Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. Each virtual system (vsys) is an independent, separately-managed firewall with its traffic kept separate from the traffic of other virtual systems.
This topic includes the following:
Virtual System Components and Segmentation
A virtual system is an object that creates an administrative boundary, as shown in the following figure.
A virtual system consists of a set of physical and logical interfaces and subinterfaces (including VLANs and virtual wires), virtual routers, and security zones. You choose the deployment mode(s) (any combination of virtual wire, Layer 2, or Layer 3) of each virtual system. By using virtual systems, you can segment any of the following:
- Administrative access
- The management of all policies (security, NAT, QoS, policy-based forwarding, decryption, application override, captive portal, and DoS protection)
- All objects (such as address objects, application groups and filters, dynamic block lists, security profiles, decryption profiles, custom objects, etc.)
- User-ID
- Certificate management
- Server profiles
- Logging, reporting, and visibility functions
Virtual systems affect the security functions of the firewall, but virtual systems alone do not affect networking functions such as static and dynamic routing. You can segment routing for each virtual system by creating one or more virtual routers for each virtual system, as in the following use cases:
- If you have virtual systems for departments of one organization, and the network traffic for all of the departments is within a common network, you can create a single virtual router for multiple virtual systems.
- If you want routing segmentation and each virtual system’s traffic must be isolated from other virtual systems, you can create one or more virtual routers for each virtual system.
Benefits of Virtual Systems
Virtual systems provide the same basic functions as a physical firewall, along with additional benefits:
- Segmented administration—Different organizations (or customers or business units) can control (and monitor) a separate firewall instance, so that they have control over their own traffic without interfering with the traffic or policies of another firewall instance on the same physical firewall.
- Scalability—After the physical firewall is configured, adding or removing customers or business units can be done efficiently. An ISP, managed security service provider, or enterprise can provide different security services to each customer.
- Reduced capital and operational expenses—Virtual systems eliminate the need to have multiple physical firewalls at one location because virtual systems co-exist on one firewall. By not having to purchase multiple firewalls, an organization can save on the hardware expense, electric bills, and rack space, and can reduce maintenance and management expenses.
Use Cases for Virtual Systems
There are many ways to use virtual systems in a network. One common use case is for an ISP or a managed security service provider (MSSP) to deliver services to multiple customers with a single firewall. Customers can choose from a wide array of services that can be enabled or disabled easily. The firewall’s role-based administration allows the ISP or MSSP to control each customer’s access to functionality (such as logging and reporting) while hiding or offering read-only capabilities for other functions.
Another common use case is within a large enterprise that requires different firewall instances because of different technical or confidentiality requirements among multiple departments. As in the above case, different groups can have different levels of access while IT manages the firewall itself. Services can be tracked and billed back to departments, making separate financial accountability possible within an organization.
Platform Support and Licensing for Virtual Systems
Virtual systems are supported on the PA-2000, PA-3000, PA-4000, PA-5000, and PA-7000 Series firewalls. Each firewall series supports a base number of virtual systems; the number varies by platform. A Virtual Systems license is required in the following cases:
- To support multiple virtual systems on PA-2000 or PA-3000 Series firewalls.
- To create more than the base number of virtual systems supported on a platform.
For license information, see Activate Licenses and Subscriptions. For the base and maximum number of virtual systems supported, see the Compare Firewalls tool.
Multiple virtual systems are not supported on the PA-200, PA-500 or VM-Series firewalls.
Administrative Roles for Virtual Systems
A superuser administrator can create virtual systems and add a Device Administrator, vsysadmin, or vsysreader. A Device Administrator can access all virtual systems, but cannot add administrators. The two types of virtual system administrative roles are:
- vsysadmin—Has access to specific virtual systems on the firewall to create and manage specific aspects of virtual systems. A vsysadmin doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles. Persons with vsysadmin permission can commit configurations for only the virtual systems assigned to them.
- vsysreader—Has read-only access to specific virtual systems on the firewall and specific aspects of virtual systems. A vsysreader doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
A virtual system administrator can view logs of only the virtual systems assigned to that administrator. Someone with superuser or Device Administrator permission can view all of the logs or select a virtual system to view.
Shared Objects for Virtual Systems
If your administrator account extends to multiple virtual systems, you can choose to configure objects (such as an address object) and policies for a specific virtual system or as shared objects, which apply to all of the virtual systems on the firewall. If you try to create a shared object with the same name and type as an existing object in a virtual system, the virtual system object is used.
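The administrative boundary described in the two sections above (role scope for vsysadmin and vsysreader, and the rule that a virtual system object wins over a shared object of the same name and type) can be modelled as a small policy check. The code below is an added illustration, not PAN-OS code or its API; the role names follow the page, while the `authorize` and `resolve_object` functions, the action names, the area labels and the sample tenants are assumptions made for the example.

```python
from dataclasses import dataclass

# Network-level configuration that vsysadmin and vsysreader cannot reach (list from the page).
NETWORK_SCOPE = {"interfaces", "vlans", "virtual-wires", "virtual-routers", "ipsec-tunnels",
                 "dhcp", "dns-proxy", "qos", "lldp", "network-profiles"}

@dataclass
class Admin:
    name: str
    role: str                       # superuser | deviceadmin | vsysadmin | vsysreader
    vsys: frozenset = frozenset()   # virtual systems assigned to a vsys-scoped role

def authorize(admin, action, vsys=None, area=None):
    """Decide whether `admin` may perform `action` ('read', 'write', 'commit' or
    'add-admin') on the given virtual system / configuration area (hypothetical labels)."""
    if admin.role == "superuser":
        return True                          # creates vsys and administrators
    if admin.role == "deviceadmin":
        return action != "add-admin"         # reaches every vsys, cannot add administrators
    if admin.role not in ("vsysadmin", "vsysreader"):
        return False                         # unknown role: deny by default
    if action == "add-admin" or area in NETWORK_SCOPE:
        return False                         # outside the virtual system boundary
    if vsys not in admin.vsys:
        return False                         # only assigned virtual systems (logs included)
    if admin.role == "vsysreader":
        return action == "read"              # read-only
    return True                              # vsysadmin: manage and commit its own vsys

def resolve_object(name, kind, vsys, vsys_objects, shared_objects):
    """Return the object a policy in `vsys` would use: a vsys-local object of the same
    name and type takes precedence over a shared one; None if neither exists."""
    local = vsys_objects.get(vsys, {}).get((name, kind))
    if local is not None:
        return local
    return shared_objects.get((name, kind))

# Constructed sample data (not from the page): two tenants on one firewall.
SHARED = {("corp-dns", "address"): "10.0.0.53/32"}
VSYS_OBJECTS = {"vsys1": {("corp-dns", "address"): "10.1.0.53/32"}, "vsys2": {}}
TENANT_ADMIN = Admin("alice", "vsysadmin", frozenset({"vsys1"}))
AUDITOR = Admin("bob", "vsysreader", frozenset({"vsys1", "vsys2"}))

if __name__ == "__main__":
    print(authorize(TENANT_ADMIN, "commit", vsys="vsys1"))                      # True
    print(authorize(TENANT_ADMIN, "write", vsys="vsys1", area="virtual-routers"))  # False
    print(resolve_object("corp-dns", "address", "vsys1", VSYS_OBJECTS, SHARED))  # vsys-local wins
```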