Move zone and policies between VSYS


L4 Transporter



One of our customers wants to implement VSYS. Currently, the current firewall is a Checkpoint appliance (around 900 rules).

The idea is to replicate the config from the Checkpoint to the PA with only one VSYS to avoid a big bang...

So I will create all zones (in the only one VSYS in the beginning) and policies between zones.

Until now, everything is OK...   


The next phase will be to divide the initial VSYS into 3 or 4 VSYS (only one routing table for all VSYS).

It seems it's not possible to move a zone (and thus policies) between VSYS (interface/subinterface can be moved) when it's created...


So does it mean I need to recreate the zones and policies in the new VSYS?

PS: I know that the destination zone will change because the destination zone will be in another VSYS...


Any idea to eliminate the need to recreate zones and policies and to avoid a granular rulebase review every time we add a new VSYS...






Cyber Elite


Because of the way that the firewall actually handles VSYS, you can't actually move it between VSYS directly in the GUI, because that kind of ruins the whole point of VSYS being a totally separate virtual system. What you can do, and what I would recommend in this situation, is moving the policies directly through the XML or the Migration Tool by simply cutting the code from one VSYS location and copying it to the next.

Just a word of caution in how you are doing this currently: I've found that when companies implement with the design of moving to a multi-VSYS configuration once the firewall is already processing traffic, it never actually happens. I would highly recommend pushing them to allow you to do the configuration of the multiple VSYS before the firewall is actually in production. This design simply duplicates a lot of work regardless of how you actually make this change once it's been put in place.
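The XML cut-and-paste described in the reply above can be scripted against an exported configuration file; the following is an added example, not code from the poster or from Palo Alto Networks. The sample config is constructed, and the function names (`ensure`, `split_vsys`) are hypothetical. It assumes only zones and security rules need to move (address objects, NAT and interface membership are not handled) and reports rules that name zones on both sides of the split, since those are the ones that still need a manual rewrite.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the zone and security-rule parts of a PAN-OS config.
SAMPLE = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1">
  <zone><entry name="dmz"/><entry name="lan"/><entry name="wan"/></zone>
  <rulebase><security><rules>
    <entry name="dmz-internal"><from><member>dmz</member></from><to><member>dmz</member></to></entry>
    <entry name="lan-to-dmz"><from><member>lan</member></from><to><member>dmz</member></to></entry>
    <entry name="lan-to-wan"><from><member>lan</member></from><to><member>wan</member></to></entry>
  </rules></security></rulebase>
</entry>
<entry name="vsys2"/>
</vsys></entry></devices></config>"""

def ensure(parent, path):
    """Return the element at path under parent, creating missing levels."""
    for tag in path.split("/"):
        child = parent.find(tag)
        parent = child if child is not None else ET.SubElement(parent, tag)
    return parent

def split_vsys(root, src, dst, zones):
    """Move `zones` and the rules that use only those zones from src to dst.

    Returns (moved, review): review lists rules that name zones on both sides
    of the split; they stay in src until someone rewrites them by hand.
    """
    vsys = root.find("devices/entry/vsys")
    s, d = (vsys.find(f"entry[@name='{n}']") for n in (src, dst))
    if s is None or d is None:
        raise ValueError("source or destination VSYS not found")
    szones, dzones = ensure(s, "zone"), ensure(d, "zone")
    for z in [z for z in szones if z.get("name") in zones]:
        szones.remove(z)
        dzones.append(z)
    srules = ensure(s, "rulebase/security/rules")
    drules = ensure(d, "rulebase/security/rules")
    moved, review = [], []
    for r in list(srules):
        used = {m.text for m in r.findall("from/member") + r.findall("to/member")}
        if used and used <= zones:   # every zone it names moves: rule moves too
            srules.remove(r)
            drules.append(r)
            moved.append(r.get("name"))
        elif used & zones:           # straddles the split: manual review
            review.append(r.get("name"))
    return moved, review
```

Run it on a copy of the exported config and diff the result before loading anything back onto the firewall.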



First, thanks a lot for your reply.

What do you mean by 'it never actually happens'?

Is it not enough to reboot the firewall (after moving the interface to the correct VSYS)?

In my case, a maintenance window will be available to perform this kind of operation...






What I meant was that when companies attempt to set up the configuration with a single VSYS to get everything functional with minimal changes, with the intent to eventually switch to a multi-VSYS setup, they hardly ever actually make it to a multi-VSYS deployment. Once you have a working system in production, moving to a multi-VSYS deployment, with the steps to move the configuration over to a multi-VSYS and update the routing and security policies appropriately, is a lot of work, with a large possibility of downtime as you work through any issues that may arise.

