How to move all template configuration in "Shared" location into Vsys1

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

How to move all template configuration in "Shared" location into Vsys1

L1 Bithead

Hi all,


Some help on this would appreciated.


Evaluating a client panorama that has a variety of templates on it, with much of the configuration in the templates being done in the "Shared" location, and much of it in "vsys1" location, including a number of certificates that have been imported to one or the other inconsistently over the years.


The problem is primarily, I'm trying to setup various settings in Device->Setup->Management such as the SSL/TLS Service Profile, and Local Certificates/Certificate Profiles for secure communication settings etc - and a number of the certificates are stored in vsys1, but the configuration only allows me to reference configuration in "Shared" - this is despite the mode being set to "Single vsys".  So when I try refer to the certificate I want, it won't let me - I have to re-import the certificate into the Shared location and then re-do profiles etc, this is a laborious process and I feel like I must be missing something?


None of the firewalls use multi-vsys, so why would the Device Management settings only be able to refer to configuration in "Shared" location? How do I normalise all of this configuration?


L1 Bithead

I've met this also and just adopted to it as is. Some automation or manipulation over XML config may increase your perfomance and make you life better. This can be a good point to start learning about it: PAN-OS® and Panorama™API Usage Guide (
Regarding why it done like it is done, the answer, I guess, that system allow multi-vsys configuration and XML tree of config adopted to support all possible config.

Cyber Elite
Cyber Elite

Hi @tonyrobson ,


Great question.  I wondered the same thing myself.  On a firewall with the default single vsys, the certificates and SSL/TLS service profiles are stored in shared, although you cannot see or set the location in the GUI.  You can see it in the CLI with the "show shared certificate" and "show shared ssl-tls-service-profile" commands.  So, on the single-vsys NGFW, you can only choose SSL/TLS service profiles in shared from Device > Setup > Management.  I first noticed this behavior on a multi-vsys firewall.  It seems to be built in and cannot be set to choose from vsys1, possibly because PANW does not want device management config tied to a vsys.





Help the community: Like helpful comments and mark solutions.
  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!