03-16-2023 05:20 AM
Hi @tinhnho ,
Please check out this multi vsys overview where you will find benefits and use cases:
Kind regards,
-Kiwi.
03-16-2023 08:03 AM
Hello,
Basically a way to logically segment the firewall for different uses/customers, etc.
Regards,
03-16-2023 09:33 AM
Hi @tinhnho
Normally vsys is used by Service Providers that need to split (share) a big firewall appliance into small pieces, attaching different interfaces, virtual routers, administrators, objects and so on.
Hope it was helpful.
Cheers,
Urik
03-16-2023 10:06 AM
Thanks. If I have 2 firewalls, 5260 and 3220, for 2 customers (each customer has 2-5 staff) and they aren't busy at all, can I segment these 2 firewalls? What steps do we need to segment a firewall into a smaller logical firewall if we can?
03-16-2023 10:22 AM
Hi @tinhnho ,
The PA-5260 supports 25 base virtual systems. The PA-3220 supports 1. https://www.paloaltonetworks.com/products/product-comparison?chosen=pa-5260,pa-3220
First, you would need to purchase a vsys license for the PA-3220. Second, you would create a new virtual system. Third, you will create separate administrator roles for each virtual system. Then, your customers can configure their vsys just like a regular NGFW. Vsys1 can continue to be one of those virtual systems. I think you will need to assign interfaces to each vsys before the customers can use them. It has been a while. You could go with separate physical interfaces or use trunk ports and assign different sub-interfaces to each customer.
Thanks,
Tom
03-16-2023 10:23 AM
If each customer manages their firewall themselves, then yes, you need to use vsys to prevent an admin of one customer from seeing the config of the other customer.
If you manage it all and customers don't have access to the firewall, then vsys config adds complexity.
03-16-2023 11:45 AM
Thanks guys, I'll be getting a license for vsys.