Device > Virtual Systems
A virtual system (vsys) is an independent (virtual) firewall instance that you can separately manage within a physical firewall. Each vsys can be an independent firewall with its own Security policy, interfaces, and administrators; a vsys enables you to segment the administration of all policies, reporting, and visibility functions that the firewall provides.
For example, if you want to customize the security features for the traffic that is associated with your Finance department, you can define a Finance vsys and then define security policies that pertain only to that department. To optimize policy administration, you can maintain separate administrator accounts for overall firewall and network functions while creating vsys administrator accounts that allow access to an individual vsys. This allows the vsys administrator in the Finance department to manage the Security policy for only that department.
Networking functions (such as static and dynamic routing, IP addresses of interfaces, and IPSec tunnels) pertain to an entire firewall and all of its virtual systems. A virtual system configuration (Device > Virtual Systems) doesn’t control firewall-level and network-level functions (such as static and dynamic routing, IP addresses of interfaces, IPSec tunnels, VLANs, virtual wires, virtual routers, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP and network profiles). For each vsys, you can specify a collection of physical and logical firewall interfaces (including VLANs and virtual wires) and security zones. If you require routing segmentation for each vsys, you must create and assign additional virtual routers and assign interfaces, VLANs, and virtual wires as needed.
If you use a Panorama template to define your virtual systems, you can configure one vsys to be the default. The default vsys and Multi Virtual System Capability determine whether a firewall accepts vsys-specific configurations during a template commit:
- Firewalls that have Multi Virtual System Capability enabled accept vsys-specific configurations for any vsys that is defined in the template.
- Firewalls that don’t have Multi Virtual System Capability enabled accept vsys-specific configurations only for the default vsys. If you do not configure a default vsys, then these firewalls will not accept vsys-specific configurations.
PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls support multiple virtual systems. However, PA-3000 Series and PA-3200 Series firewalls require a license for enabling multiple virtual systems. The PA-220 and PA-800 Series firewalls do not support multiple virtual systems.
Before enabling multiple virtual systems, consider the following:
- A vsys administrator creates and manages all items needed for Security policy per assigned virtual system.
- Zones are objects within a vsys. Before defining a policy or policy object, select the appropriate Virtual System from the drop-down on the Policies or Objects tab.
- You can set remote logging destinations (SNMP, syslog, and email), applications, services, and profiles to be available to all virtual systems (shared) or to a single vsys.
- If you have multiple virtual systems, you can select a vsys as a User-ID hub to share the IP address-to-username mapping information between virtual systems.
- You can configure service routes globally (for all virtual systems on a firewall) or per vsys (Device > Setup > Services).
- You can rename a vsys only on the local firewall. On Panorama, renaming a vsys is not supported. If you rename a vsys on Panorama, the result is an entirely new vsys or the new vsys name gets mapped to the wrong vsys on the firewall.
Before defining a vsys, you must first enable the multi-vsys functionality on the firewall. Select Device > Setup > Management, edit the General Settings, select Multi Virtual System Capability, and click OK. This adds a Device > Virtual Systems page. Select the page, Add a vsys, and specify the following information.
Virtual System Settings
- ID: Enter an integer identifier for the vsys. Refer to the data sheet for your firewall model for information on the number of supported virtual systems. If you use a Panorama template to configure the vsys, this field does not appear.
- Name: Enter a name (up to 31 characters) to identify the vsys. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. If you use a Panorama template to push vsys configurations, the vsys name in the template must match the vsys name on the firewall.
- Allow Forwarding of Decrypted Content: Select this option to allow the virtual system to forward decrypted content to an outside service when port mirroring or sending WildFire files for analysis. See also Decryption Port Mirroring.
- DNS Proxy: Select a DNS Proxy object (Network > DNS Proxy) if you want to apply DNS proxy rules to this vsys.
- Interface, VLAN, Virtual Wire, Virtual Router, Visible Virtual System: To include objects of a particular type, select that type (interface, VLAN, virtual wire, virtual router, or visible virtual system), Add an object, and select the object from the drop-down. You can add one or more objects of any type. To remove an object, select and Delete it.
- Resource limits: Specify the resource limits allowed for this vsys:
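Two of the rules above are easy to get wrong in practice: the Panorama template commit behaviour (vsys-specific configurations are accepted for every template vsys only when Multi Virtual System Capability is enabled, otherwise only for the default vsys), and the name requirements (up to 31 characters, letters, numbers, spaces, hyphens and underscores, case-sensitive, unique, and identical in template and firewall, since a renamed vsys on Panorama becomes a new vsys or maps to the wrong one). The following pre-commit checker is an added example written for this page; it is not PAN-OS or Panorama code, and the `Firewall`, `Template` and `template_precheck` names and the sample firewalls are constructed for illustration.

```python
"""Hypothetical pre-commit sanity checks for Panorama vsys templates (not PAN-OS code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Name rule from the page: 1-31 characters; letters, digits, spaces, hyphens and
# underscores only. Uniqueness is checked case-sensitively, as the page states.
VSYS_NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,31}")


def validate_vsys_name(name: str, existing: Set[str]) -> List[str]:
    """Return the rule violations for a proposed vsys name (empty list = acceptable)."""
    problems: List[str] = []
    if not VSYS_NAME_RE.fullmatch(name):
        problems.append("name must be 1-31 chars of letters, digits, space, '-' or '_'")
    if name in existing:  # exact, case-sensitive comparison
        problems.append("name already exists on this firewall")
    return problems


@dataclass
class Firewall:
    hostname: str
    multi_vsys: bool                      # Multi Virtual System Capability enabled?
    vsys_names: Set[str] = field(default_factory=set)


@dataclass
class Template:
    vsys_names: List[str]                 # vsys defined in the Panorama template
    default_vsys: Optional[str] = None    # optional default vsys for the template


def accepted_vsys_configs(tmpl: Template, fw: Firewall) -> List[str]:
    """Which vsys-specific configurations in the template this firewall accepts on commit."""
    if fw.multi_vsys:
        return list(tmpl.vsys_names)      # multi-vsys: every vsys defined in the template
    if tmpl.default_vsys is None:
        return []                         # single-vsys, no default: nothing vsys-specific
    return [v for v in tmpl.vsys_names if v == tmpl.default_vsys]


def template_precheck(tmpl: Template, fw: Firewall) -> Dict[str, List[str]]:
    """Report what the commit would accept, silently drop, or fail to map by name."""
    accepted = accepted_vsys_configs(tmpl, fw)
    return {
        "accepted": accepted,
        "dropped": [v for v in tmpl.vsys_names if v not in accepted],
        # Accepted entries whose name has no exact match on the firewall: the
        # rename-on-Panorama hazard (new vsys created, or config lands on the wrong one).
        "name_mismatch": [v for v in accepted if v not in fw.vsys_names],
    }


if __name__ == "__main__":
    # Constructed sample data: one template, one single-vsys and one multi-vsys firewall.
    tmpl = Template(["vsys1", "Finance", "HR"], default_vsys="vsys1")
    single = Firewall("fw-branch", multi_vsys=False, vsys_names={"vsys1"})
    multi = Firewall("fw-dc", multi_vsys=True, vsys_names={"vsys1", "Finance", "hr"})
    for fw in (single, multi):
        print(fw.hostname, template_precheck(tmpl, fw))
    print("name check:", validate_vsys_name("Finance!", set()))
```

Run it before pushing a template: anything listed under `dropped` will not reach that firewall, and anything under `name_mismatch` should be fixed by renaming on the firewall (not on Panorama) so the names match exactly, including case.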