PA 5050 Virtual System

PA 5050 Virtual System

L1 Bithead

I am configuring a PA 5050 firewall. I have to configure virtual systems in this firewall. Can anyone guide me on this configuration?


L6 Presenter

It's pretty straightforward...

Check page 77 and onwards in https://support.paloaltonetworks.com/index.php?option=com_pan&task=dl_tech_doc&filename=PA-4.1_Admin...

To define virtual systems, you must first enable the definition of multiple virtual systems. To do so, open the Device > Setup page, click the Edit link under General Settings in the Management tab, and select the Multi Virtual System Capability check box. This adds a Virtual Systems link to the side menu. I think you need to reboot as well.

You can now open the Virtual Systems page, click Add, and specify the information you wish for each VSYS.

After you have created your VSYS you might want to define which physical interface will belong to which VSYS. If you use each VSYS with L3 you will also need to set up Virtual Routers (click in the network menu) and bind each Virtual Router to each interface (or, if it was, each vsys). The Virtual Router is the routing table used (if you are used to Cisco you can think of VRF).

Then when you create objects or rules you can switch between the VSYS in a dropdown box at the top. When creating objects you can choose to either place them in just a single VSYS (by selecting which VSYS) or by placing them in "Shared". Stuff placed in Shared is available for all VSYS. Let's say you create a group of DNS servers:

object: ns1, 10.0.0.1 (shared)

object: ns2, 10.0.0.2 (shared)

group: NS-servers: ns1, ns2 (shared)

Thanks Mikand. Really appreciate your reply. Can I assign a sub-interface to a vsys also? And can I have an interface, say Eth0/1, assign it to a vsys and then make subinterfaces inside the vsys for this interface (Eth0/1.1, Eth0/0.2 and so on)? Or do I have to first create subinterfaces and then assign them to the vsys?

How do the vsys communicate with each other? Say I have 2 vsys, vsys1 and vsys2. How will they communicate? Please advise.

Did you read the pages I recommended to you in the PDF?

Page 78 describes inter-vsys communications (if you want this).

One can also use shared gateway (described at page 79) for some situations.

So if you want vsys0 to communicate with vsys1 you have basically three options (unless I missed something):

1) vsys0 (ethX) -> (int0/1) L2/L3-switch/router (int0/2) -> vsys1 (ethY)

This way your vsys won't touch each other inside your PAN.

2) vsys0 (zoneX) -> vsys1 (zoneY)

This way the traffic never leaves the box and is routed internally instead. I'm not sure if you can perform tcpdump in this mode (as with 1 above, where you can just span the interface you want on the L2/L3 switch/router to record traffic). Another downside with internal routing is if you (in case of emergency) must cut the connection for a certain vsys. If you use physical interfaces you can just disconnect the cables; otherwise you need to log in to the device, shut down the interfaces and then commit.

3) vsys0 (ethX) -> shared gateway (internally in PAN) -> vsys1 (ethY)

This is like a combination of 1 and 2 above. Shared gateway (as described on page 79) is for when you, for example, only have a single cable (or single IP) from the uplink provider.

I don't remember in which order you can assign the subinterfaces, but I think you first create the VSYS and then when you set up interfaces you choose which vsys and vrouter it belongs to. In my case the setup was really easy (something like): VSYS0 (eth0-3), VSYS1 (eth4-7), VSYS2 (eth8-11). This way I could use the 10G interfaces for uplink and downlink and then bond 2x1G to the DMZ switches.

So PAN1 had (for each VSYS):

10G: Uplink (internetrouter1)

2x1G: DMZ (switch1, LACP)

10G: Downlink (corerouter1)

and PAN2 had:

10G: Uplink (internetrouter2)

2x1G: DMZ (switch2, LACP)

10G: Downlink (corerouter2)

and then a couple of cables (in LACP) between DMZ-switch1 and DMZ-switch2 (in total 2 DMZ switches per VSYS, just to get physical separation).

Oh and in my case only 2 of the VSYS had 10G links while the 3rd had to use "only" 1G for uplink/downlink.

But it is up to you how you wish to construct/design this, depending on how much separation you want between the different DMZs for the different VSYS.

Another design would be to use 2x10G bonded for downlink and connect that internally to a shared gateway, and do the same for uplink (but to another internal shared gateway), and then hook each interface for each VSYS to each shared gateway. And finally use the rest of the 1G interfaces as a large LACP bond to the DMZ (and then use VLANs to separate them). But I dunno if this will actually work 🙂

Like so:

Shared gateway Internet: LACP(eth10G_0, eth10G_1)

Shared gateway Core: LACP(eth10G_2, eth10G_3)

Shared gateway DMZ: LACP(eth1G_4, eth1G_5, eth1G_6, eth1G_7, eth1G_8, eth1G_9, eth1G_10, eth1G_11)

VSYS0:

int_Internet: Shared gateway Internet

int_Core: Shared gateway Core

int_DMZ: Shared gateway DMZ

VSYS1:

int_Internet: Shared gateway Internet

int_Core: Shared gateway Core

int_DMZ: Shared gateway DMZ

VSYS2:

int_Internet: Shared gateway Internet

int_Core: Shared gateway Core

int_DMZ: Shared gateway DMZ

DMZ-switch1:

DMZ_PAN1: LACP(int0/1-7)

DMZ_switch2: LACP(int0/8-15)

DMZ-switch2:

DMZ_PAN2: LACP(int0/1-7)

DMZ_switch1: LACP(int0/8-15)
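As an added example (not from either reply or from Palo Alto's documentation), here are the shared DNS objects from the first reply and option 2 (internal routing) from the second reply written as PAN-OS CLI `set` configuration, so the shared-vs-vsys scoping and the explicit inter-vsys policy are visible in one place. It assumes recent PAN-OS CLI syntax, vsys IDs vsys1/vsys2, and constructed names and addresses (vr-vsys1, to-vsys2, 10.1.0.0/24, 10.2.0.0/24); check the CLI reference for your release before use.

```text
# Shared objects: one definition, visible to every vsys (first reply's DNS example)
set shared address ns1 ip-netmask 10.0.0.1
set shared address ns2 ip-netmask 10.0.0.2
set shared address-group NS-servers static [ ns1 ns2 ]

# vsys1: its own L3 interface, virtual router (the "VRF") and zone
set network interface ethernet ethernet1/1 layer3 ip 10.1.0.1/24
set network virtual-router vr-vsys1 interface ethernet1/1
set vsys vsys1 import network interface ethernet1/1
set vsys vsys1 import network virtual-router vr-vsys1
set vsys vsys1 zone trust network layer3 ethernet1/1

# vsys2: same pattern on a separate interface and virtual router
set network interface ethernet ethernet1/2 layer3 ip 10.2.0.1/24
set network virtual-router vr-vsys2 interface ethernet1/2
set vsys vsys2 import network interface ethernet1/2
set vsys vsys2 import network virtual-router vr-vsys2
set vsys vsys2 zone trust network layer3 ethernet1/2

# Option 2, internal routing between vsys: each virtual router points the
# other vsys's network at the other virtual router (next-vr), not at a cable
set network virtual-router vr-vsys1 routing-table ip static-route to-vsys2-net destination 10.2.0.0/24 nexthop next-vr vr-vsys2
set network virtual-router vr-vsys2 routing-table ip static-route to-vsys1-net destination 10.1.0.0/24 nexthop next-vr vr-vsys1

# An "external" zone in each vsys represents the other vsys. Traffic between
# vsys is dropped until BOTH vsys have a rule allowing it, so scope each rule
# to the shared NS-servers group and the dns application rather than "any"
set vsys vsys1 zone to-vsys2 network external vsys2
set vsys vsys2 zone to-vsys1 network external vsys1
set vsys vsys1 rulebase security rules dns-to-vsys2 from trust to to-vsys2 source any destination NS-servers application dns service application-default action allow
set vsys vsys2 rulebase security rules dns-from-vsys1 from to-vsys1 to trust source any destination NS-servers application dns service application-default action allow

# Nothing takes effect until committed, which is also the step the second reply
# notes you cannot skip when you need to cut an internally routed vsys link
commit
```

Option 1 from the second reply needs none of the next-vr routes or external zones: each vsys simply has a normal L3 zone on its own cable to the external switch/router, and the other vsys is just another network behind it.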
