Device Group Push to a Multi-VSYS Firewall

Device group pushes from the Panorama™ management server to a multi-VSYS managed firewall are bundled into a single job.
Device group configuration changes pushed from the Panorama™ management server to a multi-vsys firewall, whether pushed manually or by a scheduled configuration push of a device group, are automatically bundled into a single job. When a push is executed from Panorama to managed firewalls, Panorama inspects the managed firewalls associated with the device group push. If Panorama detects that multiple vsys belonging to the same multi-vsys firewall are associated with the push, it bundles the commit job for each vsys into a single commit job on the managed firewall to reduce the overall commit job completion time.
If one of the bundled commit jobs fails, the entire push fails and you need to push the entire device group configuration from Panorama again. Additionally, if multiple multi-vsys firewalls are included in a push from Panorama and the push to one of them fails, the entire push fails for all firewalls included in that push. When you monitor the device group push locally on the firewall, a single job is displayed rather than multiple individual jobs. If any warnings or failures occur, an error description indicating the impacted vsys is displayed.
This functionality is supported by default for multi-vsys firewalls managed by Panorama running PAN-OS 10.2 and later releases. Palo Alto Networks recommends that all vsys of a multi-vsys managed firewall be managed by Panorama. After a successful upgrade to PAN-OS 10.2, a full commit and push from Panorama to managed firewalls is required to perform an administrator-level push, which optimizes shared object pushes to multi-vsys firewalls as described below. If a full commit and push is not performed after the upgrade, all subsequent pushes to multi-vsys firewalls fail due to duplicate objects, and all shared configuration objects are saved to the Panorama location rather than the optimized Panorama Shared location.
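The bundling and all-or-nothing behaviour described above, modelled as an added example (this is illustrative code written for this page, not Palo Alto Networks or Panorama code). Firewall names, vsys names and the simulated commit outcome are constructed; `bundle_push` groups the pushed vsys by firewall so each multi-vsys firewall gets one job, and `run_push` reports the push as failed as soon as any bundled vsys commit fails, naming the impacted vsys.

```python
"""Added illustration: Panorama-style bundling of per-vsys commits into one
job per multi-vsys firewall, with the all-or-nothing push result the text
describes. Not Palo Alto Networks code; all names below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class PushTarget:
    firewall: str   # managed firewall name (constructed, e.g. "fw-A")
    vsys: str       # vsys on that firewall, e.g. "vsys1"


@dataclass
class BundledJob:
    firewall: str
    vsys_list: list
    failures: dict = field(default_factory=dict)  # vsys -> error text

    @property
    def succeeded(self):
        return not self.failures


def bundle_push(targets):
    """Group every vsys selected by the device group push by firewall,
    so a multi-vsys firewall receives a single commit job."""
    by_fw = defaultdict(list)
    for t in targets:
        if t.vsys not in by_fw[t.firewall]:
            by_fw[t.firewall].append(t.vsys)
    return [BundledJob(fw, vs) for fw, vs in sorted(by_fw.items())]


def run_push(jobs, simulate_commit):
    """simulate_commit(firewall, vsys) returns None on success or an error
    string. The push as a whole succeeds only if every vsys in every bundled
    job commits; any failure is reported with the impacted vsys named."""
    for job in jobs:
        for v in job.vsys_list:
            err = simulate_commit(job.firewall, v)
            if err:
                job.failures[v] = err
    push_ok = all(j.succeeded for j in jobs)
    report = {}
    for j in jobs:
        if j.succeeded:
            report[j.firewall] = "success"
        else:
            detail = "; ".join(f"{v}: {e}" for v, e in j.failures.items())
            report[j.firewall] = "failed: " + detail
    return push_ok, report


if __name__ == "__main__":
    # Constructed push: two multi-vsys firewalls, two vsys each.
    targets = [PushTarget("fw-A", "vsys1"), PushTarget("fw-A", "vsys2"),
               PushTarget("fw-B", "vsys1"), PushTarget("fw-B", "vsys3")]

    def commit(fw, vsys):
        # Constructed outcome: one vsys on fw-B fails its commit.
        return "validation error" if (fw, vsys) == ("fw-B", "vsys3") else None

    ok, rep = run_push(bundle_push(targets), commit)
    print("push ok:", ok)
    for fw, status in rep.items():
        print(fw, "->", status)
```

Because `push_ok` is a single flag for the whole push, a failure on one firewall marks the push failed even though another firewall's bundled job committed cleanly, which is the re-push situation the text warns about.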

Shared Objects Pushed to a Multi-VSYS Firewall

To reduce the operational burden of scaling configurations for multi-vsys firewalls, Shared configuration objects pushed to a multi-vsys firewall are pushed to the Panorama Shared location on the managed multi-vsys firewall. The Panorama Shared location is available to all vsys of the firewall, meaning that Shared objects are not replicated to each vsys.
The following configurations cannot be added to the Panorama Shared location and are instead replicated to the Panorama location of each vsys of a multi-vsys firewall.
  • Pre and Post Rules
  • External Dynamic Lists (EDL)
  • Security Profile Groups
  • HIP objects and profiles
  • Custom URL objects
  • Decryption Profiles
  • SD-WAN Link Management Profiles
If a Panorama Shared object is overridden in a device group, a new object with the same name but with the overridden value is created in the Panorama location of that device group and pushed to all vsys of a multi-vsys firewall. If a configuration object with the same name is present in both the Panorama and the Panorama Shared locations, preference is given to the object in the Panorama location because it is specific to that vsys on the firewall.
For example, consider a vsys that shows the Addr-Shared-1 address object in both the Panorama Shared and Panorama locations. If the Addr-Shared-1 object is used in a policy rule, the 1.0.0.1 IP address, the value in the Panorama location, is used.
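An added example (illustrative code written for this page, not Palo Alto Networks or Panorama code) that models where pushed objects land on a multi-vsys firewall and which copy a vsys resolves. The type labels in `REPLICATED_TYPES`, the object names and the values are constructed; the placement and precedence rules follow the text above: Shared objects go to the Panorama Shared location, the listed types and any device group objects (including overrides) go to each vsys's Panorama location, and a lookup prefers the vsys-specific Panorama location. `find_duplicates` reports the same-name-in-both-locations case that the Addr-Shared-1 example shows, which is useful to audit before a push.

```python
"""Added illustration: placement of Panorama-pushed objects on a multi-vsys
firewall and per-vsys precedence. Not Palo Alto Networks code; type labels,
names and values are constructed for this example."""

# Object types the text says are never placed in Panorama Shared and are
# replicated into each vsys's Panorama location instead (labels constructed).
REPLICATED_TYPES = {
    "pre-rule", "post-rule", "edl", "security-profile-group",
    "hip-object", "hip-profile", "custom-url", "decryption-profile",
    "sdwan-link-mgmt-profile",
}


def place_objects(shared, device_group_objects, vsys_names):
    """Simulate one firewall after a push.

    shared: {(type, name): value} objects defined in Panorama Shared.
    device_group_objects: {(type, name): value} objects defined or overridden
        in the device group whose pushed vsys are vsys_names.
    Returns {"panorama-shared": {...}, "vsys": {vsys: {"panorama": {...}}}}.
    """
    fw = {"panorama-shared": {},
          "vsys": {v: {"panorama": {}} for v in vsys_names}}
    for key, value in shared.items():
        if key[0] in REPLICATED_TYPES:
            for v in vsys_names:            # replicated per vsys
                fw["vsys"][v]["panorama"][key] = value
        else:
            fw["panorama-shared"][key] = value   # available to all vsys
    # Device group objects, including overrides of Shared objects, are
    # vsys-specific and always land in each vsys's Panorama location.
    for key, value in device_group_objects.items():
        for v in vsys_names:
            fw["vsys"][v]["panorama"][key] = value
    return fw


def resolve(fw, vsys, obj_type, name):
    """Lookup as a policy rule in `vsys` sees it: the vsys-specific Panorama
    location wins over Panorama Shared. Returns (value, location)."""
    key = (obj_type, name)
    local = fw["vsys"][vsys]["panorama"]
    if key in local:
        return local[key], "panorama"
    if key in fw["panorama-shared"]:
        return fw["panorama-shared"][key], "panorama-shared"
    raise KeyError(f"{obj_type} {name!r} was not pushed to {vsys}")


def find_duplicates(fw):
    """Per vsys, objects present in both its Panorama location and Panorama
    Shared: the shadowing case the Addr-Shared-1 example illustrates."""
    dups = {}
    for v, locs in fw["vsys"].items():
        both = set(locs["panorama"]) & set(fw["panorama-shared"])
        if both:
            dups[v] = sorted(both)
    return dups


if __name__ == "__main__":
    # Constructed Panorama Shared content and one device group override.
    shared = {("address", "Addr-Shared-1"): "10.0.0.1",
              ("edl", "blocklist-edl"): "https://example.invalid/list"}
    device_group = {("address", "Addr-Shared-1"): "1.0.0.1"}
    fw = place_objects(shared, device_group, ["vsys1", "vsys2"])
    print(resolve(fw, "vsys1", "address", "Addr-Shared-1"))  # ('1.0.0.1', 'panorama')
    print(find_duplicates(fw))
```

Running the constructed scenario shows the EDL never reaches Panorama Shared but appears in every vsys, while Addr-Shared-1 exists in both locations and resolves to the overridden 1.0.0.1 from the Panorama location.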