A virtual system is an object that creates an administrative
boundary, as shown in the following figure.
A virtual system consists of a set of physical and logical interfaces
and subinterfaces (including VLANs and virtual wires), virtual routers,
and security zones. You choose the deployment mode(s) (any combination
of virtual wire, Layer 2, or Layer 3) of each virtual system. By
using virtual systems, you can segment any of the following:
Administrative access
The management of all policies (Security, NAT, QoS, Policy-based
Forwarding, Decryption, Application Override, Tunnel Inspection,
Authentication, and DoS protection)
All objects (such as address objects, application groups
and filters, external dynamic lists, security profiles, decryption
profiles, custom objects, etc.)
User-ID
Certificate management
Server profiles
Logging, reporting, and visibility functions
Virtual systems affect the security functions of the firewall,
but virtual systems alone do not affect networking functions such
as static and dynamic routing: two virtual systems that import the
same virtual router are routed from that virtual router's route table,
so the vsys boundary by itself does not isolate their traffic. You segment
routing for each virtual system by creating one or more virtual routers
for each virtual system, as in the following use cases:
If you have virtual systems for departments of one organization,
and the network traffic for all of the departments is within a common
network, you can create a single virtual router for multiple virtual systems.
The departments keep separate policies, objects, and administrators, but
their routes live in one route table.
If you want routing segmentation and each virtual system’s
traffic must be isolated from other virtual systems, you can create
one or more virtual routers for each virtual system.
If you want to segment the user mappings so that not all
mappings are shared across virtual systems, you can configure the
User-ID sources on a virtual system that is not a User-ID hub. See Share User-ID Mappings Across Virtual Systems.