bykiwi08-30-201706:45 AM - edited 09-12-201701:58 PM
So what are VSYS exactly?
Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. Each virtual system (vsys) is an independent, separately managed firewall with its traffic kept separate from the traffic of other virtual systems.
Sounds like a magical solution, doesn't it?
A popular use case for VSYS -- let's say you are a managed security service provider (MSSP) and would like to deliver services to multiple customers with a single firewall.
Another common use case is within a large enterprise that requires different firewall instances because of different technical or confidentiality requirements among multiple departments.
Note, however, that multiple virtual systems are NOT supported on some platforms PA-200, PA-220, PA-500, PA-800 Series, or VM-Series firewalls.
Also note that a VSYS license is required if you are configuring a PA-3000 Series firewall, or if you are creating more than the base number of virtual systems supported on the platform. If you are not sure how many base VSYS your platform has or what the maximum number of VSYS your platform supports, then you can compare each model on our product comparison page:
I do want to point your attention to the optional Step 4 in this process. While it does say that the step is optional, I strongly recommend that you do it.
Step 4 of the configuration process allows you to limit the resource allocations for sessions, rules, and VPN tunnels allowed for the virtual system, as seen in the illustration below.
Virtual System Limits
By ignoring this step, the VSYS will fall back to using the hardware limits, which are different for each platform. As a result, you could have one particular virtual system hogging all the device resources, leaving you with some very upset customers that are configured on the remaining VSYS.
Virtual systems can be configured quickly and easily, but can cause some frustration if not done properly.
Seeing that this question on virtual system resources popped up on the discussion board, I hope I have clarified how you can safely configure some limitations per VSYS. This flexibility of being able to allocate limits per virtual system allows you to effectively control firewall resources.
Make sure to check out our admin guide on virtual systems where you can read up on their benefits, typical use cases, and how to configure them. You can also read up on how they function with other features like HA or QoS.