Device Group Push to a Multi-VSYS Firewall

Device group pushes from the Panorama™ management server to a multi-VSYS managed firewall are bundled into a single job.
Device group configuration changes pushed manually, or by a scheduled configuration push of device groups, from the Panorama™ management server to a multi-vsys firewall are automatically bundled into a single job. When a push is executed from Panorama to managed firewalls, Panorama inspects the managed firewalls associated with the device group push. If Panorama detects that multiple vsys belonging to the same multi-vsys firewall are associated with the device group push, it bundles the commit job for each vsys into a single commit job on the managed firewall to reduce the overall commit job completion time.
If one of the bundled commit jobs fails, then the entire push fails and you need to push the entire device group configuration change from Panorama again. Additionally, if multiple multi-vsys firewalls are included in a push from Panorama and one push fails, then the entire push fails for all firewalls included in that push. When you monitor the device group push locally on the firewall, a single job is displayed rather than multiple individual jobs. If any warnings or failures occur, an error description indicating the impacted vsys is displayed.
This functionality is supported by default for multi-vsys firewalls managed by Panorama running PAN-OS 10.2 and later releases. Palo Alto Networks recommends that all vsys of a multi-vsys managed firewall be managed by Panorama. After a successful upgrade to PAN-OS 10.2, a full commit and push from Panorama to managed firewalls is required to perform an administrator-level push, which optimizes shared object pushes to multi-vsys firewalls as described below. If a full commit and push are not performed after the upgrade, then all subsequent pushes to multi-vsys firewalls fail due to duplicate objects, and all shared configuration objects are saved to the Panorama location rather than the optimized Panorama Shared location.

Shared Objects Pushed to a Multi-VSYS Firewall

To reduce the operational burden of scaling configurations for multi-vsys firewalls, shared configuration objects pushed to a multi-vsys firewall are pushed to the Panorama Shared location on the managed multi-vsys firewall. The Panorama Shared location is available to all vsys of the firewall, meaning that shared objects are not replicated to each vsys.
The shared optimization setting offers the following levels of control for managing shared objects in multi-vsys environments:
  • None: This mode disables the shared optimization feature entirely, reverting to legacy behavior where shared objects are duplicated across each vsys.
  • Partial: The Partial shared optimization mode moves only a subset of firewall objects to the Shared location of the configuration of the firewall. This subset includes common objects such as addresses or address groups, services or service groups, tags, and specific applications or application groups. By default, the shared optimization mode is set to Partial.
  • (PAN-OS 12.1.0 and later releases) Full: The Full shared optimization mode moves all firewall objects into the shared location. This comprehensive optimization includes objects that the Partial mode does not, further enhancing efficiency.
    You can enable full shared optimization after an upgrade using the command line interface (CLI) command:
    set deviceconfig setting management shared-optimization [full|partial|none]
After modifying the shared-optimization setting, commit your changes for the new configuration to take effect. Then perform a full push to all multi-vsys firewalls that are out of sync.
(11.2.x and earlier releases) The following configurations can't be added to the Panorama Shared location and are replicated to the Panorama location of each vsys of a multi-vsys firewall:
  • Pre and Post Rules
  • External Dynamic Lists (EDL)
  • Security Profile Groups
  • HIP objects and profiles
  • Custom URL objects
  • Decryption Profiles
  • SD-WAN Link Management Profiles
If a Panorama Shared object is overridden in a device group, a new object with the same name but with the overridden value is created in the Panorama location of that device group and pushed to all vsys of a multi-vsys firewall. If a configuration object with the same name is present in both the Panorama and the Panorama Shared locations, preference is given to the object in the Panorama location, because it is specific to that vsys on the firewall.
For example, the vsys below shows the Addr-Shared-1 address object in both the Panorama Shared and Panorama locations. If the Addr-Shared-1 object is used in a policy rule, the 1.0.0.1 IP address is used.
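The following Python model, added here and not part of the PAN-OS documentation or product code, illustrates both the placement rules of the shared optimization modes above and the Panorama-over-Panorama-Shared precedence in this example. The object type names, the sample inventory and the Panorama Shared value for Addr-Shared-1 are constructed assumptions; only the 1.0.0.1 override value and the location names come from the page.

```python
from collections import Counter

# Object types the page says Partial mode moves to Panorama Shared. The type-name
# vocabulary is an assumption of this model, not a set of PAN-OS identifiers.
PARTIAL_SHARED = {"address", "address-group", "service", "service-group", "tag",
                  "application", "application-group"}

def placement(obj_type, mode, vsys_list, panos=(11, 2)):
    """Return the firewall config locations one pushed shared object is written to."""
    if mode not in ("none", "partial", "full"):
        raise ValueError("mode must be none, partial or full")
    if mode == "full" and panos < (12, 1):
        raise ValueError("full shared optimization needs PAN-OS 12.1.0 or later")
    if mode == "full" or (mode == "partial" and obj_type in PARTIAL_SHARED):
        return ["Panorama Shared"]                 # one copy, visible to every vsys
    return [f"{v}/Panorama" for v in vsys_list]    # legacy: replicated per vsys

def objects_written(inventory, mode, vsys_list, panos=(11, 2)):
    """Count objects landing in each location for an inventory of {type: count}."""
    written = Counter()
    for obj_type, count in inventory.items():
        for loc in placement(obj_type, mode, vsys_list, panos):
            written[loc] += count
    return written

def resolve(name, vsys, shared, dg_overrides):
    """Value a policy rule in `vsys` uses: a same-named object in that vsys's
    Panorama location (created by a device-group override) wins over Panorama Shared."""
    local = dg_overrides.get(vsys, {})
    if name in local:
        return local[name], f"{vsys}/Panorama"
    if name in shared:
        return shared[name], "Panorama Shared"
    raise KeyError(f"{name} was not pushed to {vsys}")

if __name__ == "__main__":
    vsys = ["vsys1", "vsys2", "vsys3"]
    inventory = {"address": 100, "edl": 5}         # constructed sample inventory
    for mode in ("none", "partial"):
        print(mode, dict(objects_written(inventory, mode, vsys)))
    print("full", dict(objects_written(inventory, "full", vsys, panos=(12, 1))))
    # Page's example: Addr-Shared-1 exists in both locations; the override wins.
    shared = {"Addr-Shared-1": "10.0.0.1"}         # constructed Panorama Shared value
    overrides = {"vsys1": {"Addr-Shared-1": "1.0.0.1"}}
    print(resolve("Addr-Shared-1", "vsys1", shared, overrides))  # ('1.0.0.1', 'vsys1/Panorama')
    print(resolve("Addr-Shared-1", "vsys2", shared, overrides))  # ('10.0.0.1', 'Panorama Shared')
```

Running it shows why the optimization matters at scale: in None mode every one of the 105 objects is written three times, while Partial keeps the 100 addresses as a single shared copy and only replicates the EDLs.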
(Best Practice) When making configuration changes to shared objects on a multi-vsys firewall, ensure that you push the configuration changes to all device groups and vsys associated with the target firewall.
For example, in a multi-vsys firewall where vsys1 is in device group 1, vsys2 is in device group 2, and vsys3 is in device group 3, after making a configuration change to any shared object, ensure that you push the configuration change to all three device groups.