Device > Virtual Systems
Table of Contents
Expand all | Collapse all
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption > Forwarding Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
End-of-Life (EoL)
Device > Virtual Systems
A virtual system (vsys) is an independent (virtual)
firewall instance that you can separately manage within a physical
firewall. Each vsys can be an independent firewall with its own
Security policy, interfaces, and administrators; a vsys enables
you to segment the administration of all policies, reporting, and
visibility functions that the firewall provides.
For example, if you want to customize the security features for
the traffic that is associated with your Finance department, you
can define a Finance vsys and then define security policies that
pertain only to that department. To optimize policy administration,
you can maintain separate administrator accounts for overall firewall
and network functions while creating vsys administrator accounts
that allow access to an individual vsys. This allows the vsys administrator
in the Finance department to manage the Security policy for only
that department.
Networking functions (such as static and dynamic routing, IP
addresses of interfaces, and IPSec tunnels) pertain to an entire
firewall and all of its virtual systems. A virtual system configuration (DeviceVirtual Systems)
doesn’t control firewall-level and network-level functions (such
as static and dynamic routing, IP addresses of interfaces, IPSec
tunnels, VLANs, virtual wires, virtual routers, GRE tunnels, DHCP,
DNS Proxy, QoS, LLDP and network profiles). For each vsys, you can
specify a collection of physical and logical firewall interfaces
(including VLANs and virtual wires) and security zones. If you require
routing segmentation for each vsys, you must create and assign additional
virtual routers and assign interfaces, VLANs, and virtual wires
as needed.
If you use a Panorama template to define your virtual systems,
you can configure one vsys to be the default. The default vsys and
Multi Virtual System Capability determine whether a firewall accepts
vsys-specific configurations during a template commit:
- Firewalls that have Multi Virtual System Capability enabled accept vsys-specific configurations for any vsys that is defined in the template.
- Firewalls that don’t have Multi Virtual System Capability enabled accept vsys-specific configurations only for the default vsys. If you do not configure a default vsys, then these firewalls will not accept vsys-specific configurations.PA-3200 Series, PA-5200 Series, and PA-7000 Series firewalls support multiple virtual systems. However, PA-3200 Series firewalls require a license for enabling multiple virtual systems. The PA-220 and PA-800 Series firewalls do not support multiple virtual systems.
Before enabling multiple virtual systems, consider the following:
- A vsys administrator creates and manages all items needed for Security policy per assigned virtual system.
- Zones are objects within a vsys. Before defining a policy or policy object, select the appropriate Virtual System from the drop-down on the Policies or Objects tab.
- You can set remote logging destinations (SNMP, syslog, and email), applications, services, and profiles to be available to all virtual systems (shared) or to a single vsys.
- If you have multiple virtual systems, you can select a vsys as a User-ID hub to share the IP address-to-username mapping information between virtual systems.
- You can configure globally (to all virtual systems on a firewall) or vsys-specific service routes (Device > Setup > Services).
- You can rename a vsys only on the local firewall. On Panorama, renaming a vsys is not supported. If you rename a vsys on Panorama, the result is an entirely new vsys or the new vsys name gets mapped to the wrong vsys on the firewall.
Before defining a vsys, you must first enable the multi-vsys
functionality on the firewall. Select DeviceSetupManagement,
edit the General Settings, select Multi
Virtual System Capability, and click OK.
This adds a DeviceVirtual
Systems page. Select the page, Add a
vsys, and specify the following information.
Virtual System Settings | Description |
|---|---|
ID | Enter an integer identifier for the vsys.
Refer to the data sheet for your firewall
model for information on the number of supported virtual systems. If
you use a Panorama template to configure the vsys, this field does
not appear. |
Name | Enter a name (up to 31 characters) to identify
the vsys. The name is case-sensitive and must be unique. Use only
letters, numbers, spaces, hyphens, and underscores. If you use a Panorama template to push vsys configurations,
the vsys name in the template must match the vsys name on the firewall. |
Allow Forwarding of Decrypted Content | Select this option to allow the virtual
system to forward decrypted content to an outside service when port
mirroring or sending WildFire files for analysis. See also Decryption Port Mirroring. |
General Tab | Select a DNS Proxy object
if you want to apply DNS proxy rules to this vsys. (Network
> DNS Proxy). To include objects of a particular type,
select that type (interface, VLAN, virtual wire, virtual router,
or visible virtual system), Add an object,
and select the object from the drop-down. You can add one or more
objects of any type. To remove an object, select and Delete it. |
Resource Tab | Specify the following resource limits allowed
for this vsys. Each field displays the valid range of values, which
varies per firewall model. The default setting is 0, which means
the limit for the vsys is the limit for the firewall model. However,
the limit for a specific setting isn’t replicated for each vsys.
For example, if a firewall has four virtual systems, each virtual
system can’t have the total number of Decryption Rules allowed per
firewall. After the total number of Decryption Rules for all of
the virtual systems reaches the firewall limit, you cannot add more.
|