Use the following commands to administer a Palo Alto
Networks firewall with multiple virtual system (multi-vsys)
capability. You must have superuser, superuser (read-only), device
administrator, or device administrator (read-only) access to use
these commands. These commands are not available for virtual system
administrator or virtual system administrator (read-only) roles.
If you want to .
Use . . .
Find out if the firewall is in multi-vsys mode
show system info | match vsys
View a list of virtual systems configured
on the firewall
After adding a new virtual system
from the CLI, you must log out and log back in to see the new virtual
system within the CLI.
set system setting target-vsys ?
Switch to a particular vsys so that
you can issue commands and view data specific to that vsys
set system setting target-vsys
example, use the following command to switch to vsys2; note that
the vsys name is case sensitive:
set system setting target-vsys vsys2
Session target vsys changed to vsys2
Notice that the command prompt now shows
the name of the vsys you are now administering.
View the maximum number of sessions allowed,
in use, and throttled
show session meter
VSYS Maximum Current Throttled
1 10 30 1587
indicates the maximum number of sessions allowed per dataplane,
Current indicates the number of sessions being used by the virtual
system, and Throttled indicates the number of sessions denied for
the virtual system because the sessions exceeded the Maximum number
multiplied by the number of dataplanes in the system.
shown in this example, on a PA-5200 Series or PA-7000 Series firewall,
the Current number of sessions being used can be greater than the Maximum
configured for Sessions Limit (Device > Virtual Systems > Resource)
because there are multiple dataplanes per virtual system. The Sessions Limit
you configure on a PA-5200 or PA-7000 Series firewall is per dataplane,
and will result in a higher maximum per virtual system.