03-26-2021 03:35 AM
Hi team,
We have a Juniper firewall configuration with 4 VSDs (virtual security devices) and we want to migrate that kind of configuration to Palo Alto.
We have tried to migrate that configuration but we didn't find this capability on the Palo Alto firewall.
Does any similar capability exist in Palo Alto?
Thanks,
Regards.
03-26-2021 12:03 PM - edited 03-26-2021 12:06 PM
Better test the Palo Alto, as you can also create sub-interfaces from one physical interface and attach them to a vsys. Each vsys will have its own virtual router, and there is an option for one vsys to send traffic to another vsys if needed.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFgCAK
Shared objects can also be configured, so that one object you configure is present in all vsys:
For vsys active/active there is not exactly the same thing, but you can check the post below, as the chassis are in active/active and a virtual IP address is used that is active on just one of the chassis and standby on the other. The virtual IP will be related to a specific vsys, so for example vsys 1 will get the traffic on chassis 1 and vsys 2 will get the traffic on chassis 2:
I suggest asking Palo Alto for a demo. Can we close this thread, as it is better to test this with a live demo?
03-26-2021 04:17 AM - edited 03-26-2021 04:19 AM
Read about Palo Alto virtual systems, as it is similar to VSD, but you need to have the correct Palo Alto model and license for vsys:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/virtual-systems/virtual-systems-overview
Also, the Palo Alto migration tool could be tested to migrate the security configuration to some extent:
https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool
03-26-2021 07:01 AM - edited 03-26-2021 07:03 AM
I think that this solution is not valid because in the configuration each sub-interface needs an IP. For example:
(belongs to VSD 0) set interface ethernet0/0.99 ip X.Y.Z.32/24
(belongs to VSD 0) set interface ethernet0/0.99 route
(belongs to VSD 1) set interface ethernet0/0.99:1 ip X.Y.Z.30/24
(belongs to VSD 1) set interface ethernet0/0.99:1 route
(belongs to VSD 2) set interface ethernet0/0.99:2 ip X.Y.Z.29/24
(belongs to VSD 2) set interface ethernet0/0.99:2 route
(belongs to VSD 3) set interface ethernet0/0.99:3 ip X.Y.Z.31/24
(belongs to VSD 3) set interface ethernet0/0.99:3 route
They also share the same security policies, objects, and the rest of the configuration. And the cluster configuration is active/active. VSD 0 and 2 are active on firewall A and passive on firewall B, and VSD 1 and 3 are active on firewall B and passive on firewall A.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB7051&cat=NS_204&actp=LIST
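As an added example (not part of the thread or of either vendor's tooling), the script below parses ScreenOS VSD sub-interface lines like the ones quoted above, proposes one vsys plus one virtual router per VSD, and flags VSDs that reuse a single VLAN tag on the same parent interface, which a PAN-OS parent interface cannot carry as separate sub-interfaces. The vsys/virtual-router naming and the RFC 5737 sample addresses standing in for X.Y.Z are this example's assumptions.

```python
import re

# Constructed sample patterned on the ScreenOS lines quoted in the thread (X.Y.Z -> 192.0.2).
SAMPLE_CONFIG = """\
set interface ethernet0/0.99 ip 192.0.2.32/24
set interface ethernet0/0.99 route
set interface ethernet0/0.99:1 ip 192.0.2.30/24
set interface ethernet0/0.99:2 ip 192.0.2.29/24
set interface ethernet0/0.99:3 ip 192.0.2.31/24
"""

# ScreenOS names a sub-interface <phys>.<vlan>[:<vsd>]; a missing ":<vsd>" suffix means VSD 0.
IFACE_RE = re.compile(
    r"^set interface (?P<phys>ethernet\d+/\d+)\.(?P<vlan>\d+)(?::(?P<vsd>\d+))?"
    r" ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})$"
)

def parse_vsd_interfaces(config):
    """Return {vsd_id: (parent, vlan_tag, ip)} from the 'set interface ... ip' lines."""
    found = {}
    for line in config.splitlines():
        m = IFACE_RE.match(line.strip())
        if not m:  # 'route' mode lines and unrelated statements carry no address
            continue
        found[int(m.group("vsd") or 0)] = (m.group("phys"), int(m.group("vlan")), m.group("ip"))
    return found

def plan_vsys_mapping(vsds, active_on):
    """One vsys and one virtual router per VSD (names are this example's assumption),
    keeping the chassis that should own the VSD's address: active_on = {vsd: 'A' | 'B'}."""
    return [
        {"vsd": v, "vsys": f"vsys{v + 1}", "virtual_router": f"vr-vsys{v + 1}",
         "parent": p, "vlan": tag, "ip": ip, "active_chassis": active_on[v]}
        for v, (p, tag, ip) in sorted(vsds.items())
    ]

def vlan_tag_conflicts(vsds):
    """A PAN-OS parent interface carries one sub-interface per 802.1Q tag, so VSDs that
    reuse a tag on the same parent cannot each get their own sub-interface as-is."""
    by_key = {}
    for v, (p, tag, _ip) in vsds.items():
        by_key.setdefault((p, tag), []).append(v)
    return {k: sorted(vs) for k, vs in by_key.items() if len(vs) > 1}

if __name__ == "__main__":
    vsds = parse_vsd_interfaces(SAMPLE_CONFIG)
    for row in plan_vsys_mapping(vsds, {0: "A", 1: "B", 2: "A", 3: "B"}):
        print(row)
    print("tag conflicts:", vlan_tag_conflicts(vsds))
```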