Configure Virtual Systems

Creating a virtual system requires that you have the following:
(Panorama managed firewalls) For firewalls managed by a Panorama management server, Palo Alto Networks recommends making note of all policy rule Target lists you added the managed firewall to on Panorama before you change the virtual system configuration status to ensure you maintain your security posture.
Changing the managed firewall multi-vsys status impacts all policy rules where the managed firewall was added to the policy Target list. Changing the multi-vsys status in any way removes the firewall from the Target list of the Panorama-managed policy rule, impacting which firewalls Panorama pushes the policy rule to. If the removed firewall was the only Target, then the rule is now pushed to all firewalls associated with the impacted device group.
  • In the case of deny policy rules, this may result in some firewalls denying sessions they previously allowed.
  • In the case of allow policy rules, this may result in some firewalls allowing sessions they previously denied.
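The following pre-change check is an added example, not Palo Alto Networks code, and it models only the behaviour described above: a firewall is dropped from every Target list it appears in, and a rule whose sole Target was that firewall is then pushed to every firewall in its device group. The rule inventory and device-group membership are constructed sample data, not a Panorama export; on a real deployment you would populate them from your own policy records before changing the multi-vsys status.

```python
"""Pre-change check for the Panorama Target-list caveat.

Added example, not Palo Alto Networks code. RULES and DEVICE_GROUPS are
constructed sample data standing in for the Target lists you would note
down from Panorama before changing a managed firewall's multi-vsys status.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    device_group: str
    action: str                                # "allow" or "deny"
    targets: set = field(default_factory=set)  # empty = no Target list, pushed to all


# Constructed: device group "dg-branch" contains three managed firewalls.
DEVICE_GROUPS = {"dg-branch": {"fw-01", "fw-02", "fw-03"}}

# Constructed rule inventory with their current Target lists.
RULES = [
    Rule("allow-web", "dg-branch", "allow", {"fw-01"}),
    Rule("deny-smb", "dg-branch", "deny", {"fw-01", "fw-02"}),
    Rule("allow-dns", "dg-branch", "allow", set()),
    Rule("deny-telnet", "dg-branch", "deny", {"fw-03"}),
]


def snapshot_targets(rules, firewall):
    """Record every rule whose Target list names the firewall (the 'make a note
    of all Target lists' step recommended on the page)."""
    return {r.name: sorted(r.targets) for r in rules if firewall in r.targets}


def impact_report(rules, device_groups, firewall):
    """Predict how each affected rule's push scope changes once the firewall is
    removed from its Target list. Returns (rule, newly_targeted_firewalls, note)."""
    report = []
    for r in rules:
        if firewall not in r.targets:
            continue
        remaining = r.targets - {firewall}
        if remaining:
            # Other Targets remain, so only the changed firewall stops receiving the rule.
            report.append((r.name, set(), "rule no longer pushed to " + firewall))
            continue
        # Sole Target removed: the rule is now pushed to the whole device group.
        newly = device_groups[r.device_group] - {firewall}
        if r.action == "deny":
            note = "other firewalls may deny sessions they previously allowed"
        else:
            note = "other firewalls may allow sessions they previously denied"
        report.append((r.name, newly, note))
    return report


if __name__ == "__main__":
    fw = "fw-01"
    print("Target snapshot:", snapshot_targets(RULES, fw))
    for name, newly, note in impact_report(RULES, DEVICE_GROUPS, fw):
        scope = sorted(newly) if newly else "(scope unchanged)"
        print(f"{name}: now pushed to {scope} - {note}")
```

Run it with the name of the firewall whose multi-vsys status you are about to change; every rule listed with a non-empty "now pushed to" set is one whose Target list you should restore or rewrite on Panorama after the change.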
  1. Enable virtual systems.
    1. Select Device > Setup > Management and edit the General Settings.
    2. Select the Multi Virtual System Capability check box and click OK. This action triggers a commit if you approve it.
      Only after enabling virtual systems will the Device tab display the Virtual Systems and Shared Gateways options.
  2. Create a virtual system.
    1. Select Device > Virtual Systems, click Add and enter a virtual system ID, which is appended to “vsys” (range is 1-255).
      The default is vsys1. You cannot delete vsys1 because it is relevant to the internal hierarchy on the firewall; vsys1 appears even on firewall models that don’t support multiple virtual systems.
    2. Select Allow forwarding of decrypted content if you want to allow the firewall to forward decrypted content to an outside service. For example, you must enable this option for the firewall to be able to send decrypted content to WildFire for analysis.
    3. Enter a descriptive Name for the virtual system. A maximum of 31 alphanumeric, space, and underscore characters is allowed.
  3. Assign interfaces to the virtual system.
    The virtual routers, virtual wires, or VLANs can either be configured already or you can configure them later, at which point you specify the virtual system associated with each.
    1. On the General tab, select a DNS Proxy object if you want to apply DNS proxy rules to the interface.
    2. In the Interfaces field, click Add to enter the interfaces or subinterfaces to assign to the virtual system. An interface can belong to only one virtual system.
    3. Do any of the following, based on the deployment type(s) you need in the virtual system:
      • In the VLANs field, click Add to enter the VLAN(s) to assign to the vsys.
      • In the Virtual Wires field, click Add to enter the virtual wire(s) to assign to the vsys.
      • In the Virtual Routers field, click Add to enter the virtual router(s) to assign to the vsys.
    4. In the Visible Virtual System field, check all virtual systems that should be made visible to the virtual system being configured. This is required for virtual systems that need to communicate with each other.
      In a multi-tenancy scenario where strict administrative boundaries are required, no virtual systems would be checked.
    5. Click OK.
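The Visible Virtual System selections are easy to get wrong on a firewall that hosts several tenants, because a single checked box silently opens one tenant's vsys to another. The audit below is an added example, not Palo Alto Networks code: it takes a constructed tenancy map, the constructed per-vsys Visible Virtual System selections, and a constructed list of vsys pairs that must communicate, and reports both cross-tenant visibility and required pairs that are not visible to each other. Reading "visible to each other" as visibility in both directions is this example's interpretation of the step above.

```python
"""Audit of Visible Virtual System selections against a tenancy map.

Added example, not Palo Alto Networks code. TENANTS, VISIBLE and
REQUIRED_PEERS are constructed; on a real firewall the selections come
from Device > Virtual Systems > Visible Virtual System.
"""

# Constructed: which virtual systems each tenant owns.
TENANTS = {
    "tenant-a": {"vsys1", "vsys2", "vsys4"},
    "tenant-b": {"vsys3"},
}

# Constructed: the Visible Virtual System selection made on each vsys.
VISIBLE = {
    "vsys1": {"vsys2"},
    "vsys2": {"vsys1"},
    "vsys3": {"vsys1"},   # a tenant-b vsys given visibility into tenant-a
    "vsys4": {"vsys1"},   # configured in one direction only
}

# Constructed: pairs that are intended to communicate.
REQUIRED_PEERS = [("vsys1", "vsys2"), ("vsys1", "vsys4")]


def tenant_of(vsys, tenants):
    """Map a vsys name to its tenant; an unassigned vsys is itself a finding."""
    for name, members in tenants.items():
        if vsys in members:
            return name
    raise KeyError(f"{vsys} is not assigned to a tenant")


def boundary_violations(visible, tenants):
    """Sorted (vsys, visible_vsys) pairs where a selection crosses a tenant boundary.
    Under strict administrative boundaries this list must be empty."""
    return sorted(
        (vsys, peer)
        for vsys, peers in visible.items()
        for peer in peers
        if tenant_of(vsys, tenants) != tenant_of(peer, tenants)
    )


def missing_visibility(visible, required):
    """Required peer pairs that are not visible to each other in both directions."""
    return [
        (a, b)
        for a, b in required
        if b not in visible.get(a, set()) or a not in visible.get(b, set())
    ]


if __name__ == "__main__":
    for vsys, peer in boundary_violations(VISIBLE, TENANTS):
        print(f"{vsys} can see {peer}, which belongs to another tenant")
    for a, b in missing_visibility(VISIBLE, REQUIRED_PEERS):
        print(f"{a} and {b} must communicate but are not mutually visible")
```

On the constructed data this flags vsys3's view into vsys1 as a boundary violation and vsys1/vsys4 as a required pair where only one side was checked.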
  4. (Optional) Limit the resource allocations for sessions, rules, and VPN tunnels allowed for the virtual system. The flexibility of being able to allocate limits per virtual system allows you to effectively control firewall resources.
    1. On the Resource tab, optionally set limits for a virtual system. Each field displays the valid range of values, which varies per firewall model. The default setting is 0, which means the limit for the virtual system is the limit for the firewall model. However, the limit for a specific setting isn’t replicated for each virtual system. For example, if a firewall has four virtual systems, each virtual system can’t have the total number of Decryption Rules allowed per firewall. After the total number of Decryption Rules for all of the virtual systems reaches the firewall limit, you cannot add more.
      • Sessions Limit
        If you use the show session meter CLI command, it displays the Maximum number of sessions allowed per dataplane, the Current number of sessions being used by the virtual system, and the Throttled number of sessions per virtual system. On a PA-5200 or PA-7000 Series firewall, the Current number of sessions being used can be greater than the Maximum configured for Sessions Limit because there are multiple dataplanes per virtual system. The Sessions Limit you configure on a PA-5200 Series or PA-7000 Series firewall is per dataplane, and will result in a higher maximum per virtual system.
      • Security Rules
      • NAT Rules
      • Decryption Rules
      • QoS Rules
      • Application Override Rules
      • Policy Based Forwarding Rules
      • Authentication Rules
      • DoS Protection Rules
      • Site to Site VPN Tunnels
      • Concurrent SSL VPN Tunnels
    2. Click OK.
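Because the firewall-wide limit is shared rather than replicated, it is worth checking a planned set of per-vsys limits before committing them. The planning check below is an added example, not Palo Alto Networks code. It encodes the three semantics stated in this step: 0 inherits the firewall model's limit, explicit limits across all virtual systems draw from one firewall-wide cap, and on PA-5200 and PA-7000 Series firewalls an explicit Sessions Limit is per dataplane (taken here to mean limit times dataplane count). MODEL_LIMITS, DATAPLANES and the per-vsys values are constructed placeholders, not real platform figures; the actual ranges are the ones shown in the Resource tab fields on your firewall.

```python
"""Planning check for per-vsys limits on the Resource tab.

Added example, not Palo Alto Networks code. MODEL_LIMITS, DATAPLANES and
VSYS_LIMITS are constructed placeholders; read the real ranges from the
Resource tab on your firewall model.
"""

# Constructed placeholder caps for a hypothetical firewall model.
MODEL_LIMITS = {"decryption_rules": 1000, "security_rules": 5000, "sessions": 400000}
DATAPLANES = 2  # constructed; more than 1 only on PA-5200/PA-7000 Series per the page

# Constructed per-vsys settings; 0 means "inherit the firewall limit".
VSYS_LIMITS = {
    "vsys1": {"decryption_rules": 0,   "security_rules": 1500, "sessions": 100000},
    "vsys2": {"decryption_rules": 600, "security_rules": 1500, "sessions": 50000},
    "vsys3": {"decryption_rules": 500, "security_rules": 1500, "sessions": 0},
}


def effective_limit(resource, configured, model_limits, dataplanes=1):
    """Maximum a single vsys may consume: 0 inherits the model cap; an explicit
    Sessions Limit is per dataplane (assumed here to mean limit * dataplanes)."""
    if configured == 0:
        return model_limits[resource]
    if resource == "sessions":
        return configured * dataplanes
    return configured


def _explicit_total(resource, vsys_limits, model_limits, dataplanes):
    """Sum of explicitly configured limits; inherited (0) entries are excluded
    because they only share whatever headroom is left."""
    return sum(
        effective_limit(resource, cfg[resource], model_limits, dataplanes)
        for cfg in vsys_limits.values()
        if cfg[resource] != 0
    )


def overcommit(vsys_limits, model_limits, dataplanes=1):
    """Resources whose explicit per-vsys limits add up to more than the firewall cap,
    mapped to (explicit_total, cap)."""
    findings = {}
    for resource, cap in model_limits.items():
        total = _explicit_total(resource, vsys_limits, model_limits, dataplanes)
        if total > cap:
            findings[resource] = (total, cap)
    return findings


def headroom(resource, vsys_limits, model_limits, dataplanes=1):
    """What remains of the firewall cap for virtual systems that inherit it (may be negative)."""
    return model_limits[resource] - _explicit_total(resource, vsys_limits, model_limits, dataplanes)


if __name__ == "__main__":
    for resource, (total, cap) in overcommit(VSYS_LIMITS, MODEL_LIMITS, DATAPLANES).items():
        print(f"{resource}: explicit limits total {total}, firewall cap is {cap}")
    print("sessions headroom for inheriting vsys:",
          headroom("sessions", VSYS_LIMITS, MODEL_LIMITS, DATAPLANES))
```

With the constructed values the Decryption Rules limits of vsys2 and vsys3 already exceed the cap, so vsys1 (which inherits) would find no rules left to add once the others fill their allocation; the Sessions figures stay within the cap even after the dataplane multiplier.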
  5. (Optional) Configure a virtual system as a User-ID hub to Share User-ID Mappings Across Virtual Systems.
    IP-address-and-port-to-username mapping information from Terminal Server agents and group mapping data is not shared between the virtual system hub and the connected virtual systems.
    1. For any existing virtual systems, transfer the configuration for the User-ID sources you want to share (such as monitored servers and User-ID agents) to the virtual system you will use as a hub.
    2. On the Resource tab, select Make this vsys a User-ID data hub.
    3. Click Yes to confirm, then click OK.
      If you want to change the User-ID hub to a different virtual system or disable it, select the virtual system currently configured as a User-ID hub, then select Resource > Change Hub.
      Select the New User-ID hub from the list, or select none to disable the User-ID hub and stop sharing mappings across virtual systems.
      Click Proceed to confirm and commit your changes.
  6. Commit the configuration.
    Click Commit. The virtual system is now an object accessible from the Objects tab.
  7. Create at least one virtual router for the virtual system in order to make the virtual system capable of networking functions, such as static and dynamic routing.
    Alternatively, your virtual system might use a VLAN or a virtual wire, depending on your deployment.
    1. Select Network > Virtual Routers and Add a virtual router by Name.
    2. For Interfaces, click Add and select the interfaces that belong to the virtual router.
    3. Click OK.
  8. Configure a security zone for each interface in the virtual system.
    For at least one interface, create a Layer 3 security zone. See Configure Interfaces and Zones.
  9. Configure the security policy rules that allow or deny traffic to and from the zones in the virtual system.
  10. Commit the configuration.
    Click Commit.
    After creating a virtual system, you can use the CLI to commit a configuration for only a specific virtual system:
    commit partial vsys <vsys-id>
  11. (Optional) View the security policies configured for a virtual system.
    Open an SSH session to use the CLI. To view the security policies for a virtual system, in operational mode, use the following commands:
    set system setting target-vsys <vsys-id>
    show running security-policy