diff --git a/go/pkg/pass1/collect-routers-and-networks.go b/go/pkg/pass1/collect-routers-and-networks.go
index 06cffa96..74a9da94 100644
--- a/go/pkg/pass1/collect-routers-and-networks.go
+++ b/go/pkg/pass1/collect-routers-and-networks.go
@@ -36,7 +36,7 @@ func (c *spoc) collectRoutersAndNetworks() {
 r1 := l[0]
 m1 := r1.model.class
 if r1.model.needManagementInstance {
- mr := c.getRouter(r1.deviceName, r1.ipV6)
+ mr := c.getManagementInstance(r1)
 if mr == nil {
 c.err("Must define unmanaged router:%s\n"+
 " with attribute 'management_instance'\n"+
diff --git a/go/pkg/pass1/print-code.go b/go/pkg/pass1/print-code.go
index aa554498..f7d2862e 100644
--- a/go/pkg/pass1/print-code.go
+++ b/go/pkg/pass1/print-code.go
@@ -2365,7 +2365,7 @@ func (c *spoc) getDevices() []*router {

 func (c *spoc) printPanOS(fd *os.File, l []*router) {
 r := l[0]
- mgmt := c.getRouter(r.deviceName, r.ipV6)
+ mgmt := c.getManagementInstance(r)
 hostnames := mgmt.deviceName
 ipList := mgmt.interfaces[0].ip.String()
 if backup := mgmt.backupInstance; backup != nil {
@@ -2393,7 +2393,7 @@ Generated by %s, version %s

 func (c *spoc) printNSX(fd *os.File, l []*router) {
 r := l[0]
- mgmt := c.getRouter(r.deviceName, r.ipV6)
+ mgmt := c.getManagementInstance(r)
 hostnames := mgmt.deviceName
 ipList := mgmt.interfaces[0].ip.String()
 if backup := mgmt.backupInstance; backup != nil {
diff --git a/go/pkg/pass1/setup-objects.go b/go/pkg/pass1/setup-objects.go
index 94557aef..510758d4 100644
--- a/go/pkg/pass1/setup-objects.go
+++ b/go/pkg/pass1/setup-objects.go
@@ -2867,6 +2867,14 @@ func (c *spoc) getRouter(name string, v6 bool) *router {
 }
 }

+func (c *spoc) getManagementInstance(r *router) *router {
+ mgmt := c.getRouter(r.deviceName, c.conf.IPV6)
+ if mgmt == nil {
+ return c.getRouter(r.deviceName, !c.conf.IPV6)
+ }
+ return mgmt
+}
+
 func (c *spoc) getTypedName(a *ast.Attribute, ctx string) (string, string) {
 v := c.getSingleValue(a, ctx)
 typ, name, found := strings.Cut(v, ":")
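Review bot: In print-code.go, `printPanOS` dereferences `mgmt.deviceName` and indexes `mgmt.interfaces[0]` straight after `c.getManagementInstance(r)`, which returns nil when neither address family defines the instance; `printNSX` has the same pattern. The nil case is reported through `c.err` in `collectRoutersAndNetworks`, but whether that stops the run before code is printed is not visible in this diff. Document the invariant where it is relied on, for example `// mgmt is non-nil and has an interface; enforced in collectRoutersAndNetworks.`, so a later change to the lookup does not turn a missing management_instance into a panic while device code is being written. Both function bodies continue outside their hunks.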
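Review bot: `getManagementInstance` in setup-objects.go has no doc comment, and its lookup order is not what the signature suggests: it reads only `r.deviceName` and tries the `c.conf.IPV6` family first, so `r.ipV6`, which the replaced `c.getRouter(r.deviceName, r.ipV6)` calls used, no longer affects the result. When both families define an instance, the added test "IPv4 and IPv6 management_instance" in nsx.t expects `#[ IP = 10.1.1.1 ]` in `ipv6/r1`, so the IPv6 rule file now carries the IPv4 management address where the old call would presumably have chosen the IPv6 instance. If that is intended, state it on the function: `// getManagementInstance returns the management instance named r.deviceName, preferring the address family selected by c.conf.IPV6 and falling back to the other one; r.ipV6 is deliberately ignored. It returns nil if neither family defines it.`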
diff --git a/go/testdata/ipv6/nsx_ipv6.t b/go/testdata/ipv6/nsx_ipv6.t
index cc8423d6..4e7796c6 100644
--- a/go/testdata/ipv6/nsx_ipv6.t
+++ b/go/testdata/ipv6/nsx_ipv6.t
@@ -71,6 +71,770 @@ Error: Must define unmanaged router:r1 for router:r1@v1 =END= +############################################################ +=TITLE=Only one IPv4 management_instance +=TODO= No IPv6 +=PARAMS=--ipv6 +=INPUT= +-- ipv6/z_sort_after_ipv6 +network:n1 = { ip = ::a01:100/120; } +network:n2 = { ip = ::a01:200/120; } +router:r1 = { + model = NSX; + management_instance; + interface:n1 = { ip = ::a01:101; } +} +router:r1@v1 = { + model = NSX, T0; + managed; + interface:n1 = { ip = ::a01:102; hardware = IN; } + interface:n2 = { ip = ::a01:201; hardware = OUT; } +} +service:s1 = { + user = network:n1; + permit src = user; dst = network:n2; prt = tcp 80; +} +-- ipv6/ipv6 +network:n1v6 = { ip = ::a01:100/120; } +network:n2v6 = { ip = ::a01:200/120; } +router:r1@v1 = { + model = NSX, T0; + managed; + interface:n1v6 = { ip = ::a01:102; hardware = IN; } + interface:n2v6 = { ip = ::a01:201; hardware = OUT; } +} +service:s1v6 = { + user = network:n1v6; + permit src = user; dst = network:n2v6; prt = tcp 80; +} +=OUTPUT= +--ipv6/ipv6/r1 +#Generated by Netspoc, version devel +-- +# +-- +#[ BEGIN r1 ] +-- +#[ Model = NSX ] +-- +#[ IP = ::a01:101 ] +-- +{ + "groups": null, + "policies": [ + { + "id": "Netspoc-v1", + "resource_type": "GatewayPolicy", + "rules": [ + { + "action": "ALLOW", + "destination_groups": [ + "::a01:200/120" + ], + "direction": "OUT", + "id": "v6r1", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 20, + "services": [ + "/infra/services/Netspoc-tcp_80" + ], + "source_groups": [ + "::a01:100/120" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "OUT", + "id": "v6r2", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + }, + { + "action": "DROP", + 
"destination_groups": [ + "ANY" + ], + "direction": "IN", + "id": "v6r3", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + } + ] + } + ], + "services": [ + { + "id": "Netspoc-tcp_80", + "service_entries": [ + { + "destination_ports": [ + "80" + ], + "id": "id", + "l4_protocol": "TCP", + "resource_type": "L4PortSetServiceEntry", + "source_ports": [] + } + ] + } + ] +} +--ipv6/r1 +#Generated by Netspoc, version devel +-- +# +-- +#[ BEGIN r1 ] +-- +#[ Model = NSX ] +-- +#[ IP = ::a01:101 ] +-- +{ + "groups": null, + "policies": [ + { + "id": "Netspoc-v1", + "resource_type": "GatewayPolicy", + "rules": [ + { + "action": "ALLOW", + "destination_groups": [ + "::a01:200/120" + ], + "direction": "OUT", + "id": "v6r1", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 20, + "services": [ + "/infra/services/Netspoc-tcp_80" + ], + "source_groups": [ + "::a01:100/120" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "OUT", + "id": "v6r2", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "IN", + "id": "v6r3", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + } + ] + } + ], + "services": [ + { + "id": "Netspoc-tcp_80", + "service_entries": [ + { + "destination_ports": [ + "80" + ], + "id": "id", + "l4_protocol": "TCP", + "resource_type": "L4PortSetServiceEntry", + "source_ports": [] + } + ] + } + ] 
+} +=END= + +############################################################ +=TITLE=Only one IPv6 management_instance +=TODO= No IPv6 +=PARAMS=--ipv6 +=INPUT= +-- ipv6/z_sort_after_ipv6 +network:n1 = { ip = ::a01:100/120; } +network:n2 = { ip = ::a01:200/120; } +router:r1@v1 = { + model = NSX, T0; + managed; + interface:n1 = { ip = ::a01:102; hardware = IN; } + interface:n2 = { ip = ::a01:201; hardware = OUT; } +} +service:s1 = { + user = network:n1; + permit src = user; dst = network:n2; prt = tcp 80; +} +-- ipv6/ipv6 +network:n1v6 = { ip = ::a01:100/120; } +network:n2v6 = { ip = ::a01:200/120; } +router:r1 = { + model = NSX; + management_instance; + interface:n1v6 = { ip = ::a01:101; } +} +router:r1@v1 = { + model = NSX, T0; + managed; + interface:n1v6 = { ip = ::a01:102; hardware = IN; } + interface:n2v6 = { ip = ::a01:201; hardware = OUT; } +} +service:s1v6 = { + user = network:n1v6; + permit src = user; dst = network:n2v6; prt = tcp 80; +} +=OUTPUT= +--ipv6/ipv6/r1 +#Generated by Netspoc, version devel +-- +# +-- +#[ BEGIN r1 ] +-- +#[ Model = NSX ] +-- +#[ IP = ::a01:101 ] +-- +{ + "groups": null, + "policies": [ + { + "id": "Netspoc-v1", + "resource_type": "GatewayPolicy", + "rules": [ + { + "action": "ALLOW", + "destination_groups": [ + "::a01:200/120" + ], + "direction": "OUT", + "id": "v6r1", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 20, + "services": [ + "/infra/services/Netspoc-tcp_80" + ], + "source_groups": [ + "::a01:100/120" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "OUT", + "id": "v6r2", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "IN", + "id": "v6r3", + 
"ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + } + ] + } + ], + "services": [ + { + "id": "Netspoc-tcp_80", + "service_entries": [ + { + "destination_ports": [ + "80" + ], + "id": "id", + "l4_protocol": "TCP", + "resource_type": "L4PortSetServiceEntry", + "source_ports": [] + } + ] + } + ] +} +--ipv6/r1 +#Generated by Netspoc, version devel +-- +# +-- +#[ BEGIN r1 ] +-- +#[ Model = NSX ] +-- +#[ IP = ::a01:101 ] +-- +{ + "groups": null, + "policies": [ + { + "id": "Netspoc-v1", + "resource_type": "GatewayPolicy", + "rules": [ + { + "action": "ALLOW", + "destination_groups": [ + "::a01:200/120" + ], + "direction": "OUT", + "id": "v6r1", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 20, + "services": [ + "/infra/services/Netspoc-tcp_80" + ], + "source_groups": [ + "::a01:100/120" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "OUT", + "id": "v6r2", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "IN", + "id": "v6r3", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + } + ] + } + ], + "services": [ + { + "id": "Netspoc-tcp_80", + "service_entries": [ + { + "destination_ports": [ + "80" + ], + "id": "id", + "l4_protocol": "TCP", + "resource_type": "L4PortSetServiceEntry", + "source_ports": [] + } + ] + } + ] +} +=END= + +############################################################ 
+=TITLE=IPv4 and IPv6 management_instance +=TODO= No IPv6 +=PARAMS=--ipv6 +=INPUT= +-- ipv6/z_sort_after_ipv6 +network:n1 = { ip = ::a01:100/120; } +network:n2 = { ip = ::a01:200/120; } +router:r1 = { + model = NSX; + management_instance; + interface:n1 = { ip = ::a01:101; } +} +router:r1@v1 = { + model = NSX, T0; + managed; + interface:n1 = { ip = ::a01:102; hardware = IN; } + interface:n2 = { ip = ::a01:201; hardware = OUT; } +} +service:s1 = { + user = network:n1; + permit src = user; dst = network:n2; prt = tcp 80; +} +-- ipv6/ipv6 +network:n1v6 = { ip = ::a01:100/120; } +network:n2v6 = { ip = ::a01:200/120; } +router:r1 = { + model = NSX; + management_instance; + interface:n1v6 = { ip = ::a01:101; } +} +router:r1@v1 = { + model = NSX, T0; + managed; + interface:n1v6 = { ip = ::a01:102; hardware = IN; } + interface:n2v6 = { ip = ::a01:201; hardware = OUT; } +} +service:s1v6 = { + user = network:n1v6; + permit src = user; dst = network:n2v6; prt = tcp 80; +} +=OUTPUT= +--ipv6/ipv6/r1 +#Generated by Netspoc, version devel +-- +# +-- +#[ BEGIN r1 ] +-- +#[ Model = NSX ] +-- +#[ IP = ::a01:101 ] +-- +{ + "groups": null, + "policies": [ + { + "id": "Netspoc-v1", + "resource_type": "GatewayPolicy", + "rules": [ + { + "action": "ALLOW", + "destination_groups": [ + "::a01:200/120" + ], + "direction": "OUT", + "id": "v6r1", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 20, + "services": [ + "/infra/services/Netspoc-tcp_80" + ], + "source_groups": [ + "::a01:100/120" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "OUT", + "id": "v6r2", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "IN", + "id": 
"v6r3", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + } + ] + } + ], + "services": [ + { + "id": "Netspoc-tcp_80", + "service_entries": [ + { + "destination_ports": [ + "80" + ], + "id": "id", + "l4_protocol": "TCP", + "resource_type": "L4PortSetServiceEntry", + "source_ports": [] + } + ] + } + ] +} +--ipv6/r1 +#Generated by Netspoc, version devel +-- +# +-- +#[ BEGIN r1 ] +-- +#[ Model = NSX ] +-- +#[ IP = ::a01:101 ] +-- +{ + "groups": null, + "policies": [ + { + "id": "Netspoc-v1", + "resource_type": "GatewayPolicy", + "rules": [ + { + "action": "ALLOW", + "destination_groups": [ + "::a01:200/120" + ], + "direction": "OUT", + "id": "v6r1", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 20, + "services": [ + "/infra/services/Netspoc-tcp_80" + ], + "source_groups": [ + "::a01:100/120" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "OUT", + "id": "v6r2", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "IN", + "id": "v6r3", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + } + ] + } + ], + "services": [ + { + "id": "Netspoc-tcp_80", + "service_entries": [ + { + "destination_ports": [ + "80" + ], + "id": "id", + "l4_protocol": "TCP", + "resource_type": "L4PortSetServiceEntry", + "source_ports": [] + } + ] + } + ] +} +=END= + 
############################################################ =TITLE=management_instance has wrong model =PARAMS=--ipv6 diff --git a/go/testdata/ipv6/pan-os_ipv6.t b/go/testdata/ipv6/pan-os_ipv6.t index 6ab17eeb..d379c386 100644 --- a/go/testdata/ipv6/pan-os_ipv6.t +++ b/go/testdata/ipv6/pan-os_ipv6.t @@ -299,6 +299,332 @@ Error: Must define unmanaged router:r2 for router:r2@vsys2 =END= +############################################################ +=TITLE=Only one IPv4 management_instance +=TODO= No IPv6 +=PARAMS=--ipv6 +=INPUT= +-- ipv6/z_sort_after_ipv6 +network:n1 = { ip = ::a01:100/120; } +network:n2 = { ip = ::a01:200/120; } +router:r1 = { + model = PAN-OS; + management_instance; + interface:n1 = { ip = ::a01:101; } +} +router:r1@vsys1 = { + model = PAN-OS; + managed; + interface:n1 = { ip = ::a01:102; hardware = IN; } + interface:n2 = { ip = ::a01:201; hardware = OUT; } +} +service:s1 = { + user = network:n1; + permit src = user; dst = network:n2; prt = tcp 80; +} +-- ipv6/ipv6 +network:n1v6 = { ip = ::a01:100/120; } +network:n2v6 = { ip = ::a01:200/120; } +router:r1@vsys1 = { + model = PAN-OS; + managed; + interface:n1v6 = { ip = ::a01:102; hardware = IN; } + interface:n2v6 = { ip = ::a01:201; hardware = OUT; } +} +service:s1v6 = { + user = network:n1v6; + permit src = user; dst = network:n2v6; prt = tcp 80; +} +=OUTPUT= +--ipv6/ipv6/r1 + + + +-- + + + +allow +IN +OUT +NET_::a01:100_120 +NET_::a01:200_120 +tcp 80 +any +interzone + + + + +
+::a01:100/120 +::a01:200/120 +
+ +80 + +
+--ipv6/r1 + + + +-- + + + +allow +IN +OUT +NET_::a01:100_120 +NET_::a01:200_120 +tcp 80 +any +interzone + + + + +
+::a01:100/120 +::a01:200/120 +
+ +80 + +
+=END= + +############################################################ +=TITLE=Only one IPv6 management_instance +=TODO= No IPv6 +=PARAMS=--ipv6 +=INPUT= +-- ipv6/z_sort_after_ipv6 +network:n1 = { ip = ::a01:100/120; } +network:n2 = { ip = ::a01:200/120; } +router:r1@vsys1 = { + model = PAN-OS; + managed; + interface:n1 = { ip = ::a01:102; hardware = IN; } + interface:n2 = { ip = ::a01:201; hardware = OUT; } +} +service:s1 = { + user = network:n1; + permit src = user; dst = network:n2; prt = tcp 80; +} +-- ipv6/ipv6 +network:n1v6 = { ip = ::a01:100/120; } +network:n2v6 = { ip = ::a01:200/120; } +router:r1 = { + model = PAN-OS; + management_instance; + interface:n1v6 = { ip = ::a01:101; } +} +router:r1@vsys1 = { + model = PAN-OS; + managed; + interface:n1v6 = { ip = ::a01:102; hardware = IN; } + interface:n2v6 = { ip = ::a01:201; hardware = OUT; } +} +service:s1v6 = { + user = network:n1v6; + permit src = user; dst = network:n2v6; prt = tcp 80; +} +=OUTPUT= +--ipv6/ipv6/r1 + + + +-- + + + +allow +IN +OUT +NET_::a01:100_120 +NET_::a01:200_120 +tcp 80 +any +interzone + + + + +
+::a01:100/120 +::a01:200/120 +
+ +80 + +
+--ipv6/r1 + + + +-- + + + +allow +IN +OUT +NET_::a01:100_120 +NET_::a01:200_120 +tcp 80 +any +interzone + + + + +
+::a01:100/120 +::a01:200/120 +
+ +80 + +
+=END= + +############################################################ +=TITLE=IPv4 and IPv6 management_instance +=TODO= No IPv6 +=PARAMS=--ipv6 +=INPUT= +-- ipv6/z_sort_after_ipv6 +network:n1 = { ip = ::a01:100/120; } +network:n2 = { ip = ::a01:200/120; } +router:r1 = { + model = PAN-OS; + management_instance; + interface:n1 = { ip = ::a01:101; } +} +router:r1@vsys1 = { + model = PAN-OS; + managed; + interface:n1 = { ip = ::a01:102; hardware = IN; } + interface:n2 = { ip = ::a01:201; hardware = OUT; } +} +service:s1 = { + user = network:n1; + permit src = user; dst = network:n2; prt = tcp 80; +} +-- ipv6/ipv6 +network:n1v6 = { ip = ::a01:100/120; } +network:n2v6 = { ip = ::a01:200/120; } +router:r1 = { + model = PAN-OS; + management_instance; + interface:n1v6 = { ip = ::a01:101; } +} +router:r1@vsys1 = { + model = PAN-OS; + managed; + interface:n1v6 = { ip = ::a01:102; hardware = IN; } + interface:n2v6 = { ip = ::a01:201; hardware = OUT; } +} +service:s1v6 = { + user = network:n1v6; + permit src = user; dst = network:n2v6; prt = tcp 80; +} +=OUTPUT= +--ipv6/ipv6/r1 + + + +-- + + + +allow +IN +OUT +NET_::a01:100_120 +NET_::a01:200_120 +tcp 80 +any +interzone + + + + +
+::a01:100/120 +::a01:200/120 +
+ +80 + +
+--ipv6/r1 + + + +-- + + + +allow +IN +OUT +NET_::a01:100_120 +NET_::a01:200_120 +tcp 80 +any +interzone + + + + +
+::a01:100/120 +::a01:200/120 +
+ +80 + +
+=END= + ############################################################ =TITLE=Missing policy_distribution_point at management_instance =PARAMS=--ipv6 diff --git a/go/testdata/nsx.t b/go/testdata/nsx.t index 08447ad1..5f6cb8d7 100644 --- a/go/testdata/nsx.t +++ b/go/testdata/nsx.t 
@@ -67,6 +67,767 @@ Error: Must define unmanaged router:r1 for router:r1@v1 =END= +############################################################ +=TITLE=Only one IPv4 management_instance +# No IPv6 +=INPUT= +-- z_sort_after_ipv6 +network:n1 = { ip = 10.1.1.0/24; } +network:n2 = { ip = 10.1.2.0/24; } +router:r1 = { + model = NSX; + management_instance; + interface:n1 = { ip = 10.1.1.1; } +} +router:r1@v1 = { + model = NSX, T0; + managed; + interface:n1 = { ip = 10.1.1.2; hardware = IN; } + interface:n2 = { ip = 10.1.2.1; hardware = OUT; } +} +service:s1 = { + user = network:n1; + permit src = user; dst = network:n2; prt = tcp 80; +} +-- ipv6 +network:n1v6 = { ip = ::a01:100/120; } +network:n2v6 = { ip = ::a01:200/120; } +router:r1@v1 = { + model = NSX, T0; + managed; + interface:n1v6 = { ip = ::a01:102; hardware = IN; } + interface:n2v6 = { ip = ::a01:201; hardware = OUT; } +} +service:s1v6 = { + user = network:n1v6; + permit src = user; dst = network:n2v6; prt = tcp 80; +} +=OUTPUT= +--ipv6/r1 +#Generated by Netspoc, version devel +-- +# +-- +#[ BEGIN r1 ] +-- +#[ Model = NSX ] +-- +#[ IP = 10.1.1.1 ] +-- +{ + "groups": null, + "policies": [ + { + "id": "Netspoc-v1", + "resource_type": "GatewayPolicy", + "rules": [ + { + "action": "ALLOW", + "destination_groups": [ + "::a01:200/120" + ], + "direction": "OUT", + "id": "v6r1", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 20, + "services": [ + "/infra/services/Netspoc-tcp_80" + ], + "source_groups": [ + "::a01:100/120" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "OUT", + "id": "v6r2", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "IN", + 
"id": "v6r3", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + } + ] + } + ], + "services": [ + { + "id": "Netspoc-tcp_80", + "service_entries": [ + { + "destination_ports": [ + "80" + ], + "id": "id", + "l4_protocol": "TCP", + "resource_type": "L4PortSetServiceEntry", + "source_ports": [] + } + ] + } + ] +} +--r1 +#Generated by Netspoc, version devel +-- +# +-- +#[ BEGIN r1 ] +-- +#[ Model = NSX ] +-- +#[ IP = 10.1.1.1 ] +-- +{ + "groups": null, + "policies": [ + { + "id": "Netspoc-v1", + "resource_type": "GatewayPolicy", + "rules": [ + { + "action": "ALLOW", + "destination_groups": [ + "10.1.2.0/24" + ], + "direction": "OUT", + "id": "r1", + "ip_protocol": "IPV4", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 20, + "services": [ + "/infra/services/Netspoc-tcp_80" + ], + "source_groups": [ + "10.1.1.0/24" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "OUT", + "id": "r2", + "ip_protocol": "IPV4", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "IN", + "id": "r3", + "ip_protocol": "IPV4", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + } + ] + } + ], + "services": [ + { + "id": "Netspoc-tcp_80", + "service_entries": [ + { + "destination_ports": [ + "80" + ], + "id": "id", + "l4_protocol": "TCP", + "resource_type": "L4PortSetServiceEntry", + "source_ports": [] + } + ] + } + ] +} +=END= + +############################################################ 
+=TITLE=Only one IPv6 management_instance +# No IPv6 +=INPUT= +-- z_sort_after_ipv6 +network:n1 = { ip = 10.1.1.0/24; } +network:n2 = { ip = 10.1.2.0/24; } +router:r1@v1 = { + model = NSX, T0; + managed; + interface:n1 = { ip = 10.1.1.2; hardware = IN; } + interface:n2 = { ip = 10.1.2.1; hardware = OUT; } +} +service:s1 = { + user = network:n1; + permit src = user; dst = network:n2; prt = tcp 80; +} +-- ipv6 +network:n1v6 = { ip = ::a01:100/120; } +network:n2v6 = { ip = ::a01:200/120; } +router:r1 = { + model = NSX; + management_instance; + interface:n1v6 = { ip = ::a01:101; } +} +router:r1@v1 = { + model = NSX, T0; + managed; + interface:n1v6 = { ip = ::a01:102; hardware = IN; } + interface:n2v6 = { ip = ::a01:201; hardware = OUT; } +} +service:s1v6 = { + user = network:n1v6; + permit src = user; dst = network:n2v6; prt = tcp 80; +} +=OUTPUT= +--ipv6/r1 +#Generated by Netspoc, version devel +-- +# +-- +#[ BEGIN r1 ] +-- +#[ Model = NSX ] +-- +#[ IP = ::a01:101 ] +-- +{ + "groups": null, + "policies": [ + { + "id": "Netspoc-v1", + "resource_type": "GatewayPolicy", + "rules": [ + { + "action": "ALLOW", + "destination_groups": [ + "::a01:200/120" + ], + "direction": "OUT", + "id": "v6r1", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 20, + "services": [ + "/infra/services/Netspoc-tcp_80" + ], + "source_groups": [ + "::a01:100/120" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "OUT", + "id": "v6r2", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "IN", + "id": "v6r3", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + 
"sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + } + ] + } + ], + "services": [ + { + "id": "Netspoc-tcp_80", + "service_entries": [ + { + "destination_ports": [ + "80" + ], + "id": "id", + "l4_protocol": "TCP", + "resource_type": "L4PortSetServiceEntry", + "source_ports": [] + } + ] + } + ] +} +--r1 +#Generated by Netspoc, version devel +-- +# +-- +#[ BEGIN r1 ] +-- +#[ Model = NSX ] +-- +#[ IP = ::a01:101 ] +-- +{ + "groups": null, + "policies": [ + { + "id": "Netspoc-v1", + "resource_type": "GatewayPolicy", + "rules": [ + { + "action": "ALLOW", + "destination_groups": [ + "10.1.2.0/24" + ], + "direction": "OUT", + "id": "r1", + "ip_protocol": "IPV4", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 20, + "services": [ + "/infra/services/Netspoc-tcp_80" + ], + "source_groups": [ + "10.1.1.0/24" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "OUT", + "id": "r2", + "ip_protocol": "IPV4", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "IN", + "id": "r3", + "ip_protocol": "IPV4", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + } + ] + } + ], + "services": [ + { + "id": "Netspoc-tcp_80", + "service_entries": [ + { + "destination_ports": [ + "80" + ], + "id": "id", + "l4_protocol": "TCP", + "resource_type": "L4PortSetServiceEntry", + "source_ports": [] + } + ] + } + ] +} +=END= + +############################################################ +=TITLE=IPv4 and IPv6 management_instance +# No IPv6 +=INPUT= +-- z_sort_after_ipv6 +network:n1 = { ip = 10.1.1.0/24; } +network:n2 = { ip 
= 10.1.2.0/24; } +router:r1 = { + model = NSX; + management_instance; + interface:n1 = { ip = 10.1.1.1; } +} +router:r1@v1 = { + model = NSX, T0; + managed; + interface:n1 = { ip = 10.1.1.2; hardware = IN; } + interface:n2 = { ip = 10.1.2.1; hardware = OUT; } +} +service:s1 = { + user = network:n1; + permit src = user; dst = network:n2; prt = tcp 80; +} +-- ipv6 +network:n1v6 = { ip = ::a01:100/120; } +network:n2v6 = { ip = ::a01:200/120; } +router:r1 = { + model = NSX; + management_instance; + interface:n1v6 = { ip = ::a01:101; } +} +router:r1@v1 = { + model = NSX, T0; + managed; + interface:n1v6 = { ip = ::a01:102; hardware = IN; } + interface:n2v6 = { ip = ::a01:201; hardware = OUT; } +} +service:s1v6 = { + user = network:n1v6; + permit src = user; dst = network:n2v6; prt = tcp 80; +} +=OUTPUT= +--ipv6/r1 +#Generated by Netspoc, version devel +-- +# +-- +#[ BEGIN r1 ] +-- +#[ Model = NSX ] +-- +#[ IP = 10.1.1.1 ] +-- +{ + "groups": null, + "policies": [ + { + "id": "Netspoc-v1", + "resource_type": "GatewayPolicy", + "rules": [ + { + "action": "ALLOW", + "destination_groups": [ + "::a01:200/120" + ], + "direction": "OUT", + "id": "v6r1", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 20, + "services": [ + "/infra/services/Netspoc-tcp_80" + ], + "source_groups": [ + "::a01:100/120" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "OUT", + "id": "v6r2", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "IN", + "id": "v6r3", + "ip_protocol": "IPV6", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + 
"source_groups": [ + "ANY" + ] + } + ] + } + ], + "services": [ + { + "id": "Netspoc-tcp_80", + "service_entries": [ + { + "destination_ports": [ + "80" + ], + "id": "id", + "l4_protocol": "TCP", + "resource_type": "L4PortSetServiceEntry", + "source_ports": [] + } + ] + } + ] +} +--r1 +#Generated by Netspoc, version devel +-- +# +-- +#[ BEGIN r1 ] +-- +#[ Model = NSX ] +-- +#[ IP = 10.1.1.1 ] +-- +{ + "groups": null, + "policies": [ + { + "id": "Netspoc-v1", + "resource_type": "GatewayPolicy", + "rules": [ + { + "action": "ALLOW", + "destination_groups": [ + "10.1.2.0/24" + ], + "direction": "OUT", + "id": "r1", + "ip_protocol": "IPV4", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 20, + "services": [ + "/infra/services/Netspoc-tcp_80" + ], + "source_groups": [ + "10.1.1.0/24" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "OUT", + "id": "r2", + "ip_protocol": "IPV4", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + }, + { + "action": "DROP", + "destination_groups": [ + "ANY" + ], + "direction": "IN", + "id": "r3", + "ip_protocol": "IPV4", + "profiles": [ + "ANY" + ], + "resource_type": "Rule", + "scope": [ + "/infra/tier-0s/v1" + ], + "sequence_number": 30, + "services": [ + "ANY" + ], + "source_groups": [ + "ANY" + ] + } + ] + } + ], + "services": [ + { + "id": "Netspoc-tcp_80", + "service_entries": [ + { + "destination_ports": [ + "80" + ], + "id": "id", + "l4_protocol": "TCP", + "resource_type": "L4PortSetServiceEntry", + "source_ports": [] + } + ] + } + ] +} +=END= + ############################################################ =TITLE=management_instance has wrong model =INPUT= diff --git a/go/testdata/pan-os.t b/go/testdata/pan-os.t index 0b8d6301..2bea4439 100644 --- a/go/testdata/pan-os.t +++ b/go/testdata/pan-os.t 
@@ -282,6 +282,329 @@ Error: Must define unmanaged router:r2 for router:r2@vsys2 =END= +############################################################ +=TITLE=Only one IPv4 management_instance +# No IPv6 +=INPUT= +-- z_sort_after_ipv6 +network:n1 = { ip = 10.1.1.0/24; } +network:n2 = { ip = 10.1.2.0/24; } +router:r1 = { + model = PAN-OS; + management_instance; + interface:n1 = { ip = 10.1.1.1; } +} +router:r1@vsys1 = { + model = PAN-OS; + managed; + interface:n1 = { ip = 10.1.1.2; hardware = IN; } + interface:n2 = { ip = 10.1.2.1; hardware = OUT; } +} +service:s1 = { + user = network:n1; + permit src = user; dst = network:n2; prt = tcp 80; +} +-- ipv6 +network:n1v6 = { ip = ::a01:100/120; } +network:n2v6 = { ip = ::a01:200/120; } +router:r1@vsys1 = { + model = PAN-OS; + managed; + interface:n1v6 = { ip = ::a01:102; hardware = IN; } + interface:n2v6 = { ip = ::a01:201; hardware = OUT; } +} +service:s1v6 = { + user = network:n1v6; + permit src = user; dst = network:n2v6; prt = tcp 80; +} +=OUTPUT= +--ipv6/r1 + + + +-- + + + +allow +IN +OUT +NET_::a01:100_120 +NET_::a01:200_120 +tcp 80 +any +interzone + + + + +
+::a01:100/120 +::a01:200/120 +
+ +80 + +
+--r1 + + + +-- + + + +allow +IN +OUT +NET_10.1.1.0_24 +NET_10.1.2.0_24 +tcp 80 +any +interzone + + + + +
+10.1.1.0/24 +10.1.2.0/24 +
+ +80 + +
+=END= + +############################################################ +=TITLE=Only one IPv6 management_instance +# No IPv6 +=INPUT= +-- z_sort_after_ipv6 +network:n1 = { ip = 10.1.1.0/24; } +network:n2 = { ip = 10.1.2.0/24; } +router:r1@vsys1 = { + model = PAN-OS; + managed; + interface:n1 = { ip = 10.1.1.2; hardware = IN; } + interface:n2 = { ip = 10.1.2.1; hardware = OUT; } +} +service:s1 = { + user = network:n1; + permit src = user; dst = network:n2; prt = tcp 80; +} +-- ipv6 +network:n1v6 = { ip = ::a01:100/120; } +network:n2v6 = { ip = ::a01:200/120; } +router:r1 = { + model = PAN-OS; + management_instance; + interface:n1v6 = { ip = ::a01:101; } +} +router:r1@vsys1 = { + model = PAN-OS; + managed; + interface:n1v6 = { ip = ::a01:102; hardware = IN; } + interface:n2v6 = { ip = ::a01:201; hardware = OUT; } +} +service:s1v6 = { + user = network:n1v6; + permit src = user; dst = network:n2v6; prt = tcp 80; +} +=OUTPUT= +--ipv6/r1 + + + +-- + + + +allow +IN +OUT +NET_::a01:100_120 +NET_::a01:200_120 +tcp 80 +any +interzone + + + + +
+::a01:100/120 +::a01:200/120 +
+ +80 + +
+--r1 + + + +-- + + + +allow +IN +OUT +NET_10.1.1.0_24 +NET_10.1.2.0_24 +tcp 80 +any +interzone + + + + +
+10.1.1.0/24 +10.1.2.0/24 +
+ +80 + +
+=END= + +############################################################ +=TITLE=IPv4 and IPv6 management_instance +# No IPv6 +=INPUT= +-- z_sort_after_ipv6 +network:n1 = { ip = 10.1.1.0/24; } +network:n2 = { ip = 10.1.2.0/24; } +router:r1 = { + model = PAN-OS; + management_instance; + interface:n1 = { ip = 10.1.1.1; } +} +router:r1@vsys1 = { + model = PAN-OS; + managed; + interface:n1 = { ip = 10.1.1.2; hardware = IN; } + interface:n2 = { ip = 10.1.2.1; hardware = OUT; } +} +service:s1 = { + user = network:n1; + permit src = user; dst = network:n2; prt = tcp 80; +} +-- ipv6 +network:n1v6 = { ip = ::a01:100/120; } +network:n2v6 = { ip = ::a01:200/120; } +router:r1 = { + model = PAN-OS; + management_instance; + interface:n1v6 = { ip = ::a01:101; } +} +router:r1@vsys1 = { + model = PAN-OS; + managed; + interface:n1v6 = { ip = ::a01:102; hardware = IN; } + interface:n2v6 = { ip = ::a01:201; hardware = OUT; } +} +service:s1v6 = { + user = network:n1v6; + permit src = user; dst = network:n2v6; prt = tcp 80; +} +=OUTPUT= +--ipv6/r1 + + + +-- + + + +allow +IN +OUT +NET_::a01:100_120 +NET_::a01:200_120 +tcp 80 +any +interzone + + + + +
+::a01:100/120 +::a01:200/120 +
+ +80 + +
+--r1 + + + +-- + + + +allow +IN +OUT +NET_10.1.1.0_24 +NET_10.1.2.0_24 +tcp 80 +any +interzone + + + + +
+10.1.1.0/24 +10.1.2.0/24 +
+ +80 + +
+=END= + ############################################################ =TITLE=Missing policy_distribution_point at management_instance =INPUT=