Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. Each virtual system (vsys) is an independent, separately managed firewall with its traffic kept separate from the traffic of other virtual systems.
Sounds like a magical solution, doesn't it?
A popular use case for vsys is a managed security service provider (MSSP) that wants to deliver services to multiple customers with a single firewall. You can configure each customer on its own vsys, and it is as if each customer has its own firewall.
Another common use case is within a large enterprise that requires different firewall instances because of different technical or confidentiality requirements among multiple departments.
Note, however, that multiple virtual systems are NOT supported on some platforms: the PA-220, PA-410, PA-415, PA-800 Series, and VM-Series firewalls.
Also note that a VSYS license is required if you are configuring multiple vsys on a PA-3200 Series firewall, or if you are creating more than the base number of virtual systems supported on the platform. If you are not sure how many base vsys your platform has, or the maximum number of vsys it supports, you can compare each model on our product comparison page.
Configuring and enabling a VSYS isn't that complicated. In fact, you can follow the detailed steps here: TechDocs: Configure VSYS
I do want to draw your attention to the optional Step 5 in this process. Although the step is marked optional, I strongly recommend that you do it.
This particular step allows you to limit the resource allocations for sessions, policies, and VPN tunnels allowed for the virtual system, as seen in the illustration below.
If you skip this step, the vsys falls back to the hardware limits, which are different for each platform. As a result, one virtual system could hog all the device resources, leaving you with some very upset customers on the remaining vsys.
Virtual systems can be configured quickly and easily, but they can cause frustration if not configured properly. The ability to allocate limits per virtual system lets you effectively control firewall resources.
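One way to check for the fallback described above, as an added example that is not Palo Alto Networks code: the script reads an exported configuration and reports every vsys that has no limit set for a resource, plus any resource whose per-vsys limits add up to more than the platform capacity. The XML element names, the sample configuration and the capacity figures are assumptions constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modeled on an exported configuration. The element names
# under import/resource are assumptions; confirm them against your own export.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys>
  <entry name="vsys1"><import><resource>
    <max-sessions>200000</max-sessions>
    <max-security-rules>1000</max-security-rules>
    <max-site-to-site-vpn-tunnels>50</max-site-to-site-vpn-tunnels>
  </resource></import></entry>
  <entry name="vsys2"><import><resource>
    <max-sessions>400000</max-sessions>
  </resource></import></entry>
  <entry name="vsys3"/>
</vsys></entry></devices></config>
"""

# Hypothetical platform-wide capacities; use the figures for your own model.
PLATFORM_LIMITS = {
    "max-sessions": 500000,
    "max-security-rules": 2500,
    "max-site-to-site-vpn-tunnels": 200,
}

def audit_vsys_limits(config_xml, platform_limits):
    """Return (unlimited, oversubscribed) for the resources in platform_limits."""
    root = ET.fromstring(config_xml)
    unlimited = []  # (vsys, resource) with no limit: falls back to the hardware limit
    totals = dict.fromkeys(platform_limits, 0)
    for entry in root.findall("./devices/entry/vsys/entry"):
        for resource in platform_limits:
            node = entry.find(f"./import/resource/{resource}")
            if node is None or not (node.text or "").strip():
                unlimited.append((entry.get("name"), resource))
            else:
                totals[resource] += int(node.text)
    # Limits that add up to more than the platform has cannot all be honored at once.
    oversubscribed = {r: t for r, t in totals.items() if t > platform_limits[r]}
    return unlimited, oversubscribed

if __name__ == "__main__":
    missing, over = audit_vsys_limits(SAMPLE_CONFIG, PLATFORM_LIMITS)
    for vsys, resource in missing:
        print(f"{vsys}: no {resource} limit, falls back to hardware limit")
    for resource, total in over.items():
        print(f"{resource}: limits total {total}, above platform capacity")
```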
Make sure to check out our admin guide on virtual systems, where you can read up on their benefits, typical use cases, and how to configure them in more detail. You can also read up on how they function with other features like high availability or QoS here: Virtual Systems Admin Guide.
Share your experience on how you set up your vsys!