Multiple Portals Same Template Panorama Multiple Vsys

Sec101 · ‎06-22-2021

I'm trying to see if there is a good way to use templates to create 2 different global protect portals using panorama. This would be used as a failover scenario, and ease changes, allowing us to use 1 template to configure both firewalls. Name and fqdn would be the same, just failover to the other IP.

Problem is that I can't seem to find out how to capitalize on using a template when it comes down to using the same setup, but on different firewalls on a specific vsys (not vsys1). I know variables solve the problem of ip's, but I think certificates may be a problem too. Multiple vsys and one template config across 2 different firewalls. Solution?

vsys_remo · ‎06-23-2021

Maybe I don't understand what you mean, but in a new template by default vsys1 is created. But then you can add the vsys with the name you like:

After that you could even delete vsys1 from this template so that it only contains the configuration for this one specific vsys you need. When you then add this template to a template stack the configuration from the VPN vsys is applied there where you need it.

View solution in original post

vsys_remo · ‎06-22-2021

Hi @Sec101

As long as the name (in panorama) for the vsys is the same, this shouldn't be a problem. Also the certificate then can be imported in this template and is then applied to both firewalls.

Sec101 · ‎06-23-2021

If you open a new template, are you able to specify anything other than vsys1 - in the vsys designation? I may be doing something wrong- but it looks like I can only select vsys1? Do you just type the name in manually?

SteveCantwell · ‎06-23-2021

Hello there

Here is a point to consider.... every FW (from the vm firewalls to the highest 7000 series) all have a vsys called vsys1.

So, Panorama technically manages vsys, not firewalls.

My point here, how are you adding into the Panorama that you want to have vsys/2 or vsys/3, etc?

I think you need to add in your serial (00700032423434 with a / and the vsys you want to manage)

So my example: 0070003242649/2, then 0070003242649/3

Now each "firewall" can be put into its own template.

Help the community: Like helpful comments and mark solutions

Sec101 · ‎06-23-2021

Is this even in a existing template stack when adding a completely new template that you would want to add into an existing stack? The option to change to a different vsys in a new template that you would want to add to a template stack is either vsys1 or none it seems?. I also see the firewall/vsys on the device groups side, but that doesn't appear to exist on the template side i think, other than the already existing template- where I am able to select which is the default vsys (names included). Its like panorama doesn't know about the mult-vsys in a brand new template. I tried adding it to the stack even, but it still won't allow me to choose the vsys to force that configuration to (would like to do this across firewall with a few variables- but this would be a newly added template into an existing multivsys stack- so the new template would have to designate an already existing vsys that only exists in that stack.

Multiple Portals Same Template Panorama Multiple Vsys

Multiple Portals Same Template Panorama Multiple Vsys

Show your appreciation!