An ISP that has multiple customers on a firewall (known
as multi-tenancy) can use a virtual system for each customer, and
thereby give each customer control over its virtual system configuration.
The ISP grants
permission to customers.
Each customer’s traffic and management are isolated from the others.
Each virtual system must be configured with its own IP address and one
or more virtual routers in order to manage traffic and its own connection
to the Internet.
If the virtual systems need to communicate with each other, that
traffic goes out the firewall to another Layer 3 routing device
and back to the firewall, even though the virtual systems exist
on the same physical firewall, as shown in the following figure.