Enabling multi vsys on a prod firewall.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Enabling multi vsys on a prod firewall.

L1 Bithead

I’m planning to create multi vsys on my palo alto. I just wanted to know if my existing configuration (interfaces, aggregate interfaces and rulebase) will be moved as it is to vsys1 or they need to be mived manually?

 

I have aggregate interfaces layer 2 in my environment so I need to assign vlan interfaces to vsys and keep parent port in no vsys or an admin vsys. Will that work?

3 REPLIES 3

L1 Bithead

I checked and my assumption about rulebase and configuration part was correct. Everything is under same vsys i.e vsys1.

 

But i’m not sure about assigning aggregate interface with no Vsys, as Every interface needs vsys configuration.

Cyber Elite
Cyber Elite

@mudassar216,

So everything you already have configured is technically already in vsys1 outside of shared objects, so nothing really "moves" when you enable multi-vsys as it's already present in the default vsys1. So every interface you have configured, including your aggregate, is already technically in vsys1. 

Your aggregate interface needs to be assigned to a vsys and can't be left unassigned. I've never honestly tried having the VLANs split out between vsys coming across an AE assigned to another vsys, but I would guess that this would be an invalid configuration.

@BPry 

Yes the first part is correct. I already tried it 🙂

 

For the aggregate interface, what I did is removed the agg interface itself from under vsys and kept it’s vlan interfaces in required vsys. I was able to do that but I couldn’t test if the setup was working. Will check and confirm.

  • 3884 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!