What are multi-vsys firewalls?


L2 Linker

Hi guys,

What are multi-vsys firewalls?

Why do we need multi-vsys firewalls?

What are the pros and cons of using multi-vsys firewalls?

Could I get some cases that need multi-vsys firewalls?

As of now, my Panorama has vsys1 as the default vsys for the templates.

Thanks.


Community Team Member

Hi @tinhnho,

Please check out this multi vsys overview where you will find benefits and use cases:

Virtual Systems Overview

Kind regards,

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Cyber Elite

Hello,

Basically a way to logically segment the firewall for different uses/customers, etc.

Regards,

L0 Member

Hi @tinhnho

Normally vsys is used for Service Providers which need to split (share) a big firewall appliance into small pieces, attaching different interfaces, virtual routers, administrators, objects and so on.

Hope it was helpful.

Cheers,

Urik

PCNSC, PCNSE, PCNSA, PSE: Pro and more

Thanks. If I have 2 firewalls, 5260 and 3220, for 2 customers (each customer has 2-5 staff) and they aren't busy at all, can I segment these 2 firewalls? What steps do we need to segment a firewall into a smaller logical firewall if we can?

Cyber Elite

Hi @tinhnho,

The PA-5260 supports 25 base virtual systems. The PA-3220 supports 1. https://www.paloaltonetworks.com/products/product-comparison?chosen=pa-5260,pa-3220

First, you would need to purchase a vsys license for the PA-3220. Second, you would create a new virtual system. Third, you will create separate administrator roles for each virtual system. Then, your customers can configure their vsys just like a regular NGFW. Vsys1 can continue to be one of those virtual systems. I think you will need to assign interfaces to each vsys before the customers can use them. It has been a while. You could go with separate physical interfaces or use trunk ports and assign different sub-interfaces to each customer.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

Cyber Elite

If each customer manages their firewall themselves, then yes, you need to use vsys to prevent an admin of one customer from seeing the config of another customer.

If you manage it all and customers don't have access to the firewall, then vsys config adds complexity.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
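
The two replies above come down to per-customer administrator scope and per-vsys interfaces. The following check is an added example, not part of any post in this thread: it audits a configuration export for admins who can see more than one customer's vsys and for virtual systems with no interface assigned. The sample XML is constructed, and its element paths and account names are assumptions modelled on an exported PAN-OS configuration, to be verified against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an exported PAN-OS config; the element
# paths are an assumption to check against your own export.
SAMPLE = """<config>
 <mgt-config><users>
  <entry name="admin"><permissions><role-based>
   <superuser>yes</superuser></role-based></permissions></entry>
  <entry name="custA-admin"><permissions><role-based><vsysadmin>
   <entry name="localhost.localdomain"><vsys><member>vsys1</member></vsys>
   </entry></vsysadmin></role-based></permissions></entry>
  <entry name="custB-admin"><permissions><role-based><vsysadmin>
   <entry name="localhost.localdomain"><vsys><member>vsys1</member>
   <member>vsys2</member></vsys></entry></vsysadmin></role-based>
  </permissions></entry>
 </users></mgt-config>
 <devices><entry name="localhost.localdomain"><vsys>
  <entry name="vsys1"><import><network><interface>
   <member>ethernet1/1.100</member></interface></network></import></entry>
  <entry name="vsys2"><import><network><interface/></network></import></entry>
 </vsys></entry></devices>
</config>"""

def audit_vsys_isolation(xml_text):
    """Return sorted (kind, subject, detail) findings for tenant separation."""
    root = ET.fromstring(xml_text)
    findings = []
    for user in root.findall("./mgt-config/users/entry"):
        role = user.find("./permissions/role-based")
        if role is None:
            continue
        # vsys-scoped roles list the virtual systems they may administer
        scope = sorted({m.text for kind in ("vsysadmin", "vsysreader")
                        for m in role.findall(f"./{kind}/entry/vsys/member")})
        if not scope:
            # no vsys scope (superuser, deviceadmin, ...): sees every customer
            findings.append(("device-wide", user.get("name"), "all vsys"))
        elif len(scope) > 1:
            findings.append(("multi-vsys", user.get("name"), ",".join(scope)))
    for vsys in root.findall("./devices/entry/vsys/entry"):
        # a vsys with no imported interface cannot pass customer traffic yet
        if not vsys.findall("./import/network/interface/member"):
            findings.append(("no-interface", vsys.get("name"), "none imported"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_vsys_isolation(SAMPLE):
        print(*finding, sep="\t")
```

Device-wide accounts are listed for review rather than treated as errors: the provider's own administrators legitimately need them, while a customer account should never appear in that list.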

L2 Linker

Thanks guys, I'll be getting a license for vsys.
