Strata Cloud Manager

Learn how to configure Virtual Systems on Palo Alto Networks NGFW using Strata Cloud Manager.
  1. Log in to Strata Cloud Manager.
  2. From the Config Scope drop-down, select a firewall that supports Multi-Vsys.
  3. Enable virtual systems.
    1. Log in to SCM.
    2. Select Configuration > NGFW and Prisma Access > Device > Virtual Systems and click Enable Multi Virtual System.
    3. Click Enable to confirm.
  4. Create a virtual system.
    1. Select Configuration > NGFW and Prisma Access > Device > Virtual Systems and click Add Virtual System.
      The default is vsys1. You cannot delete vsys1 because it is relevant to the internal hierarchy on the firewall.
    2. Enter a descriptive Name for the virtual system. A maximum of 31 alphanumeric, space, and underscore characters is allowed.
    3. Select Allow forwarding of decrypted content if you want to allow the firewall to forward decrypted content to an outside service. For example, you must enable this option for the firewall to be able to send decrypted content to WildFire for analysis.
    4. Select a DNS Proxy object if you want to apply DNS proxy rules to the interface.
  5. Configure the Interface and Router tab.
    The virtual routers, virtual wires, or VLANs can either be configured already or you can configure them later, at which point you specify the virtual system associated with each.
    1. In the Interfaces field, click the plus (+) icon to enter the interfaces or subinterfaces to assign to the virtual system. An interface can belong to only one virtual system.
    2. Do any of the following, based on the deployment type(s) you need in the virtual system:
    3. Add the Virtual Wires to assign to the vsys.
    4. Add the Logical Routers to assign to the vsys.
  6. (Optional) Limit the resource allocations for sessions, rules, and VPN tunnels allowed for the virtual system. The flexibility of being able to allocate limits per virtual system allows you to effectively control firewall resources.
    1. On the Resource tab, optionally set limits for a virtual system. Each field displays the valid range of values, which varies per firewall model. The default setting is 0, which means the limit for the virtual system is the limit for the firewall model. However, the limit for a specific setting isn’t replicated for each virtual system. For example, if a firewall has four virtual systems, each virtual system can’t have the total number of Decryption Rules allowed per firewall. After the total number of Decryption Rules for all of the virtual systems reaches the firewall limit, you cannot add more.
      • Sessions Limit
        If you use the show session meter CLI command, it displays the Maximum number of sessions allowed per dataplane, the Current number of sessions being used by the virtual system, and the Throttled number of sessions per virtual system. On a PA-5200 or PA-7000 Series firewall, the Current number of sessions being used can be greater than the Maximum configured for Sessions Limit because there are multiple dataplanes per virtual system. The Sessions Limit you configure on a PA-5200 Series or PA-7000 Series firewall is per dataplane, and will result in a higher maximum per virtual system.
      • Security Rules
      • NAT Rules
      • Decryption Rules
      • QoS Rules
      • Application Override Rules
      • Policy Based Forwarding Rules
      • Authentication Rules
      • DoS Protection Rules
      • Site to Site VPN Tunnels
      • Concurrent SSL VPN Tunnels
    2. Click OK.
  7. Commit the configuration.
    Click Commit. The virtual system is now an object accessible from the Objects tab.
  8. Create at least one virtual router for the virtual system in order to make the virtual system capable of networking functions, such as static and dynamic routing.
    Alternatively, your virtual system might use a virtual wire, depending on your deployment.
    1. Select Network > Virtual Routers and Add a virtual router by Name.
    2. For Interfaces, click Add and select the interfaces that belong to the virtual router.
    3. Click OK.
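
The constraints stated in steps 4 to 6 (the naming rule, one virtual system per interface, and per-vsys limits that draw on a single firewall-wide pool) can be checked against a planned layout before you commit. The following is an added example, not Palo Alto Networks code and not a Strata Cloud Manager API: the function name, plan structure, resource keys, and capacity numbers are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Naming rule from step 4: at most 31 alphanumeric, space, and underscore characters.
NAME_RE = re.compile(r"[A-Za-z0-9 _]{1,31}")

def review_vsys_plan(plan, capacity):
    """Return sorted findings for a planned set of virtual systems.

    plan:     {vsys_name: {"interfaces": [...], "limits": {resource: int}}}
    capacity: {resource: firewall-model maximum}  (hypothetical structure)
    """
    findings = []
    owners = defaultdict(list)   # interface -> vsys names claiming it
    totals = defaultdict(int)    # resource  -> sum of explicit per-vsys limits
    for name, cfg in plan.items():
        if not NAME_RE.fullmatch(name):
            findings.append(f"name: {name!r} is not 1-31 alphanumeric, space, or underscore characters")
        for iface in cfg.get("interfaces", []):
            owners[iface].append(name)
        for resource in capacity:
            limit = cfg.get("limits", {}).get(resource, 0)  # unset means the default, 0
            if limit == 0:
                # 0 means this vsys is bounded only by the firewall-wide limit.
                findings.append(f"unbounded: {name!r} {resource} limit is 0 "
                                f"(firewall limit {capacity[resource]} applies)")
            totals[resource] += limit
    for iface, names in owners.items():
        if len(names) > 1:  # an interface can belong to only one virtual system
            findings.append(f"interface: {iface} assigned to {sorted(names)}")
    for resource, total in totals.items():
        if total > capacity[resource]:  # limits are not replicated per vsys
            findings.append(f"oversubscribed: {resource} limits sum to {total}, "
                            f"firewall limit is {capacity[resource]}")
    return sorted(findings)

# Constructed sample data; capacity values are placeholders, not real model limits.
CAPACITY = {"decryption_rules": 1000, "sessions": 200000}
PLAN = {
    "tenant_a": {"interfaces": ["ethernet1/1", "ethernet1/2"],
                 "limits": {"decryption_rules": 600, "sessions": 100000}},
    "tenant_b": {"interfaces": ["ethernet1/2", "ethernet1/3"],
                 "limits": {"decryption_rules": 600}},
    "tenant-c with a name that is far too long": {
        "interfaces": [], "limits": {"decryption_rules": 100, "sessions": 50000}},
}

if __name__ == "__main__":
    for finding in review_vsys_plan(PLAN, CAPACITY):
        print(finding)
```

An "oversubscribed" finding means the configured limits cannot all be reached at once, since the firewall-wide total is shared; whether the firewall accepts such a configuration is not stated on this page.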