Multiple Portals Same Template Panorama Multiple Vsys


I'm trying to see if there is a good way to use templates to create 2 different GlobalProtect portals using Panorama. This would be used as a failover scenario, and ease changes, allowing us to use 1 template to configure both firewalls. Name and FQDN would be the same, just failover to the other IP.

Problem is that I can't seem to find out how to capitalize on using a template when it comes down to using the same setup, but on different firewalls on a specific vsys (not vsys1). I know variables solve the problem of IPs, but I think certificates may be a problem too. Multiple vsys and one template config across 2 different firewalls. Solution?


Hi @Sec101 

As long as the name (in Panorama) for the vsys is the same, this shouldn't be a problem. Also, the certificate can then be imported in this template and is then applied to both firewalls.

If you open a new template, are you able to specify anything other than vsys1 in the vsys designation? I may be doing something wrong, but it looks like I can only select vsys1? Do you just type the name in manually?

Hello there

Here is a point to consider.... every FW (from the VM firewalls to the highest 7000 series) has a vsys called vsys1.

So, Panorama technically manages vsys, not firewalls.

My point here: how are you adding into Panorama that you want to have vsys/2 or vsys/3, etc.?

I think you need to add in your serial (00700032423434 with a / and the vsys you want to manage)

So my example: 0070003242649/2, then 0070003242649/3

Now each "firewall" can be put into its own template.

Is this even in an existing template stack when adding a completely new template that you would want to add into an existing stack? The option to change to a different vsys in a new template that you would want to add to a template stack is either vsys1 or none, it seems? I also see the firewall/vsys on the device groups side, but that doesn't appear to exist on the template side, I think, other than the already existing template, where I am able to select which is the default vsys (names included). It's like Panorama doesn't know about the multi-vsys in a brand new template. I tried adding it to the stack even, but it still won't allow me to choose the vsys to force that configuration to (would like to do this across firewalls with a few variables, but this would be a newly added template into an existing multi-vsys stack, so the new template would have to designate an already existing vsys that only exists in that stack).

Hi @Sec101 

Panorama actually doesn't care about the internal firewall vsys names (vsys1, vsys2, vsys3, ...). In Panorama you create a template with a name like "VPN". If you then apply this template to a firewall, the configuration will be applied to the vsys with the name "VPN". There it does not matter if this vsys "VPN" is vsys2 on firewall 1 and, for example, vsys4 on firewall 2. So with this, theoretically, your requirement should be configurable, but there probably still are some stones in the way, aka dependent configurations. So if there are other configurations in the same vsys on the two firewalls, you might need to change some of these into the template for the vsys "VPN".

@SCantwell_IM are you talking about the device groups? As these are applied to 0070003242649/VSYSNAME. The templates need to be added to template stacks to which actual firewalls (without vsys) are attached.

Maybe I don't understand what you mean, but in a new template by default vsys1 is created. But then you can add the vsys with the name you like:

[Image: vsys_remo_0-1624480849455.png]

After that you could even delete vsys1 from this template so that it only contains the configuration for this one specific vsys you need. When you then add this template to a template stack the configuration from the VPN vsys is applied there where you need it.

That is exactly what I meant. Thank you @Remo! So now, my only question is, I'm guessing I can have two templates managing the same vsys, as long as there are no overlaps in the configuration, correct? I know the top-down precedence order in stacking, but when it comes to multiple templates managing the same vsys, does it work the same way?

@Sec101 yes, it works the same way. As long as you have no overlaps all the configurations will be applied.

(If there are overlaps, then the configuration from the template with the higher priority (higher in the list of templates in the template stack) will be used.)
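
Added example, not part of the original thread and not Panorama's own code or schema: a small model of the stack precedence described above, useful for spotting settings (such as a certificate) that two templates both define for the same named vsys before committing. The template names, the vsys name "VPN", the setting paths and the `$portal_ip` variable are constructed for illustration.

```python
# Simplified model (assumption): a template is a nested dict keyed by vsys
# *name*, then by setting path. This is not Panorama's real XML schema.

def flatten(tree, prefix=()):
    """Yield (path, value) for every leaf setting in a nested dict."""
    for key, val in tree.items():
        path = prefix + (key,)
        if isinstance(val, dict):
            yield from flatten(val, path)
        else:
            yield path, val

def resolve_stack(stack):
    """stack: list of (template_name, config), highest priority first.

    Returns (effective, overlaps):
      effective maps path -> (value, winning_template)
      overlaps lists (path, winner, loser, values_differ)
    """
    effective, overlaps = {}, []
    for name, config in stack:
        for path, value in flatten(config):
            if path in effective:
                # A template higher in the stack already set this path,
                # so this lower-priority value is shadowed.
                win_val, winner = effective[path]
                overlaps.append((path, winner, name, win_val != value))
            else:
                effective[path] = (value, name)
    return effective, overlaps

# Constructed sample: two templates that both manage the vsys named "VPN".
STACK = [
    ("gp-portal", {"VPN": {
        "portal": {"name": "gp-portal", "fqdn": "vpn.example.com",
                   "address": "$portal_ip"},   # per-firewall variable
        "certificate": {"vpn-cert": "imported"}}}),
    ("base-vpn", {"VPN": {
        "zone": {"vpn-untrust": "layer3"},
        "certificate": {"vpn-cert": "self-signed"}}}),
]

if __name__ == "__main__":
    effective, overlaps = resolve_stack(STACK)
    for path, winner, loser, differ in overlaps:
        state = "CONFLICT" if differ else "duplicate"
        print(f"{state}: {'/'.join(path)} from {winner} shadows {loser}")
```

Overlaps whose values differ are the ones to review, since the lower template's value is silently dropped on the firewall.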
