CLI Cheat Sheet: VSYS
Use the following commands to administer a Palo Alto Networks firewall with multiple virtual system (multi-vsys) capability. You must have superuser, superuser (read-only), device administrator, or device administrator (read-only) access to use these commands. These commands are not available for virtual system administrator or virtual system administrator (read-only) roles.
If you want to . . .
Use . . .
admin@PA> show system info | match vsys
multi-vsys: on
admin@PA> set system setting target-vsys ?
  none       none
  vsys1      vsys1
  vsys2      vsys2
  <value>    <value>
admin@PA> set system setting target-vsys <vsys-name>
For example, use the following command to switch to vsys2; note that the vsys name is case sensitive:
> set system setting target-vsys vsys2
Session target vsys changed to vsys2
admin@PA-vsys2>
Notice that the command prompt now shows the name of the vsys you are administering.
admin@PA> show session meter
VSYS   Maximum   Current   Throttled
1      10        30        1587
Maximum indicates the maximum number of sessions allowed per dataplane, Current indicates the number of sessions being used by the virtual system, and Throttled indicates the number of sessions denied for the virtual system because the sessions exceeded the Maximum number multiplied by the number of dataplanes in the system.
As shown in this example, on a PA-5200 Series or PA-7000 Series firewall, the Current number of sessions being used can be greater than the Maximum configured for Sessions Limit (Device > Virtual Systems > Resource) because there are multiple dataplanes per virtual system. The Sessions Limit you configure on a PA-5200 or PA-7000 Series firewall is per dataplane, and will result in a higher maximum per virtual system.
admin@PA-vsys2> show user ip-user-mapping all
admin@PA-vsys2> set system setting target-vsys none
admin@PA>
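The session meter explanation above says the Sessions Limit is enforced per dataplane, so the effective per-vsys ceiling is Maximum multiplied by the number of dataplanes. The following Python sketch is an added example, not Palo Alto Networks code: it parses captured `show session meter` output and classifies each vsys against that ceiling. The function names, the second sample row, and the dataplane count of 3 are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample: the row shown above plus one constructed row for vsys 2.
SAMPLE = """\
admin@PA> show session meter
VSYS Maximum Current Throttled
1 10 30 1587
2 100 42 0
"""

@dataclass
class VsysMeter:
    vsys: str
    maximum: int    # Sessions Limit, enforced per dataplane
    current: int    # sessions in use by the virtual system
    throttled: int  # sessions denied for exceeding the limit
    ceiling: int    # maximum * dataplanes (effective per-vsys limit)

    def status(self) -> str:
        if self.current > self.ceiling:
            return "inconsistent"  # dataplane count supplied is too low
        if self.current == self.ceiling:
            return "at-ceiling"
        return "throttling-seen" if self.throttled else "ok"


def parse_session_meter(text: str, dataplanes: int) -> list[VsysMeter]:
    """Return one VsysMeter per data row; skip prompts, headers, rulers."""
    if dataplanes < 1:
        raise ValueError("dataplanes must be >= 1")
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not all(f.isdigit() for f in fields[1:]):
            continue
        maximum, current, throttled = map(int, fields[1:])
        rows.append(VsysMeter(fields[0], maximum, current, throttled,
                              maximum * dataplanes))
    return rows


def report(text: str, dataplanes: int) -> dict[str, str]:
    """Map vsys id -> status for the captured output."""
    return {m.vsys: m.status() for m in parse_session_meter(text, dataplanes)}


if __name__ == "__main__":
    # dataplanes=3 is an assumption for this sample, not a value from the page.
    for m in parse_session_meter(SAMPLE, dataplanes=3):
        print(m.vsys, m.ceiling, m.current, m.throttled, m.status())
```

An "inconsistent" result means Current exceeds the computed ceiling, which indicates the dataplane count passed in is lower than the platform's actual count.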