK

Also shared objects can be configured, so that when you configure one object it is present in all vsys:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/virtual-systems/virtual-systems-overview/s...

For VSYS active/active there is not exactly the same, but you can check the post below, as the chassis are in active/active and a virtual IP address is used that is active just on one of the chassis and standby on the other. The virtual IP will be related to a specific vsys, so for example vsys 1 will get the traffic on chassis 1 and vsys 2 will get the traffic on chassis 2:

https://live.paloaltonetworks.com/t5/general-topics/ha-active-active-mode-with-multi-vsys/td-p/27863...

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/floating-ip-...

I suggest asking Palo Alto for a demo, and can we close this thread, as it is better to test this with a live demo?


3 Replies

L6 Presenter

Read about Palo Alto virtual systems, as it is similar to VSD, but you need to have the correct Palo Alto model and license for VSYS:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/virtual-systems/virtual-systems-overview

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/virtual-systems/virtual-systems-overview/p...

Also the Palo Alto migration tool could be tested to migrate the security configuration to some extent:

https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool

I think that this solution is not valid because in the configuration each sub-interface needs an IP. For example:

(belongs to VSD 0) set interface ethernet0/0.99 ip X.Y.Z.32/24
(belongs to VSD 0) set interface ethernet0/0.99 route
(belongs to VSD 1) set interface ethernet0/0.99:1 ip X.Y.Z.30/24
(belongs to VSD 1) set interface ethernet0/0.99:1 route
(belongs to VSD 2) set interface ethernet0/0.99:2 ip X.Y.Z.29/24
(belongs to VSD 2) set interface ethernet0/0.99:2 route
(belongs to VSD 3) set interface ethernet0/0.99:3 ip X.Y.Z.31/24
(belongs to VSD 3) set interface ethernet0/0.99:3 route

They also share the same security policies, objects, and the rest of the configuration. And the cluster configuration is active/active: VSD 0 and 2 are active on firewall A and passive on firewall B, and VSD 1 and 3 are active on firewall B and passive on firewall A.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB7051&cat=NS_204&actp=LIST
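As an added example (not code from the thread, nor from Juniper or Palo Alto Networks), the Python script below parses ScreenOS `set interface ethernetX/Y.<tag>[:<vsd>]` lines like the ones quoted above, groups them by VSD group, and builds a per-vsys migration worksheet for the VSYS design described in the accepted reply. Everything about the target side is an assumption of this example: the `vsysN` and `vr-vsysN` names, the `ethernet0/0` to `ethernet1/1` port mapping, and the `192.0.2.0/24` sample addresses standing in for the poster's `X.Y.Z`. The chassis ownership table follows the poster's description (VSD 0 and 2 active on firewall A, 1 and 3 on B). The script also flags the exact situation raised in this reply: several VSD groups sharing one VLAN tag on one physical port, which cannot be copied one-for-one and needs a design decision before anything is pushed to the target.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the ScreenOS lines quoted in the thread, with the
# poster's placeholder X.Y.Z replaced by the 192.0.2.0/24 documentation range.
SAMPLE_SCREENOS = """\
set interface ethernet0/0.99 ip 192.0.2.32/24
set interface ethernet0/0.99 route
set interface ethernet0/0.99:1 ip 192.0.2.30/24
set interface ethernet0/0.99:1 route
set interface ethernet0/0.99:2 ip 192.0.2.29/24
set interface ethernet0/0.99:2 route
set interface ethernet0/0.99:3 ip 192.0.2.31/24
set interface ethernet0/0.99:3 route
"""

# Assumption taken from the poster's description of the NSRP cluster:
# VSD groups 0 and 2 are active on firewall A, groups 1 and 3 on firewall B.
ACTIVE_CHASSIS = {0: "A", 1: "B", 2: "A", 3: "B"}

# Hypothetical physical-port mapping for the target box; adjust per model.
PHYS_MAP = {"ethernet0/0": "ethernet1/1"}

# ScreenOS sub-interface syntax: <phys>.<vlan-tag>[:<vsd-group>];
# no ":N" suffix means the interface belongs to VSD group 0.
INTF_RE = re.compile(
    r"^set interface (?P<phys>ethernet\d+/\d+)\.(?P<tag>\d+)(?::(?P<vsd>\d+))?\s+(?P<rest>.+)$"
)


@dataclass
class SubIf:
    phys: str
    tag: int
    vsd: int
    ip: Optional[str] = None
    route_mode: bool = False


def parse_screenos(text: str) -> dict:
    """Collect per-(phys, tag, vsd) sub-interface state from 'set interface' lines."""
    subifs = {}
    for raw in text.splitlines():
        m = INTF_RE.match(raw.strip())
        if not m:
            continue  # not a sub-interface statement; ignore it
        key = (m["phys"], int(m["tag"]), int(m["vsd"] or 0))
        s = subifs.setdefault(key, SubIf(*key))
        words = m["rest"].split()
        if words[0] == "ip" and len(words) > 1:
            s.ip = words[1]
        elif words[0] == "route":
            s.route_mode = True
    return subifs


def shared_vlan_tags(subifs: dict) -> dict:
    """VLAN tags used by more than one VSD group on the same physical port.

    This is the case the poster describes (one trunk port, one VLAN, one IP per
    VSD); it cannot be carried over one-for-one and must be reviewed by hand."""
    by_port_tag = defaultdict(list)
    for (phys, tag, vsd) in subifs:
        by_port_tag[(phys, tag)].append(vsd)
    return {k: sorted(v) for k, v in by_port_tag.items() if len(v) > 1}


def migration_plan(subifs: dict, active: dict, phys_map: dict) -> list:
    """One row per sub-interface: target vsys, virtual router, interface, IP, chassis.

    The vsysN / vr-vsysN naming is this example's convention, not a PAN-OS rule."""
    plan = []
    for (phys, tag, vsd), s in sorted(subifs.items()):
        n = vsd + 1  # assumed mapping: VSD group 0 -> vsys1, 1 -> vsys2, ...
        plan.append({
            "vsd": vsd,
            "vsys": f"vsys{n}",
            "virtual_router": f"vr-vsys{n}",
            "interface": f"{phys_map.get(phys, phys)}.{tag}",
            "ip": s.ip,
            "route_mode": s.route_mode,
            "active_chassis": active.get(vsd, "?"),
        })
    return plan


def active_vsys_by_chassis(plan: list) -> dict:
    """Which vsys each chassis would own in the active/active design from the reply."""
    out = defaultdict(set)
    for row in plan:
        out[row["active_chassis"]].add(row["vsys"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    subifs = parse_screenos(SAMPLE_SCREENOS)
    plan = migration_plan(subifs, ACTIVE_CHASSIS, PHYS_MAP)
    for row in plan:
        print(row)
    print("review: VLAN tags shared across VSD groups:", shared_vlan_tags(subifs))
    print("active vsys per chassis:", active_vsys_by_chassis(plan))
```

Run on the sample, every row lands on the same target interface `ethernet1/1.99` with a different IP, and `shared_vlan_tags` reports tag 99 on `ethernet0/0` as used by VSD groups 0 to 3. That output is the worksheet to take into the demo the accepted reply recommends: the per-vsys virtual routers and the per-chassis ownership translate directly, while the shared-VLAN rows are the part that needs the floating-IP discussion from the linked HA documentation rather than a mechanical copy.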


  • 1 accepted solution
  • 3015 Views
  • 3 replies
  • 0 Likes