Creating a virtual system requires that you have the following:
An interface configured.
A Virtual Systems license if you are configuring a PA-2000 or PA-3000 Series firewall, or if you are creating more than the base number of virtual systems supported on the platform. See Platform Support and Licensing for Virtual Systems.
Configure a Virtual System
Enable virtual systems.
Device > Setup > Management
and edit the
Multi Virtual System Capability check box and click OK. This action triggers a commit if you approve it.
Only after enabling virtual systems will the
tab display the
Create a virtual system.
Device > Virtual Systems, click
and enter a virtual system ID, which is appended to “vsys” (range is 1-255).
The default ID is 1, which makes the default virtual system vsys1. This default appears even on platforms that do not support multiple virtual systems.
Allow forwarding of decrypted content check box if you want to allow the firewall to forward decrypted content to an outside service. For example, you must enable this option for the firewall to be able to send decrypted content to WildFire for analysis.
Enter a descriptive
for the virtual system. A maximum of 31 alphanumeric, space, and underscore characters is allowed.
Assign interfaces to the virtual system.
The virtual routers, vwires, or VLANs can either be configured already or you can configure them later, at which point you specify the virtual system associated with each.
tab, select a
object if you want to apply DNS proxy rules to the interface.
to enter the interfaces or subinterfaces to assign to the virtual system. An interface can belong to only one virtual system.
Do any of the following, based on the deployment type(s) you need in the virtual system:
to enter the VLAN(s) to assign to the vsys.
to enter the virtual wire(s) to assign to the vsys.
to enter the virtual router(s) to assign to the vsys.
Visible Virtual System field, check all virtual systems that should be made visible to the virtual system being configured. This is required for virtual systems that need to communicate with each other.
In a multi-tenancy scenario where strict administrative boundaries are required, no virtual systems would be checked.
(Optional) Limit the resource allocations for sessions, rules, and VPN tunnels allowed for the virtual system. The flexibility of being able to allocate limits per virtual system allows you to effectively control firewall resources.
tab, optionally set limits for a virtual system. Each field displays the valid range of values; there are no default values.
If you use the show session meter CLI command, it displays the Maximum number of sessions allowed per dataplane, the Current number of sessions being used by the virtual system, and the Throttled number of sessions per virtual system. On a PA-7000 Series firewall, the Current number of sessions being used can be greater than the Maximum configured for Sessions Limit because there are multiple dataplanes per virtual system. The Session Limit you configure on a PA-7000 Series firewall is per dataplane, and will result in a higher maximum per virtual system.
Application Override Rules
Policy Based Forwarding Rules
Captive Portal Rules
DoS Protection Rules
Site to Site VPN Tunnels
Concurrent SSL VPN Tunnels
Save the configuration.
OK. The virtual system is now an object accessible from the
Create at least one virtual router for the virtual system in order to make the virtual system capable of networking functions, such as static and dynamic routing.
Alternatively, your virtual system might use a VLAN or a virtual wire, depending on your deployment.
Network > Virtual Routers
a virtual router by
and from the drop-down, select the interfaces that belong to the virtual router.
Configure a security zone for each interface in the virtual system.
After creating a virtual system, you can use the CLI to commit a configuration for only a specific virtual system:
commit partial vsys vsys<id>
(Optional) View the security policies configured for a virtual system.
Open an SSH session to use the CLI. To view the security policies for a virtual system, in operational mode, use the following commands:
set system setting target-vsys <vsys-id>
show running security-policy
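The constraints stated in the creation steps above (ID range 1-255, name of at most 31 alphanumeric, space, and underscore characters, one virtual system per interface, and no visible virtual systems where strict administrative boundaries are required) can be checked against a planned layout before anything is entered on the firewall. The following is an added example, not Palo Alto Networks code; the plan structure, the function name, and the sample values are assumptions made for illustration.

```python
import re

VSYS_IDS = range(1, 256)                       # page: ID range is 1-255
NAME_RE = re.compile(r"[A-Za-z0-9 _]{1,31}")   # page: max 31 alphanumeric, space, underscore
                                               # (rejecting an empty name is an assumption)

def audit_vsys_plan(plan, strict_isolation=False):
    """Return findings for a planned vsys layout.

    plan is a hypothetical structure, not a PAN-OS export format:
    {vsys_id: {"name": str, "interfaces": [str], "visible": [vsys_id]}}
    """
    findings = []
    owner = {}  # interface -> first vsys that claimed it
    for vid in sorted(plan):
        cfg, tag = plan[vid], f"vsys{vid}"
        if vid not in VSYS_IDS:
            findings.append(f"{tag}: ID outside 1-255")
        if not NAME_RE.fullmatch(cfg.get("name", "")):
            findings.append(f"{tag}: name is not 1-31 alphanumeric/space/underscore characters")
        for ifname in cfg.get("interfaces", []):
            # An interface can belong to only one virtual system.
            if owner.setdefault(ifname, vid) != vid:
                findings.append(f"{tag}: {ifname} already assigned to vsys{owner[ifname]}")
        for peer in cfg.get("visible", []):
            if peer not in plan:
                findings.append(f"{tag}: visible vsys{peer} is not defined in the plan")
            elif strict_isolation:
                # Strict multi-tenancy: no virtual system should be visible to another.
                findings.append(f"{tag}: vsys{peer} is visible, which breaks strict isolation")
    return findings

# Constructed sample plan, not taken from a real firewall.
SAMPLE_PLAN = {
    1: {"name": "Corp_Shared", "interfaces": ["ethernet1/1"], "visible": []},
    2: {"name": "Tenant A", "interfaces": ["ethernet1/2", "ethernet1/1"], "visible": [3]},
    3: {"name": "Tenant-B", "interfaces": ["ethernet1/3"], "visible": []},
    300: {"name": "x" * 32, "interfaces": [], "visible": []},
}

if __name__ == "__main__":
    for finding in audit_vsys_plan(SAMPLE_PLAN, strict_isolation=True):
        print(finding)
```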