Learn about Virtual Systems on Palo Alto Networks NGFW.
Where Can I Use This? NGFW (Managed by PAN-OS or Panorama)
What Do I Need? Virtual Systems license for any virtual systems beyond the base number supported by each NGFW series.
A shared gateway is an interface that multiple virtual systems share in order to
communicate over the Internet. Each virtual system requires an External Zone, which acts as an intermediary, for
configuring security policies that allow or deny traffic from the virtual system’s
internal zone to the shared gateway.
The shared gateway uses a single virtual router to route traffic for all virtual systems.
A shared gateway is used in cases when an interface does not need a full administrative
boundary around it, or when multiple virtual systems must share a single Internet
connection. This second case arises if an ISP provides an organization with only one IP
address (interface), but multiple virtual systems need external communication.
Unlike the behavior between virtual systems, security policy and App-ID evaluations are
not performed between a virtual system and a shared gateway. That is why using a shared
gateway to access the Internet involves less overhead than creating another virtual
system to do so.
In the following figure, three customers share a firewall, but there is only one
interface accessible to the Internet. Creating another virtual system would add the
overhead of App-ID and security policy evaluation for traffic being sent to the
interface through the added virtual system. To avoid adding another virtual system, the
solution is to configure a shared gateway, as shown in the following diagram.
The shared gateway has one globally-routable IP address used to communicate with the
outside world. Interfaces in the virtual systems have IP addresses too, but they can be
private, non-routable IP addresses.
You will recall that an administrator must specify whether a virtual system is visible to
other virtual systems. Unlike a virtual system, a shared gateway is always visible to
all of the virtual systems on the firewall.
A shared gateway ID number appears as sg<ID> on the web interface. It is recommended that you name your shared gateway
with a name that includes its ID number.
When you add objects such as zones or interfaces to a shared gateway, the shared gateway
appears as an available virtual system in the vsys menu.
A shared gateway is a limited version of a virtual system; it supports NAT and
policy-based forwarding (PBF), but does not support Security, DoS policies, QoS,
Decryption, Application Override, or Authentication policies.
Networking Considerations for a Shared Gateway
Keep the following in mind while you are configuring a shared gateway.
The virtual systems in a shared gateway scenario access the Internet through
the shared gateway’s physical interface, using a single IP address. If the
IP addresses of the virtual systems are not globally routable, configure
source NAT to translate those addresses to globally-routable IP
addresses.
A virtual router routes the traffic for all of the virtual systems through
the shared gateway.
The default route for the virtual systems should point to the shared
gateway.
Security policies must be configured for each virtual system to allow the
traffic between the internal zone and external zone, which is visible to the
shared gateway.
A firewall administrator should control the virtual router, so that no member
of a virtual system can affect the traffic of other virtual systems.
Within a Palo Alto Networks firewall, a packet may hop from one virtual
system to another virtual system or to a shared gateway. A packet may not
traverse more than two virtual systems or shared gateways in total. For example, a
packet cannot go from vsys1 to vsys2 to vsys3, or similarly from vsys1 to
vsys2 to shared gateway1. Both examples require the packet to traverse more than two
virtual systems or shared gateways, which is not permitted.
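The considerations above are easy to get wrong when several customers share one gateway. The following Python script is an added example, not Palo Alto Networks code: it encodes the rules this page states (an External Zone per virtual system, a security policy from internal to external zone, source NAT when the virtual systems use non-routable addresses, the two-hop limit, and a shared gateway being visible to every virtual system) as checks over a hand-built description of the deployment. The design dictionary, the vsys and sg names, and the attribute names are all constructed for the example.

```python
import ipaddress

# Constructed design: three customer vsys behind one shared gateway, sg1.
# "visible" mirrors the per-vsys visibility setting; a shared gateway needs none.
DESIGN = {
    "shared_gateways": {"sg1": {"snat": True}},
    "vsys": {
        "vsys1": {"visible": False, "external_zone_to": "sg1",
                  "internal_ips": ["10.1.0.1/24"], "policy_internal_to_external": True},
        "vsys2": {"visible": False, "external_zone_to": "sg1",
                  "internal_ips": ["10.2.0.1/24"], "policy_internal_to_external": False},
        "vsys3": {"visible": True, "external_zone_to": None,
                  "internal_ips": ["10.3.0.1/24"], "policy_internal_to_external": True},
    },
}


def check_design(design):
    """Return a list of findings; an empty list means every vsys satisfies the rules."""
    findings = []
    sgs = design["shared_gateways"]
    for name, v in design["vsys"].items():
        sg = v["external_zone_to"]
        if sg is None:
            findings.append(f"{name}: no External Zone pointing at a shared gateway")
            continue
        if sg not in sgs:
            findings.append(f"{name}: External Zone references unknown gateway {sg}")
            continue
        if not v["policy_internal_to_external"]:
            findings.append(f"{name}: no security policy from internal zone to external zone")
        # Non-routable (RFC 1918 and similar) addresses need source NAT on the gateway.
        private = any(ipaddress.ip_interface(ip).ip.is_private for ip in v["internal_ips"])
        if private and not sgs[sg]["snat"]:
            findings.append(f"{name}: private addresses but {sg} has no source NAT")
    return findings


def path_is_allowed(design, hops):
    """True if a packet may follow hops: at most two vsys/shared gateways in total,
    and each next hop visible (a shared gateway always is, a vsys only if marked so)."""
    if len(hops) > 2:
        return False
    for nxt in hops[1:]:
        if nxt in design["shared_gateways"]:
            continue
        if not design["vsys"].get(nxt, {}).get("visible", False):
            return False
    return True
```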
To save configuration time and effort, consider the following advantages of a shared
gateway:
Rather than configure NAT for multiple virtual systems associated with a
shared gateway, you can configure NAT for the shared gateway.
Rather than configure policy-based forwarding (PBF) for multiple virtual systems
associated with a shared gateway, you can configure PBF for the shared
gateway.