...What are the advantages of using Virtual Systems, other than being able to divide Management and Reporting of "Virtual" firewalls. In my case, I have a DMZ, Wireless, Trust and Untrust networks connected to a PA 5020. Should I split up the DMZ and Wireless networks into their own Virtual Systems?
Something like this...
eth1/1 - Untrust(internet). No Zone. Shared Gateway to Internet.
eth1/2 - Trust(Internal Network). No Zone. Shared Gateway to Inside.
eth1/3 - DMZ Zone. DMZ Virtual System.
eth1/4 - Wireless Zone. Wireless Virtual System.
It will completely depend on your requirement. In your case it would be efficient if you just separate your network with zones and not with virtual systems. Out of many advantages, one of the major advantage of virtual system if for service providers, who would have separate virtual systems for different customers. If you just want different zones, I would suggest you to manage it within single vsys. Thanks
When using VSYS you will still use a single management for them all (but the logs will use the hostname of each VSYS).
The difference are in the GUI and how the dataplane will function.
In the GUI you will select which VSYS you operate on and by that you only see the security policies defined for this VSYS (which can be handy, instead of having lets say 1500 rules you can with 3x VSYS have 500 each as example).
VSYS can be seen as VDC in the (cisco)router-world. That is you can have two interfaces with the same ip but they have different routingtables and are part of two different physical networks (actually that is called VROUTER in PA regarding different routingtables which can be seen as VRF in the router-world). In most cases you can achieve the same things with or without VSYS so in reality VSYS are more for getting a logic segmentation for the administrators rather than a physical segmentation (it will be easier to think for the admin if you use VSYS rather than trying to setup the same thing in a single VSYS).
VSYS can also help you in case (as already mentioned) have different people which should be able to configure different stuff.
Lets say you have on the inside a SERVERFW and a BACKUPFW where the backuppeople should be able to take care of their own rules. Without VSYS the backup people will be able to see (and maybe also alter) all the rules in the firewall. With VSYS you can setup roles so that backup people can only alter security policies of BACKUPFW while the other firewall admins will be able to alter rules in both "devices".
Another setup where VSYS is handy is when you will consolidate different physical hardware into a single PA cluster (given that you are allowed to use a single hardware for this - there are cases where you must or should use different physical gear). The first transition can be to just keep the current setup and use VSYS (one VSYS per device you replace with the PA cluster). The second transition will be to clean up rules along with make a revision if the physical design can be optimized further.
Hopefully in future the VSYS's will be able to do QoS on VSYS level (that is in an overload situation VSYS1 should for example be favorized over VSYS2, or for that matter define a static resource limit for VSYS1 so even if VSYS1 is getting DDoSed (or such) VSYS2 will have resouces on its own to play with).
With regards to the document there is no exact such document that explains the advantages/disadvantages. In the document below the first few pages might be little bit helpful for you as they talk briefly about deployment scenarios and efficiencies of the virtual system.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!