Virtual System Components and Segmentation
Table of Contents
Virtual System Components and Segmentation
A virtual system is an object that creates an administrative
boundary, as shown in the following figure.
A virtual system consists of a set of physical and logical interfaces
and subinterfaces (including VLANs and virtual wires), virtual routers,
and security zones. You choose the deployment mode(s) (any combination
of virtual wire, Layer 2, or Layer 3) of each virtual system. By
using virtual systems, you can segment any of the following:
- Administrative access
- The management of all policies (Security, NAT, QoS, Policy-based Forwarding, Decryption, Application Override, Tunnel Inspection, Authentication, and DoS protection)
- All objects (such as address objects, application groups and filters, external dynamic lists, security profiles, decryption profiles, custom objects, etc.)
- User-ID
- Certificate management
- Server profiles
- Logging, reporting, and visibility functions
Virtual systems affect the security functions of the firewall,
but virtual systems alone do not affect networking functions such
as static and dynamic routing. You can segment routing for each
virtual system by creating one or more virtual routers for each
virtual system, as in the following use cases:
- If you have virtual systems for departments of one organization, and the network traffic for all of the departments is within a common network, you can create a single virtual router for multiple virtual systems.
- If you want routing segmentation and each virtual system’s traffic must be isolated from other virtual systems, you can create one or more virtual routers for each virtual system.
- If you want to segment the user mappings so that not all mappings are shared across virtual systems, you can configure the User-ID sources on a virtual system that is not a User-ID hub. See Share User-ID Mappings Across Virtual Systems.