05-26-2023 10:46 AM
Hi @Metgatz ,
I see that no one with more experience has jumped in. I will give you my $.02. That may be all it is worth. 😀 I hope I don't write anything inaccurate.
The 1st question to ask yourself is why do you want to do virtual systems? My answer is for separate administration, e.g. different people will manage the different virtual systems. If your goal is traffic segmentation, that can be handled with separate virtual routers, zones, interfaces, and policy rules.
Now, have any of you had to deal with something like this? I imported NGFWs with vsys into Panorama.
Does it involve reboots? No.
Does it involve situations or limitations with Panorama and the vsys? Not that I am aware of. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLsWCAW
Will it be transparent for the current Template and Device Groups? Yes. The templates will remain the same with a vsys option for interfaces, zones, etc. A new device (vsys2) should show up in Panorama that you can assign to different device groups.
Is it necessary to do onboarding of the new vsys? I don't think so.
What are the major issues to review, validate and take special care for this environment? I did not have any issues with my one customer. It is useful to know that the commit is done for the whole NGFW. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-new-features/panorama-features/device-group-pus...
If you go forward, please post how it goes!
Thanks,
Tom