When you enable Multi Virtual System Capability,
any virtual system that does not have specific service routes configured
inherits the global service and service route settings for the firewall.
You can instead configure a virtual system to use a different service
route, as described in the following workflow.

A firewall with multiple virtual systems must have interfaces and subinterfaces with non-overlapping IP addresses. A per-virtual system service route for SNMP traps or for Kerberos is for IPv4 only.

The service route for a service strictly follows how you configured the server profile for the service:
- If you define a server profile for the Shared location, the
firewall uses the global service route for that service.
- If you define a server profile for a specific virtual system,
the firewall uses the virtual system-specific service route for
that service.
- If you define a server profile for a specific virtual system
but the virtual system-specific service route for that service is
not configured, the firewall uses the global service route for that service.

The firewall supports syslog forwarding on a virtual system basis. When multiple virtual systems on a firewall are connecting to a syslog server using SSL transport, the firewall can generate only one certificate for secure communication. The firewall does not support each virtual system having its own certificate.
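
The following audit sketch is an added example, not Palo Alto Networks code or part of the original page. It applies the route-selection rules, the IPv4-only limit, and the single-certificate limit described above to a constructed inventory, flagging virtual-system server profiles that would silently use the global service route. The dictionary layout, profile names, and addresses are assumptions for illustration, not a PAN-OS export format.

```python
import ipaddress

# Constructed inventory (hypothetical layout, not a PAN-OS export format).
PROFILES = [
    {"name": "syslog-shared", "service": "syslog", "location": "shared", "transport": "udp"},
    {"name": "syslog-tenant-a", "service": "syslog", "location": "vsys1", "transport": "ssl"},
    {"name": "syslog-tenant-b", "service": "syslog", "location": "vsys2", "transport": "ssl"},
    {"name": "krb-tenant-b", "service": "kerberos", "location": "vsys2"},
    {"name": "snmp-tenant-a", "service": "snmp", "location": "vsys1"},
]
# Per-virtual-system service routes: vsys -> service -> source address (constructed).
VSYS_ROUTES = {
    "vsys1": {"syslog": "10.1.1.5", "snmp": "2001:db8::5"},
    "vsys2": {"syslog": "10.2.1.5"},
}
IPV4_ONLY = {"snmp", "kerberos"}  # per-vsys routes for these services are IPv4 only


def effective_route(profile, vsys_routes):
    """Return (scope, source) for one server profile, following the three rules."""
    loc, svc = profile["location"], profile["service"]
    if loc != "shared":
        src = vsys_routes.get(loc, {}).get(svc)
        if src is not None:
            return (loc, src)      # vsys profile with a vsys-specific route
    return ("global", None)        # Shared profile, or vsys profile without a route


def audit(profiles, vsys_routes):
    """List (subject, issue) pairs a reviewer would want to see before commit."""
    findings = []
    for p in profiles:
        scope, src = effective_route(p, vsys_routes)
        if p["location"] != "shared" and scope == "global":
            findings.append((p["name"], "falls back to global service route"))
        elif scope != "global" and p["service"] in IPV4_ONLY:
            if ipaddress.ip_address(src).version != 4:
                findings.append((p["name"], "per-vsys route must be IPv4"))
    # Every vsys sending syslog over SSL presents the same firewall certificate.
    ssl_vsys = sorted({p["location"] for p in profiles
                       if p["service"] == "syslog" and p.get("transport") == "ssl"
                       and p["location"] != "shared"})
    if len(ssl_vsys) > 1:
        findings.append((",".join(ssl_vsys), "syslog over SSL shares one certificate"))
    return findings


if __name__ == "__main__":
    for subject, issue in audit(PROFILES, VSYS_ROUTES):
        print(f"{subject}: {issue}")
```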