Did you configure the HA firewalls' multi-vsys configuration before you decided to add the firewalls (PAN-OS 9.0.8) to Panorama (PAN-OS 9.0.8)?

Migrate a Firewall HA Pair to Panorama Management

https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-ha-pair-to-panorama-management.html 

Failed to add imported nodes into Panorama

https://live.paloaltonetworks.com/t5/general-topics/failed-to-add-imported-nodes-into-panorama/m-p/333177#M84166


Once you get all of the above squared away, and depending on how you manage your Panorama, you might want to add some already existing templates to your multi-vsys template stack. For example, you might have a template for on-prem firewalls, AWS firewalls, datacenter firewalls, etc.

As for me, I have the following templates:

Below you can see my template stack for my HA pair:

For my template stack (above), “JD-3220-multi-vsys_stack”, I do not have a “Default VSYS”. This is important to note if you are at the vsys license or software limit for your device.

Here is an example of the above scenario. Below you will see the JD-3220-Primary firewall, which has 5 vsys configured. Notice that I do not have a vsys4 ID.

I'll add a vsys locally on the firewall and commit:

Now that I have 6 vsys configured on the firewall, let me show you what happens when I add a template that has a "Default VSYS" defined to the Panorama template stack, then push to the firewall.

Below is the view of my Panorama template stack again

Now I'll change the template stack to remove the Global-Template and add the AWS-Firewalls template.

Now let’s check out what the AWS-Firewalls template has:

Below, we don't have anything assigned for the OnPrem-Firewalls or the Global-Template template:

Now let's commit these changes on Panorama, then push to the firewall:

What you have to do is remove the "Default VSYS" in the AWS-Firewalls template to get this to work:

I'm going to test what that means when we add a firewall that has only a single vsys (JD-220) and assign those templates to the JD-220-template_stack.

But let's see what happens when we remove that locally created vsys and push the AWS-Firewalls template vsys to the firewall:
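The push problem above comes down to arithmetic that the Panorama GUI does not show you up front: every template in the stack whose "Default VSYS" names a vsys the firewall does not already have adds one more vsys on push, and a firewall that is already at its vsys limit has no room for it. The following is an added example (not code from this page or from Palo Alto Networks) that does that pre-push check offline against exported XML. It uses the standard PAN-OS XPath for a firewall's vsys entries (`/config/devices/entry[@name='localhost.localdomain']/vsys/entry`); the `template/entry/settings/default-vsys` location on the Panorama side is an assumption, and the vsys names, the AWS-Firewalls default vsys of `vsys4` and the capacity of 6 are constructed for the example. Replace them with your own exports and the vsys limit for your platform and license.

```python
"""Pre-push check for a Panorama template stack against a multi-vsys firewall.

Added example, not from the page or from Palo Alto Networks. Models the page's
scenario: a template whose "Default VSYS" names a vsys the firewall lacks adds
a vsys on push, and a firewall already at its vsys limit cannot take it.
"""
import re
import xml.etree.ElementTree as ET

# Standard PAN-OS location of vsys entries in a firewall config export.
VSYS_XPATH = "./devices/entry[@name='localhost.localdomain']/vsys/entry"
# Assumed location of a template's Default VSYS in a Panorama config export.
TEMPLATE_XPATH = "./devices/entry[@name='localhost.localdomain']/template/entry"

# Constructed firewall config shaped like the page's JD-3220-Primary after the
# local add: vsys1-3, vsys5, vsys6 and a locally created vsys7; no vsys4.
FIREWALL_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys>
    <entry name="vsys1"/><entry name="vsys2"/><entry name="vsys3"/>
    <entry name="vsys5"/><entry name="vsys6"/>
    <entry name="vsys7"><display-name>local-test</display-name></entry>
  </vsys></entry></devices>
</config>"""

# Constructed Panorama templates: only AWS-Firewalls carries a Default VSYS,
# and its value (vsys4) is one the firewall does not have.
PANORAMA_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><template>
    <entry name="OnPrem-Firewalls"><settings/></entry>
    <entry name="Global-Template"><settings/></entry>
    <entry name="AWS-Firewalls"><settings><default-vsys>vsys4</default-vsys></settings></entry>
  </template></entry></devices>
</config>"""

VSYS_CAPACITY = 6  # constructed limit; take yours from the platform spec and license


def configured_vsys(firewall_xml):
    """Names of every vsys defined on the firewall, in config order."""
    root = ET.fromstring(firewall_xml)
    return [e.get("name") for e in root.findall(VSYS_XPATH)]


def vsys_id_gaps(names):
    """Unused vsysN IDs below the highest one in use (the page's missing vsys4)."""
    ids = sorted(int(n[4:]) for n in names if re.fullmatch(r"vsys\d+", n))
    return [i for i in range(1, ids[-1] + 1) if i not in ids] if ids else []


def template_default_vsys(panorama_xml, stack):
    """{template name: Default VSYS or None} for each template in the stack."""
    root = ET.fromstring(panorama_xml)
    out = {}
    for name in stack:
        entry = root.find(f"{TEMPLATE_XPATH}[@name='{name}']")
        if entry is None:
            raise KeyError(f"template {name!r} is not in the Panorama config")
        dv = entry.find("./settings/default-vsys")
        out[name] = dv.text.strip() if dv is not None and dv.text else None
    return out


def check_push(firewall_xml, panorama_xml, stack, capacity):
    """Decide whether pushing `stack` fits within the firewall's vsys capacity."""
    existing = configured_vsys(firewall_xml)
    defaults = template_default_vsys(panorama_xml, stack)
    # A Default VSYS the firewall already has adds nothing; a new name adds one.
    added = sorted({v for v in defaults.values() if v and v not in existing})
    projected = len(existing) + len(added)
    return {
        "existing": len(existing),
        "gaps": vsys_id_gaps(existing),
        "defaults": defaults,
        "added_by_push": added,
        "projected": projected,
        "capacity": capacity,
        "ok": projected <= capacity,
    }


if __name__ == "__main__":
    for stack in (["OnPrem-Firewalls", "Global-Template"],
                  ["OnPrem-Firewalls", "AWS-Firewalls"]):
        r = check_push(FIREWALL_CONFIG, PANORAMA_CONFIG, stack, VSYS_CAPACITY)
        verdict = "OK" if r["ok"] else "WOULD EXCEED VSYS LIMIT"
        print(f"{'+'.join(stack)}: {r['existing']} vsys on box (gaps {r['gaps']}), "
              f"push adds {r['added_by_push'] or 'nothing'}, "
              f"{r['projected']}/{r['capacity']} -> {verdict}")
```

With the constructed data, the OnPrem-Firewalls + Global-Template stack passes (no template names a new vsys), while swapping in AWS-Firewalls projects 7 vsys on a 6-vsys box and is flagged before you commit on Panorama. Clearing the Default VSYS in AWS-Firewalls, or deleting the locally created vsys first as the page does, brings the projection back within the limit.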


In my experience, and based on my understanding of the PAN-OS limitations, a firewall (PAN-OS 9.0.8) that has multiple vsys can ONLY belong to one template and one template stack in Panorama (PAN-OS 9.0.8). With that said, you cannot have Panorama configured so that there is a template per separate vsys.

What that looks like in my Panorama is below:

I haven't found out how to have an admin from a specific vsys organization be able to ONLY view AND manage their respective vsys, without being able to view/edit other vsys' Network tab/Device tab values (template values).

If you create a local firewall admin account that only has access to a specific vsys (using RADIUS auth, an access domain, an admin role (which plays a large role in that), an authentication profile, and then creating an admin account using the auth profile), the Network tab only shows:

- Zones

- GlobalProtect

        Portals

        Gateways

        MDM

        Device Block List

        Clientless Apps

        Clientless App Groups

START OF PANW CONFIG FOR RADIUS, ACCESS DOMAIN, ADMIN ROLE, ALSO WINDOWS SERVER 2016

Let me show you how RADIUS authentication works with the access domain and admin role vendor-specific attributes on the local firewall.

I started with the RADIUS server profile:

Then we configure the access domain:

Then we configure the admin role:

Create an admin for the peace vsys:

Now we set up the Windows RADIUS server:

Create the vendor-specific attribute for the RADIUS Network Policy to recognize the admin role (Note: the vendor-assigned attribute number for the admin role is 3. The vendor code is 25461):

Create the vendor-specific attribute for the RADIUS Network Policy to recognize the access domain (Note: the vendor-assigned attribute number for the access domain is 4. The vendor code is 25461):

I create a condition on the RADIUS Network Policy to match users who are part of the on-prem AD security group:

Finally, we configure the AD user to be in the on-prem user group:

After that you should be able to authenticate to the PANW device, provided you committed all the changes on the PANW device:
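To check what the two NPS vendor-specific attributes above actually put on the wire, here is an added example (not from this page, from Microsoft or from Palo Alto Networks) that encodes and decodes RFC 2865 Vendor-Specific attributes for vendor 25461 and labels them with the PAN-OS RADIUS dictionary names. The attribute list, the admin role name and the access domain name in it are constructed. One caveat worth knowing when you read the decoded output: in the PAN-OS dictionary for vendor 25461, vendor types 1 and 2 are PaloAlto-Admin-Role and PaloAlto-Admin-Access-Domain, 3 and 4 are the Panorama variants (PaloAlto-Panorama-Admin-Role and PaloAlto-Panorama-Admin-Access-Domain), and 5 is PaloAlto-User-Group; the NPS policy above uses 3 and 4, so compare the decoded names from your own capture against what the device you are logging into expects.

```python
"""Encode/decode RADIUS Vendor-Specific attributes (RFC 2865 section 5.26) for
the Palo Alto Networks vendor ID 25461.

Added example, not from the page, from Microsoft or from Palo Alto Networks.
The sample Access-Accept attribute list below is constructed, and the admin
role / access domain names in it are hypothetical.
"""
import struct

VSA_TYPE = 26          # RADIUS attribute type "Vendor-Specific"
PAN_VENDOR_ID = 25461  # vendor code used by PAN-OS, as on the page

# Vendor attribute numbers in the PAN-OS RADIUS dictionary (vendor 25461).
PAN_VSA_NAMES = {
    1: "PaloAlto-Admin-Role",
    2: "PaloAlto-Admin-Access-Domain",
    3: "PaloAlto-Panorama-Admin-Role",
    4: "PaloAlto-Panorama-Admin-Access-Domain",
    5: "PaloAlto-User-Group",
}


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute carrying a single string sub-attribute:
    Type(26) Length Vendor-Id(4) | Vendor-Type Vendor-Length String."""
    data = value.encode("utf-8")
    vendor_len = 2 + len(data)
    length = 2 + 4 + vendor_len
    if length > 255:
        raise ValueError("VSA value too long for one RADIUS attribute")
    return struct.pack("!BBIBB", VSA_TYPE, length, vendor_id, vendor_type, vendor_len) + data


def decode_attributes(blob):
    """Walk a RADIUS attribute list (the bytes after the 20-byte packet header)
    and return [(vendor_id, vendor_type, value)] for every VSA sub-attribute.
    Non-VSA attributes are skipped; malformed lengths raise rather than being
    silently accepted."""
    found = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        body = blob[i + 2:i + alen]
        if atype == VSA_TYPE:
            if len(body) < 6:
                raise ValueError("VSA shorter than Vendor-Id plus one sub-attribute")
            vendor_id = struct.unpack("!I", body[:4])[0]
            j = 4
            while j < len(body):  # RFC 2865 permits several sub-attributes per VSA
                if j + 2 > len(body):
                    raise ValueError("truncated vendor sub-attribute header")
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError(f"bad vendor sub-attribute length {vlen}")
                found.append((vendor_id, vtype, body[j + 2:j + vlen].decode("utf-8")))
                j += vlen
        i += alen
    return found


def pan_admin_attributes(blob):
    """{PAN-OS dictionary name: value} for the vendor-25461 VSAs in an attribute list."""
    result = {}
    for vendor_id, vtype, value in decode_attributes(blob):
        if vendor_id == PAN_VENDOR_ID:
            result[PAN_VSA_NAMES.get(vtype, f"PaloAlto-Vendor-Type-{vtype}")] = value
    return result


# Constructed attribute list of a hypothetical NPS Access-Accept: a Class
# attribute (type 25), which NPS typically adds, then the two VSAs configured
# above with vendor types 3 and 4 as on this page.
SAMPLE_ACCESS_ACCEPT_ATTRS = (
    bytes([25, 6]) + b"\x00\x01\x02\x03"
    + encode_vsa(PAN_VENDOR_ID, 3, "peace-vsys-admin")     # hypothetical admin role name
    + encode_vsa(PAN_VENDOR_ID, 4, "peace-access-domain")  # hypothetical access domain name
)

if __name__ == "__main__":
    for name, value in pan_admin_attributes(SAMPLE_ACCESS_ACCEPT_ATTRS).items():
        print(f"{name} = {value}")
```

Feed `pan_admin_attributes` the bytes after the 20-byte RADIUS header (Code, Identifier, Length, Authenticator) of the Access-Accept from a capture of the RADIUS exchange on UDP 1812; the decoded strings must match the admin role and access domain names you created on the firewall, and the decoded dictionary names tell you whether the policy is sending the firewall-scoped or the Panorama-scoped attribute numbers.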

WHAT DOES THE UI LOOK LIKE WITH AN ADMIN ROLE PROFILE USING THE DEVICE ROLE:

We can change the Admin Role Profile for the local firewall account:

WHAT DO THE ACCESS DOMAIN/ADMIN ROLE LOOK LIKE FROM THE PANORAMA PERSPECTIVE?

Create a Panorama admin for a single vsys:

ADMIN ROLE CAN BE CUSTOMIZED

- has access only to the DG for the police vsys

Configure RADIUS Authentication

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-radius-authentication.html

RADIUS

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-types/radius.html 
