https://live.paloaltonetworks.com/t5/general-topics/overlap-zone-difference-vsys/m-p/261540#M74148 <P>"Just because you can do something doesn't mean you should"</P><P>&nbsp;</P><P>Having managed a multi-vSYS environment, I can definitely recommend you NOT do this.&nbsp; You can because the vSYS are considered completely separate systems.&nbsp; But to keep things straight in your own head, I would recommend defining your zones with meaningful and specific names.&nbsp; This means you will most likely have different zone names in each vSYS naturally.&nbsp; Thoughts?</P> Fri, 17 May 2019 20:00:53 GMT jeremy.larsen 2019-05-17T20:00:53Z https://live.paloaltonetworks.com/t5/general-topics/overlap-zone-difference-vsys/m-p/261441#M74124 <P>HI Expert ,</P><P>&nbsp;</P><P>I would like to know that it can be possible about overlap zone name but&nbsp;difference Vsys such as I would to defind name Zone "Trust" on vsys1 and would to zone name "Trust" on vsys2 as well</P><P>&nbsp;</P><P>Please&nbsp; suggest to me&nbsp;</P><P>&nbsp;</P><P>Thank you&nbsp;</P> Fri, 17 May 2019 07:11:24 GMT https://live.paloaltonetworks.com/t5/general-topics/overlap-zone-difference-vsys/m-p/261441#M74124 Pattarachai 2019-05-17T07:11:24Z https://live.paloaltonetworks.com/t5/general-topics/overlap-zone-difference-vsys/m-p/261464#M74126 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/81046">@Pattarachai</a> ,</P> <P>&nbsp;</P> <P>Yes you can use the same zone names in different vsys.</P> <P>&nbsp;</P> <P>Cheers !</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Fri, 17 May 2019 08:35:18 GMT https://live.paloaltonetworks.com/t5/general-topics/overlap-zone-difference-vsys/m-p/261464#M74126 kiwi 2019-05-17T08:35:18Z https://live.paloaltonetworks.com/t5/general-topics/overlap-zone-difference-vsys/m-p/261540#M74148 <P>"Just because you can do something doesn't mean you should"</P><P>&nbsp;</P><P>Having managed a multi-vSYS environment, I can definitely recommend you NOT do this.&nbsp; You can because the vSYS are considered completely separate systems.&nbsp; But to keep things straight in your own head, I would recommend defining your zones with meaningful and specific names.&nbsp; This means you will most likely have different zone names in each vSYS naturally.&nbsp; Thoughts?</P> Fri, 17 May 2019 20:00:53 GMT https://live.paloaltonetworks.com/t5/general-topics/overlap-zone-difference-vsys/m-p/261540#M74148 jeremy.larsen 2019-05-17T20:00:53Z https://live.paloaltonetworks.com/t5/general-topics/overlap-zone-difference-vsys/m-p/261551#M74151 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/107910">@jeremy.larsen</a>,</P><P>Depends on why you are using multi-vsys to begin with. In certain instances where I utilize multi-vsys in local government buildings to seperate out say Law Enforcement from the rest of the County I wouldn't necissarly say that a zone named "County Untrust" or "LEA Untrust" would really make that big of an difference over just "untrust". It might matter slightly more if you configure in the GUI instead of the XML or CLI, but you do have the dropdown up top specifying what VSYS you are on currently.</P><P>&nbsp;</P><P>It's also something that I've done on purpose when I template the XML file for utilization in Jinja2 for shared security policies where I might only want to make an "Internet Access" policy once or a similar shared policy that I would otherwise have to create in both security rulebases manually. Granted this is an extreme edge-case and something most people would never think of even doing, but reasons to utilize shared zone names do exist.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 17 May 2019 21:18:07 GMT https://live.paloaltonetworks.com/t5/general-topics/overlap-zone-difference-vsys/m-p/261551#M74151 BPry 2019-05-17T21:18:07Z