01-14-2019 09:26 AM
We have a multivsys system with extensive configuration in which we have been asked to consolidate into a single vsys. I have worked in Expedition, uploading two configuration and manually moving things over. I have tried load merging the configuation and only copying the vsys information into a single vsys. All met with varying level of success. There seems to be little to no documentation that I have been able to find.
My questions are - Is the possible? And what are the best ways to accomplish merging a multivsys system into a single vsys?
01-14-2019 12:50 PM
Okay cool. So there is no real method for merging vsys except for doing it essentially by hand. This is really going to suck.
06-08-2022 11:19 AM
I used Expedition to combine the different vsys in to the same configuration vsys on my base config. I had to do a lot of clean up, but it was not as bad as I thought. Using the CLI to merge the config by @TomYoung works to, essentially the same thing, but you dont have as good of clean up tools.
01-14-2019 10:04 AM
There is a lot of configuration statements that need to be removed, modified, and the like when moving from a multi-vsys system to a sole vsys system. I would really recommend completely rebuilding the configuration file instead of actually using the Expedition tool to do so. This allows you to ensure that everything gets rebuilt correctly.
This is possible, but it's a lot of work to do as you can't easily merge the statements and have it function correctly.
01-14-2019 10:35 AM
I want to make sure I understand what you are saying. I can take multiple physical palo altos, merge the configuration. I would need to check the routing, interfaces and policies. And that would work with some hiccups, but is possible and something that is supported by Palo Alto. If I were to take a single PA with a multi vsys setup, I have to recreate everything from scratch?
01-14-2019 11:10 AM
You don't have to completely re-create the configuration file; the reason that I would recommend doing so is that it generally takes less time then going back and taking out all of the unnecessary statements and verifying that the entire syntax is correct and the configuration file will actually pass the validatation process.
01-14-2019 12:50 PM
Okay cool. So there is no real method for merging vsys except for doing it essentially by hand. This is really going to suck.
05-30-2022 12:48 PM - edited 06-08-2022 12:47 PM
Hi @miguelgzz ,
With regard to moving bulk configuration, the 2 main ways are through CLI and load config partial. CLI is the easier of the two by far. Here is a doc that shows how to "Import Palo Alto Networks Firewall Configurations into Panorama" https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clf2CAC&refURL=http%3A%2F%... but it can be easily modified to move a config from 1 vsys to another.
Load config partial can actually be faster, but takes longer to learn. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-cli-quick-start/use-the-cli/load-configurations... The Xpath (XML path) is the trickiest, but can easily be looked up in the API Browser. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-ap... There is also an API Debug -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-ap....
Thanks,
Tom
Edit: Thank you @blwavg for the 3rd option of Expedition! It DOES have excellent cleanup tools. Did you import export configs or push the changes via API from Expedition?
06-08-2022 11:19 AM
I used Expedition to combine the different vsys in to the same configuration vsys on my base config. I had to do a lot of clean up, but it was not as bad as I thought. Using the CLI to merge the config by @TomYoung works to, essentially the same thing, but you dont have as good of clean up tools.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
