Device Group Push to a Multi-VSYS Firewall
Table of Contents
Device Group Push to a Multi-VSYS Firewall
Device group pushes from the Panorama™ management server
to a multi-VSYS managed firewall are bundled into a single job.
Device group configuration changes pushed
manually or from a scheduled configuration
push of a device groups from the Panorama™ management server
to a multi-vsys firewall are
automatically bundled into a single job. When a push is executed
from Panorama to managed firewalls, Panorama inspects the managed firewalls
associated with the device group push. If Panorama detects that
multiple vsys belonging to the same multi-vsys firewall are associated
with a device group push, it bundles the commit job for each vsys
into a single commit job on the managed firewall to reduce the overall
commit job completion time.
If one of the bundled commit jobs fails, then
the entire push fails and you need to push entire the device group
configuration changes from Panorama again. Additionally, if multiple
multi-vsys firewalls are included in a push from Panorama and one push
fails, then the entire push fails to all firewalls included in the
push from Panorama. When you monitor the device group push locally
on the firewall, a single job is displayed rather than multiple
individual jobs. If any warnings are failures occur, an error description
indicating the impacted vsys is displayed.
This functionality is supported for multi-vsys firewalls managed
by Panorama running PAN-OS 10.2 and later releases by default. Palo Alto
Networks recommends that all vsys of a multi-vsys managed firewall be managed by
Panorama. After a successful upgrade to PAN-OS 10.2, a full commit and
push from Panorama to managed firewalls is required to perform an administrator-level push, which optimizes
shared object pushes to multi-vsys firewalls as described below. If a full commit and
push are not performed after upgrade, then all subsequent pushes to multi-vsys firewall
fail due to duplicate objects and all shared configuration objects are saved to the
Panorama location, rather than the optimized
Panorama Shared location.
Shared Objects Pushed to a Multi-VSYS Firewall
To reduce the operational burden of scaling configurations for multi-vsys firewalls,
shared configuration objects pushed to a multi-vsys firewall are pushed to the
Panorama Shared location on the managed multi-vsys firewall. The Panorama Shared
location is available to all vsys of the firewall, meaning that shared objects are
not replicated to each vsys.
The shared optimization setting offers the
following levels of control for managing shared objects in multi-vsys environments:
- None: This mode disables the shared optimization feature entirely, reverting to legacy behavior where shared objects are duplicated across each vsys.
- Partial: The Partial shared optimization mode moves only a subset of firewall objects to the Shared location of the configuration of the firewall. This subset includes common objects such as addresses or address groups, services or service groups, tags, and specific applications or application groups. By default, the shared optimization mode is set to Partial.
- (PAN-OS 12.1.0 and later releases) Full: The Full shared
optimization mode moves all firewall objects into the shared location. This
comprehensive optimization includes objects that the Partial mode does not,
further enhancing efficiency. You can enable full shared optimization after an upgrade using the command line interface (CLI) command:set deviceconfig setting management shared-optimization [full|partial|none]
- Ensure you commit your changes after modifying the shared-optimization setting for the new configuration to take effect.
- After you commit changes to the shared-optimization setting, perform a full push to all multi-vsys firewalls that are out-of-sync.
(11.2.x and earlier releases)The following configurations can't be added to the Shared Panorama location and are replicated to the Panorama location of each vsys of a multi-vsys firewall.- Pre and Post Rules
- External Dynamic Lists (EDL)
- Security Profile Groups
- HIP objects and profiles
- Custom URL objects
- Decryption Profiles
- SD-WAN Link Management Profiles
![]()
If a Panorama Shared object is overridden in a device group, a new object with the same name but with the overridden value is created in the Panorama location of that device group and pushed to all vsys of a multi-vsys firewall. If a configuration object with the same name is present in both the Panorama and the Panorama Shared locations, preference in the configuration is given to the object in the Panorama location as because it is specific to that vsys on the firewall.For example, the vsys below shows the Addr-Shared-1 address object in both the Panorama Shared and Panorama locations. If the Addr-Shared-1 object is used in a policy rule, the 1.0.0.1 IP address is used.![]()
(Best Practice) When making configuration changes to shared objects on a multi-vsys firewall, ensure that you push the configuration changes to all device groups and vsys associated with the target firewall.For example, in a multi-vsys firewall where vsys1 is in device group 1, vsys2 is in device group 2, and vsys3 is in device group 3, after making a configuration change to any shared object, ensure that you push the configuration change to all three device groups.
