Configure Virtual Systems
Creating a virtual system requires that you have the following:
- Asuperuseradministrative role.
- An interface configured.
- A Virtual Systems license if you are configuring a PA-3000 Series firewall, or if you are creating more than the base number of virtual systems supported on the platform. See Platform Support and Licensing for Virtual Systems.
- Enable virtual systems.
- Selectand edit theDeviceSetupManagementGeneral Settings.
- Select theMulti Virtual System Capabilitycheck box and clickOK. This action triggers a commit if you approve it.Only after enabling virtual systems will theDevicetab display theVirtual SystemsandShared Gatewaysoptions.
- Create a virtual system.
- Select, clickDeviceVirtual SystemsAddand enter a virtual systemID, which is appended to “vsys” (range is 1-255).The default ID is 1, which makes the default virtual systemvsys1. This default appears even on platforms that do not support multiple virtual systems.
- SelectAllow forwarding of decrypted contentif you want to allow the firewall to forward decrypted content to an outside service. For example, you must enable this option for the firewall to be able to send decrypted content to WildFire for analysis.
- Enter a descriptiveNamefor the virtual system. A maximum of 31 alphanumeric, space, and underscore characters is allowed.
- Assign interfaces to the virtual system.The virtual routers, virtual wires, or VLANs can either be configured already or you can configure them later, at which point you specify the virtual system associated with each.
- On theGeneraltab, select aDNS Proxyobject if you want to apply DNS proxy rules to the interface.
- In theInterfacesfield, clickAddto enter the interfaces or subinterfaces to assign to the virtual system. An interface can belong to only one virtual system.
- Do any of the following, based on the deployment type(s) you need in the virtual system:
- In theVLANsfield, clickAddto enter the VLAN(s) to assign to the vsys.
- In theVirtual Wiresfield, clickAddto enter the virtual wire(s) to assign to the vsys.
- In theVirtual Routersfield, clickAddto enter the virtual router(s) to assign to the vsys.
- In theVisible Virtual Systemfield, check all virtual systems that should be made visible to the virtual system being configured. This is required for virtual systems that need to communicate with each other.In a multi-tenancy scenario where strict administrative boundaries are required, no virtual systems would be checked.
- (Optional) Limit the resource allocations for sessions, rules, and VPN tunnels allowed for the virtual system. The flexibility of being able to allocate limits per virtual system allows you to effectively control firewall resources.
- On theResourcetab, optionally set limits for a virtual system. Each field displays the valid range of values, which varies per firewall model. The default setting is 0, which means the limit for the virtual system is the limit for the firewall model. However, the limit for a specific setting isn’t replicated for each virtual system. For example, if a firewall has four virtual systems, each virtual system can’t have the total number of Decryption Rules allowed per firewall. After the total number of Decryption Rules for all of the virtual systems reaches the firewall limit, you cannot add more.
- Sessions LimitIf you use the show session meter CLI command, it displays the Maximum number of sessions allowed per dataplane, the Current number of sessions being used by the virtual system, and the Throttled number of sessions per virtual system. On a PA-5200 or PA-7000 Series firewall, the Current number of sessions being used can be greater than the Maximum configured for Sessions Limit because there are multiple dataplanes per virtual system. The Sessions Limit you configure on a PA-5200 Series or PA-7000 Series firewall is per dataplane, and will result in a higher maximum per virtual system.
- Security Rules
- NAT Rules
- Decryption Rules
- QoS Rules
- Application Override Rules
- Policy Based Forwarding Rules
- Authentication Rules
- DoS Protection Rules
- Site to Site VPN Tunnels
- Concurrent SSL VPN Tunnels
- (Optional) Configure a virtual system as a User-ID hub to Share User-ID Mappings Across Virtual Systems.IP-address-and-port-to-username mapping information from Terminal Server agents and group mapping data is not shared between the virtual system hub and the connected virtual systems.
- For any existing virtual systems, transfer the configuration for the User-ID sources you want to share (such as monitored servers and User-ID agents) to the virtual system you will use as a hub.
- On theResourcetab, selectMake this vsys a User-ID data hub.
- ClickYesto confirm, then clickOK.If you want to change the User-ID hub to a different virtual system or disable it, select the virtual system currently configured as a User-ID hub, then select. Select theResourceChange HubNew User-ID hubfrom the list, or selectnoneto disable the User-ID hub and stop sharing mappings across virtual systems. ClickProceedto confirm and commit your changes.
- Commit the configuration.ClickCommit. The virtual system is now an object accessible from theObjectstab.
- Create at least one virtual router for the virtual system in order to make the virtual system capable of networking functions, such as static and dynamic routing.Alternatively, your virtual system might use a VLAN or a virtual wire, depending on your deployment.
- SelectandNetworkVirtual RoutersAdda virtual router byName.
- ForInterfaces, clickAddand select the interfaces that belong to the virtual router.
- Configure a security zone for each interface in the virtual system.
- Configure the security policy rules that allow or deny traffic to and from the zones in the virtual system.
- Commit the configuration.ClickCommit.After creating a virtual system, you can use the CLI to commit a configuration for only a specific virtual system:commit partial vsys<vsys-id>
- (Optional) View the security policies configured for a virtual system.Open an SSH session to use the CLI. To view the security policies for a virtual system, in operational mode, use the following commands:set system setting target-vsys<vsys-id>show running security-policy
Device > Virtual Systems
Device > Virtual Systems A virtual system (vsys) is an independent (virtual) firewall instance that you can separately manage within a physical firewall. Each vsys ...
Shared User-ID Mappings Across Virtual Systems
To easily enforce user-based policy in a multi-vsys environment, you can assign a virtual system as the User-ID hub to share mappings with other virtual ...
Share User-ID Mappings Across Virtual Systems
To share IP address-to-username mappings across virtual systems, assign a virtual system as a User-ID hub. ...
Platform Support and Licensing for Virtual Systems
Platform Support and Licensing for Virtual Systems Virtual systems are supported on PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls. Each firewall series ...
Configure a Shared Gateway
Configure a Shared Gateway Perform this task if you need multiple virtual systems to share an interface (a Shared Gateway ) to the Internet. This ...
Configure QoS for a Virtual System
Configure QoS for a Virtual System QoS can be configured for a single or several virtual systems configured on a Palo Alto Networks firewall. Because ...
Virtual System Functionality with Other Features
Virtual System Functionality with Other Features Many firewall features and functionality are capable of being configured, viewed, logged, or reported per virtual system. Therefore, virtual ...
Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolut...
Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System In this use ...
Virtual System Components and Segmentation
Virtual System Components and Segmentation A virtual system is an object that creates an administrative boundary, as shown in the following figure. A virtual system ...