Virtual Systems
Learn about Virtual Systems on Palo Alto Networks NGFW.
Where Can I Use This?
- NGFW (Managed by PAN-OS or Panorama)
What Do I Need?
Virtual systems are separate, logical firewall instances within a single physical Palo
Alto Networks firewall. Rather than using multiple firewalls, managed service providers
and enterprises can use a single pair of firewalls (for high availability) and enable
virtual systems on them. Each virtual system (vsys) is an independent,
separately-managed firewall with its traffic kept separate from the traffic of other
virtual systems.
There are many ways to use virtual systems in a network. One common use case is for an
ISP or a managed security service provider (MSSP) to deliver services to multiple
customers with a single firewall. Customers can choose from a wide array of services
that can be enabled or disabled easily. The firewall’s role-based administration allows
the ISP or MSSP to control each customer’s access to functionality (such as logging and
reporting) while hiding or offering read-only capabilities for other functions.
Another common use case is within a large enterprise that requires different firewall
instances because of different technical or confidentiality requirements among multiple
departments. Like the above case, different groups can have different levels of access
while IT manages the firewall itself. Services can be tracked and/or billed back to
departments to thereby make separate financial accountability possible within an
organization.
Virtual systems provide the same basic functions as a physical firewall, along with
additional benefits:
Segmented administration—Different organizations (or customers or business
units) can control (and monitor) a separate firewall instance, so that they have
control over their own traffic without interfering with the traffic or policies
of another firewall instance on the same physical firewall.
Scalability—After the physical firewall is configured, adding or removing
customers or business units can be done efficiently. An ISP, managed security
service provider, or enterprise can provide different security services to each
customer.
Reduced capital and operational expenses—Virtual systems eliminate the
need to have multiple physical firewalls at one location because virtual systems
co-exist on one firewall. By not having to purchase multiple firewalls, an
organization can save on the hardware expense, electric bills, and rack space,
and can reduce maintenance and management expenses.
Ability to share IP-address-to-username mappings—By assigning a virtual
system as a User-ID hub, you can share the IP-address-to-username mappings
across virtual systems to leverage the full User-ID capacity of the firewall and
reduce operational complexity.
Administrative Roles for Virtual Systems
A Superuser administrator can create virtual systems and add a Device administrator,
vsysadmin, or vsysreader. A Device administrator can access all virtual systems, but
cannot add administrators. When you create an Admin Role profile and select the role to
be Virtual System, the role applies to specific virtual systems on the firewall. From the
Command Line tab, the two types of virtual system administrative roles are:
vsysadmin—Has access to specific virtual systems on the firewall to
create and manage specific aspects of virtual systems. A vsysadmin doesn’t
have access to network interfaces, VLANs, virtual wires, virtual routers,
IPSec tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
Persons with vsysadmin permission can commit configurations for only the
virtual systems assigned to them.
vsysreader—Has read-only access to specific virtual systems on the
firewall and specific aspects of virtual systems. A vsysreader doesn’t have
access to network interfaces, VLANs, virtual wires, virtual routers, IPSec
tunnels, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
A virtual system administrator can view logs of only the virtual systems assigned to
that administrator. A Superuser or Device administrator can view all of the logs,
select a virtual system to view, or configure a virtual system as a User-ID hub.
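To make the role scoping above concrete, here is an added audit script (not part of the Palo Alto Networks documentation or product) that reads a constructed PAN-OS-style configuration export and reports each administrator's virtual-system scope, whether a given administrator can commit a given vsys, and least-privilege findings. The XML element names under mgt-config/users are assumptions to verify against a real export from your own firewall.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the mgt-config/users subtree of a PAN-OS config export. Tag
# names follow the layout as the author understands it (assumption); verify on a real export.
SAMPLE_CONFIG = """<config><mgt-config><users>
 <entry name="ops-root"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
 <entry name="ops-dev"><permissions><role-based><deviceadmin>yes</deviceadmin></role-based></permissions></entry>
 <entry name="custA-admin"><permissions><role-based><vsysadmin><entry name="vsys2"/></vsysadmin></role-based></permissions></entry>
 <entry name="custB-audit"><permissions><role-based><vsysreader><entry name="vsys3"/><entry name="vsys4"/></vsysreader></role-based></permissions></entry>
 <entry name="orphan"><permissions><role-based><vsysadmin/></role-based></permissions></entry>
</users></mgt-config></config>"""

DEVICE_WIDE = ("superuser", "deviceadmin")   # see every vsys and all logs
VSYS_SCOPED = ("vsysadmin", "vsysreader")     # limited to the vsys bound to them

def admin_scopes(config_xml):
    """Map admin name -> (role, sorted vsys list); ['*'] means every virtual system."""
    scopes = {}
    for user in ET.fromstring(config_xml).findall("./mgt-config/users/entry"):
        role, vsys = "unknown", []
        rb = user.find("./permissions/role-based")
        if rb is not None:
            for tag in DEVICE_WIDE:
                if rb.findtext(tag) == "yes":
                    role, vsys = tag, ["*"]
            for tag in VSYS_SCOPED:
                node = rb.find(tag)
                if node is not None:   # an empty element is still a (broken) binding
                    role = tag
                    vsys = sorted(e.get("name") for e in node.findall("entry"))
        scopes[user.get("name")] = (role, vsys)
    return scopes

def can_commit_vsys(scopes, admin, vsys):
    """Device-wide roles commit anywhere; vsysadmin only on bound vsys; vsysreader never."""
    role, bound = scopes.get(admin, ("unknown", []))
    return bound == ["*"] or (role == "vsysadmin" and vsys in bound)

def findings(scopes, max_device_wide=1):
    """Least-privilege checks: too many device-wide admins, vsys roles bound to no vsys."""
    out = []
    wide = sorted(n for n, (_, v) in scopes.items() if v == ["*"])
    if len(wide) > max_device_wide:
        out.append(f"{len(wide)} device-wide admins (all vsys): {', '.join(wide)}")
    for name, (role, vsys) in scopes.items():
        if role in VSYS_SCOPED and not vsys:
            out.append(f"{name}: {role} bound to no virtual system")
    return out
```

Run `findings(admin_scopes(SAMPLE_CONFIG))` against your own exported configuration in place of the constructed sample to list administrators whose scope exceeds what their virtual system requires.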
Virtual System Functionality with Other Features
Many firewall features and functionality are capable of being configured, viewed,
logged, or reported per virtual system. Therefore, virtual systems are mentioned in
other relevant locations in the documentation and that information is not repeated
here. Some of the specific chapters are the following:
If you are configuring Active/Passive HA, the two firewalls must have the same virtual
system capability (single or multiple virtual system capability). See High Availability.
For information about configuring a firewall with virtual systems in a virtual wire
deployment that uses subinterfaces (and VLAN tags), see Virtual Wire Interfaces.