Virtual System Components and Segmentation
A virtual system is an object that creates an administrative boundary, as shown in the following figure.
A virtual system consists of a set of physical and logical interfaces and subinterfaces (including VLANs and virtual wires), virtual routers, and security zones. You choose the deployment mode(s) (any combination of virtual wire, Layer 2, or Layer 3) of each virtual system. By using virtual systems, you can segment any of the following:
- Administrative access
- The management of all policies (Security, NAT, QoS, Policy-based Forwarding, Decryption, Application Override, Tunnel Inspection, Authentication, and DoS protection)
- All objects (such as address objects, application groups and filters, external dynamic lists, security profiles, decryption profiles, custom objects, etc.)
- Certificate management
- Server profiles
- Logging, reporting, and visibility functions
Virtual systems affect the security functions of the firewall, but virtual systems alone do not affect networking functions such as static and dynamic routing. You can segment routing for each virtual system by creating one or more virtual routers for each virtual system, as in the following use cases:
- If you have virtual systems for departments of one organization, and the network traffic for all of the departments is within a common network, you can create a single virtual router for multiple virtual systems.
- If you want routing segmentation and each virtual system’s traffic must be isolated from other virtual systems, you can create one or more virtual routers for each virtual system.
- If you want to segment the user mappings so that not all mappings are shared across virtual systems, you can configure the User-ID sources on a virtual system that is not a User-ID hub. See Share User-ID Mappings Across Virtual Systems.
Share User-ID Mappings Across Virtual Systems
To share IP address-to-username mappings across virtual systems, assign a virtual system as a User-ID hub. ...
Shared User-ID Mappings Across Virtual Systems
To easily enforce user-based policy in a multi-vsys environment, you can assign a virtual system as the User-ID hub to share mappings with other virtual ...
Virtual System Functionality with Other Features
Virtual System Functionality with Other Features Many firewall features and functionality are capable of being configured, viewed, logged, or reported per virtual system. Therefore, virtual ...
Device > Virtual Systems
Device > Virtual Systems A virtual system (vsys) is an independent (virtual) firewall instance that you can separately manage within a physical firewall. Each vsys ...
Configure Virtual Systems
Configure Virtual Systems Creating a virtual system requires that you have the following: A superuser administrative role. An interface configured. A Virtual Systems license if ...
Benefits of Virtual Systems
Benefits of Virtual Systems Virtual systems provide the same basic functions as a physical firewall, along with additional benefits: Segmented administration —Different organizations (or customers ...
Deploy User-ID in a Large-Scale Network
Deploy User-ID in a Large-Scale Network A large-scale network can have hundreds of information sources that firewalls query to map IP addresses to usernames and ...
Virtual Systems Overview
Virtual Systems Overview Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service ...
PAN-OS 9.0 includes WinRM Support for Server Monitoring, Shared User-ID Mappings Across Virtual Systems, and User-ID Support for Large Numbers of Terminal Servers. ...