Virtual Systems

Learn about Virtual Systems on Palo Alto Networks NGFW.
Where Can I Use This?
  • NGFW (Managed by PAN-OS or Panorama)
Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. Each virtual system (vsys) is an independent, separately-managed firewall with its traffic kept separate from the traffic of other virtual systems.
There are many ways to use virtual systems in a network. One common use case is for an ISP or a managed security service provider (MSSP) to deliver services to multiple customers with a single firewall. Customers can choose from a wide array of services that can be enabled or disabled easily. The firewall’s role-based administration allows the ISP or MSSP to control each customer’s access to functionality (such as logging and reporting) while hiding or offering read-only capabilities for other functions.
Another common use case is within a large enterprise that requires different firewall instances because of different technical or confidentiality requirements among multiple departments. As in the service-provider case, different groups can have different levels of access while IT manages the firewall itself. Services can be tracked and billed back to departments, making separate financial accountability possible within an organization.
Virtual systems provide the same basic functions as a physical firewall, along with additional benefits:
  • Segmented administration—Different organizations (or customers or business units) can control (and monitor) a separate firewall instance, so that they have control over their own traffic without interfering with the traffic or policies of another firewall instance on the same physical firewall.
  • Scalability—After the physical firewall is configured, adding or removing customers or business units can be done efficiently. An ISP, managed security service provider, or enterprise can provide different security services to each customer.
  • Reduced capital and operational expenses—Virtual systems eliminate the need to have multiple physical firewalls at one location because virtual systems co-exist on one firewall. By not having to purchase multiple firewalls, an organization can save on the hardware expense, electric bills, and rack space, and can reduce maintenance and management expenses.
  • Ability to share IP-address-to-username mappings—By assigning a virtual system as a User-ID hub, you can share the IP-address-to-username mappings across virtual systems to leverage the full User-ID capacity of the firewall and reduce operational complexity.

Administrative Roles for Virtual Systems

A Superuser administrator can create virtual systems and add a Device administrator, vsysadmin, or vsysreader. A Device administrator can access all virtual systems, but cannot add administrators. When you create an Admin Role profile and select the role to be Virtual System, the role applies to specific virtual systems on the firewall. From the Command Line tab, the two types of virtual system administrative roles are:
  • vsysadmin—Has access to specific virtual systems on the firewall to create and manage specific aspects of virtual systems. A vsysadmin doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles. Persons with vsysadmin permission can commit configurations for only the virtual systems assigned to them.
  • vsysreader—Has read-only access to specific virtual systems on the firewall and specific aspects of virtual systems. A vsysreader doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
A virtual system administrator can view logs of only the virtual systems assigned to that administrator. A Superuser or Device administrator can view all of the logs, select a virtual system to view, or configure a virtual system as a User-ID hub.
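The role matrix above is the security-relevant part of virtual systems: a vsys-level administrator must never be able to reach device-wide network configuration, commit into another customer's virtual system, or read another virtual system's logs. The following Python model is an added illustration of that authorization logic, not PAN-OS code and not the firewall's actual permission engine. The role names, action names, `Admin` and `LogEntry` types, and the sample log entries are all constructed for the example; the one behaviour the page does not state explicitly, whether a Device administrator may create virtual systems, is modelled as Superuser-only and marked as an assumption in the code.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional

# Constructed model of the virtual-system role matrix described in the text.
# Role/action names are illustrative, not PAN-OS identifiers.


class Role(Enum):
    SUPERUSER = "superuser"
    DEVICE_ADMIN = "deviceadmin"
    VSYSADMIN = "vsysadmin"
    VSYSREADER = "vsysreader"


# Device-wide actions. "configure_network" stands for everything the page lists
# as off-limits to vsys roles: interfaces, VLANs, virtual wires, virtual routers,
# IPSec/GRE tunnels, DHCP, DNS Proxy, QoS, LLDP and network profiles.
ACTIONS_DEVICE_WIDE = frozenset({"create_vsys", "add_admin", "configure_network"})
ACTIONS_VSYS_WRITE = frozenset({"edit_vsys_config", "commit"})
ACTIONS_VSYS_READ = frozenset({"view_vsys_config", "view_logs"})


@dataclass(frozen=True)
class Admin:
    name: str
    role: Role
    vsys: FrozenSet[str] = frozenset()  # assigned virtual systems (vsys roles only)


@dataclass(frozen=True)
class LogEntry:
    vsys: str
    message: str


def is_allowed(admin: Admin, action: str, vsys: Optional[str] = None) -> bool:
    """Return True if `admin` may perform `action` (scoped to `vsys` where relevant)."""
    if admin.role is Role.SUPERUSER:
        return True
    if admin.role is Role.DEVICE_ADMIN:
        # Accesses every vsys and device-wide network config, but cannot add admins.
        # Assumption: creating virtual systems is reserved to the Superuser; the page
        # only states that the Superuser can create them.
        return action not in {"add_admin", "create_vsys"}
    # vsys-scoped roles: no device-wide actions, and only inside assigned vsys.
    if action in ACTIONS_DEVICE_WIDE:
        return False
    if vsys is None or vsys not in admin.vsys:
        return False
    if admin.role is Role.VSYSADMIN:
        return action in (ACTIONS_VSYS_WRITE | ACTIONS_VSYS_READ)
    if admin.role is Role.VSYSREADER:
        return action in ACTIONS_VSYS_READ
    return False


def visible_logs(admin: Admin, logs: List[LogEntry]) -> List[LogEntry]:
    """Filter a log stream to what the administrator is entitled to see."""
    if admin.role in (Role.SUPERUSER, Role.DEVICE_ADMIN):
        return list(logs)
    return [entry for entry in logs if entry.vsys in admin.vsys]


# Constructed sample data: three tenants, one log line each.
SAMPLE_LOGS = [
    LogEntry("vsys1", "deny tcp 10.1.1.5 -> 198.51.100.7:445"),
    LogEntry("vsys2", "allow tcp 10.2.2.9 -> 203.0.113.10:443"),
    LogEntry("vsys3", "deny udp 10.3.3.4 -> 192.0.2.1:53"),
]


def customer_a_view() -> List[str]:
    """What a vsysadmin assigned only to vsys2 sees of the shared log stream."""
    customer_a = Admin("customer-a-admin", Role.VSYSADMIN, frozenset({"vsys2"}))
    return [entry.vsys for entry in visible_logs(customer_a, SAMPLE_LOGS)]


if __name__ == "__main__":
    tenant = Admin("customer-a-admin", Role.VSYSADMIN, frozenset({"vsys2"}))
    print("commit vsys2:", is_allowed(tenant, "commit", "vsys2"))
    print("commit vsys3:", is_allowed(tenant, "commit", "vsys3"))
    print("configure_network:", is_allowed(tenant, "configure_network", "vsys2"))
    print("visible logs:", customer_a_view())
```

The check is deliberately deny-by-default: an unknown action, an unassigned vsys, or a missing vsys argument all fail closed, which is the property to verify when auditing a multi-tenant firewall's delegated administration.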

Virtual System Functionality with Other Features

Many firewall features and functionality are capable of being configured, viewed, logged, or reported per virtual system. Therefore, virtual systems are mentioned in other relevant locations in the documentation and that information is not repeated here. Some of the specific chapters are the following: