PAN-OS® Web Interface Reference Guide
  1. Home
  2. PAN-OS
  3. PAN-OS® Web Interface Reference Guide
  4. Device
  5. Device > Virtual Systems
Previous
Next
A virtual system (vsys) is an independent (virtual) firewall instance that you can separately manage within a physical firewall. Each vsys can be an independent firewall with its own security policy, interfaces, and administrators; a vsys enables you to segment the administration of all policies, reporting, and visibility functions that the firewall provides. For example, if you want to customize the security features for the traffic that is associated with your Finance department, you can define a Finance vsys and then define security policies that pertain only to that department. To optimize policy administration, you can maintain separate administrator accounts for overall firewall and network functions while creating vsys administrator accounts that allow access to individual vsys. This allows the vsys administrator in the Finance department to manage the security policies only for that department.
Networking functions, including static and dynamic routing, pertain to an entire firewall and all its vsys; vsys do not control firewall- and network-level functions. For each vsys, you can specify a collection of physical and logical firewall interfaces (including VLANs and virtual wires) and security zones. If you require routing segmentation for each vsys, you must create/assign additional virtual routers and assign interfaces, VLANs, and virtual wires as needed.
If you use a Panorama template to define vsys, you can set one vsys as the default. The default vsys and Multiple Virtual Systems mode determine whether firewalls accept vsys-specific configurations during a template commit:
Firewalls that are in Multiple Virtual Systems mode accept vsys-specific configurations for all vsys that are defined in the template. Firewalls that are not in Multiple Virtual Systems mode accept vsys-specific configurations only for the default vsys. Note that if you do not set a vsys as the default, these firewalls accept no vsys-specific configurations.
The PA-4000, PA-5000, and PA-7000 Series firewalls support multiple virtual systems. The PA-2000 and PA-3000 Series firewalls can support multiple virtual systems only if the appropriate license is installed. The PA-200 and PA-500 firewalls do not support multiple virtual systems.
Additional points to consider before enabling multiple virtual systems:
A vsys administrator creates and manages all items needed for policies. Zones are objects within vsys. Before defining a policy or policy object, select the Virtual System from the drop-down on the Policies or Objects tab. You can set remote logging destinations (SNMP, syslog, and email), applications, services, and profiles to be available to all vsys (shared) or to a single vsys. You can configure global (to all vsys on a firewall) or vsys-specific service routes (see Device > Setup > Services). You can rename a vsys only on the local firewall. On Panorama, renaming a vsys is not supported. If you rename a vsys on Panorama, you will create an entirely new vsys, or the new vsys name may get mapped to the wrong vsys on the firewall.
Before defining vsys, you must first enable the multiple vsys capability on the firewall—select Device > Setup > Management, edit the General Settings, select Multi Virtual System Capability, and click OK. This adds a Device > Virtual Systems page. Select the page, click Add, and specify the following information.
Virtual System Setting Description
ID Enter an integer identifier for the vsys. Refer to the data sheet for your firewall model for information on the number of supported vsys. If you use a Panorama template to configure the vsys, this field does not appear.
Name Enter a name (up to 31 characters) to identify the vsys. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. If you use a Panorama template to push vsys configurations, the vsys name in the template must match the vsys name on the firewall.
Allow Forwarding of Decrypted Content Select this option to allow the virtual system to forward decrypted content to an outside service when port mirroring or sending WildFire files for analysis. For information on Decryption Port Mirroring, see Decryption Port Mirroring .
General Tab Select a DNS Proxy object if you want to apply DNS proxy rules to this vsys. See Network > DNS Proxy. To include objects of a particular type, select that type (interface, VLAN, virtual wire, virtual router, or visible virtual system), click Add, and select the object from the drop-down. You can add one or more objects of any type. To remove an object, select it and click Delete.
Resource Tab Specify the resource limits allowed for this virtual system. Each field displays the valid ranges; there are no default values. Sessions Limit —Maximum number of sessions. (If you use the show session meter CLI command, it displays the Maximum number of sessions allowed per dataplane, the Current number of sessions being used by the virtual system, and the Throttled number of sessions per virtual system. On a PA-7000 Series firewall, the Current number of sessions can be greater than the Maximum configured for Sessions Limit because there are multiple dataplanes per virtual system. The Sessions Limit you configure on a PA-7000 Series firewall is per dataplane, and will result in a higher maximum per virtual system.) Security Rules —Maximum number of security rules. NAT Rules —Maximum number of NAT rules. Decryption Rules —Maximum number decryption rules. QoS Rules —Maximum number of QoS rules. Application Override Rules —Maximum number of application override rules. Policy Based Forwarding Rules —Maximum number of policy based forwarding (PBF) rules. Captive Portal Rules —Maximum number of captive portal (CP) rules. DoS Protection Rules —Maximum number of denial of service (DoS) rules. Site to Site VPN Tunnels —Maximum number of site-to-site VPN tunnels. Concurrent GlobalProtect Tunnels —Maximum number of concurrent remote GlobalProtect users.
Previous
Next

Related Documentation

Configure Virtual Systems

Configure Virtual Systems Creating a virtual system requires that you have the following: A superuser administrative role. An interface configured. A Virtual Systems license if ...

CLI Jump Start

CLI Jump Start The following table provides quick start information for configuring the features of Palo Alto Networks devices from the CLI. Where applicable for ...

CLI Cheat Sheet: VSYS

CLI Cheat Sheet: VSYS Use the following commands to administer a Palo Alto Networks firewall with multiple virtual system (multi-vsys) capability. You must have superuser, ...

Move or Clone a Policy Rule or Object to a Different Virtual System

Move or Clone a Policy Rule or Object to a Different Virtual System On a firewall that has more than one virtual system (vsys), you ...

Configure QoS for a Virtual System

Configure QoS for a Virtual System QoS can be configured for a single or several virtual systems configured on a Palo Alto Networks firewall. Because ...

PAN-OS 7.1.8 Addressed Issues

PAN-OS 7.1.8 Addressed Issues The following table lists the issues that are addressed in the PAN-OS® 7.1.8 release. For new features, associated software versions, known ...

Add a Template

Add a Template You must add at least one template before Panorama will display the Device and Network tabs required to define the network set ...

Configure a Template Stack

Configure a Template Stack A template stack is a combination of templates: Panorama pushes the settings from every template in the stack to the firewalls ...

Commit Configuration Changes

Commit Configuration Changes Any change in the Palo Alto Networks device configuration is first written to the candidate configuration. The change only takes effect on ...

Configure a Shared Gateway

Configure a Shared Gateway Perform this task if you need multiple virtual systems to share an interface (a Shared Gateway ) to the Internet. This ...

© 2019 Palo Alto Networks, Inc. All rights reserved.