Convert VSD Juniper(Screen OS) configuration to Palo Alto

Fjrubiab
L0 Member

Hi team,

We have a Juniper firewall configuration with 4 VSDs (virtual security devices) and we want to migrate that kind of configuration to Palo Alto.

We have tried to migrate that configuration but we didn't find this capability on the Palo Alto firewall.

Does any similar capability exist in Palo Alto?

Thanks,
Regards.


Accepted Solutions
NikolayDimitrov
L4 Transporter

Better to test the Palo Alto, as you can also create subinterfaces from one physical interface and attach them to a vsys. Each VSYS will have its own virtual router, and there is an option for one vsys to send traffic to another vsys if needed.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFgCAK

Also, shared objects can be configured, so that an object you configure is present in all vsys:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/virtual-systems/virtual-systems-overview/s...

For VSYS active/active there is not exactly the same thing, but you can check the post below, as the chassis are in active/active and a virtual IP address is used that is active on just one of the chassis and standby on the other. The virtual IP will be related to a specific vsys, so for example vsys 1 will get the traffic on chassis 1 and vsys 2 will get the traffic on chassis 2:

https://live.paloaltonetworks.com/t5/general-topics/ha-active-active-mode-with-multi-vsys/td-p/27863...

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/floating-ip-...

I suggest asking Palo Alto for a demo, and can we close this thread, as it is better to test this with a live demo?


All Replies
NikolayDimitrov
L4 Transporter

Read about Palo Alto virtual systems, as it is similar to VSD, but you need to have the correct Palo Alto model and license for VSYS:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/virtual-systems/virtual-systems-overview

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/virtual-systems/virtual-systems-overview/p...

Also, the Palo Alto migration tool could be tested to migrate the security configuration to some extent:

https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool

Fjrubiab
L0 Member

I think that this solution is not valid because in the configuration each subinterface needs an IP. For example:

(belongs to VSD 0) set interface ethernet0/0.99 ip X.Y.Z.32/24
(belongs to VSD 0) set interface ethernet0/0.99 route
(belongs to VSD 1) set interface ethernet0/0.99:1 ip X.Y.Z.30/24
(belongs to VSD 1) set interface ethernet0/0.99:1 route
(belongs to VSD 2) set interface ethernet0/0.99:2 ip X.Y.Z.29/24
(belongs to VSD 2) set interface ethernet0/0.99:2 route
(belongs to VSD 3) set interface ethernet0/0.99:3 ip X.Y.Z.31/24
(belongs to VSD 3) set interface ethernet0/0.99:3 route

They also share the same security policies, objects, and the rest of the configuration. And the cluster configuration is active/active. VSD 0 and 2 are active on firewall A and passive on firewall B, and VSD 1 and 3 are active on firewall B and passive on firewall A.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB7051&cat=NS_204&actp=LIST
