Overview(Configuration template support in Panorama)
When a virtual system (VSYS) configuration is pushed from a Panorama template to a managed Palo Alto Networks device, the following algorithm is applied on the device:
The device first attempts a name match.
If successful, then the configuration for the matching vsys on the device will receive the configuration pushed from Panorama.
If the name match fails, the device will perform a VSYS ID match on an unnamed vsys
If an ID match succeeds on an unnamed VSYS, then it will receive the name and configuration pushed from Panorama
Finally, if the VSYS ID match fails, a new vsys will be created on the device with the name and configuration pushed from Panorama.
The new vsys will be assigned the next available ID
For example, a templated VSYS is created as vsys3 (ID of 3), and pushed to a managed Palo Alto Networks device.
If the name, vsys3, is not found, then the device will attempt to find an unnamed VSYS with ID of 3.
If an unnamed vsys with ID 3 does not exist, then a new vsys will be created with the name vsys3 (and assigned the next available ID).
Note: In general, it is recommended to apply meaningful names to virtual systems (for example: Finance, Marketing, etc.) instead of the label name “vsys3”, which may be assumed to mean the same as ID = VSYS 3.