What is the advantage of having Virtual system(vsys) over VR's

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

What is the advantage of having Virtual system(vsys) over VR's

L3 Networker

We have Virtual routers and Virtual systems in palo.

Can anyone help me understand, what is the real advantage of having Vsys over VR's.

(or)

What can be acheived by Vsys that cannot be done via VR's?

 

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

@SuryaR,

VSYS can come in handy in certain situations where you really should have multiple different firewalls, however for budgetary reasons only one is available. 

A good example of this is in County Courthouse buildings. I generally had three different VSYS running on those boxes. One for the Sheriff office connecting through the BCA network; one for the DOJ connections for the actual judicial folks; and one for the rest of the County employees that simply hopped onto the state network. Instead of having three different firewalls in the rack, I could deploy a single firewall with multiple different VSYS and meet all regulatory requirements of sperating out the traffic. 

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

Hello,

So a VR is just part of a Vsys that handles the routing.

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/Routing-in-Multi-VSYS-scenario/tac-p/652...

 

That link may help out.

 

Regards,

a vsys helps to completely segragate 2 (or more) firewall instances to the point where they cannot see or participate in eachother's sessions

having several VR in the same vsys (a firewall is always at least 1 vsys) will simply separate routing paths but the firewal instance will be aware of all sessions

 

this can be very important if you're a hosted services provider and have several customers share one physical chassis, or if you need to segregate a perimeter from a core instance

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L7 Applicator

I find it helpful to think about it this way:

 

1 administrator but multiple routing tables = multiple-VR

2+ administrators with multiple routing tables = multi-vsys+multi-VR

 

Essentially, you bring multiple vsys into the mix when you want to separate the administrative domains... one admin for one VR, and a different admin for another VR, etc.  

 

It's an over-simplification, but that's usually a good place to start.  

Cyber Elite
Cyber Elite

@SuryaR,

VSYS can come in handy in certain situations where you really should have multiple different firewalls, however for budgetary reasons only one is available. 

A good example of this is in County Courthouse buildings. I generally had three different VSYS running on those boxes. One for the Sheriff office connecting through the BCA network; one for the DOJ connections for the actual judicial folks; and one for the rest of the County employees that simply hopped onto the state network. Instead of having three different firewalls in the rack, I could deploy a single firewall with multiple different VSYS and meet all regulatory requirements of sperating out the traffic. 

L3 Networker

Thank you all for responses. 

Another reason for vsys instead of only routing separation is when you have multiple customers obviously with multiple domains. With vsys you're able to completely separate the user-id part. So you don't have all user-to-ip-mappings in one big table. Also the logging or specially the reporting part gets easier in this situation. It's also possible to customize response pages per vsys ... and many many more.

But in general it's like @BPry wrote. The advantage of having multiple virtual firewalls instead of multiple physical devices.

  • 1 accepted solution
  • 12905 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!