01-09-2018 02:11 PM
We have Virtual routers and Virtual systems in Palo.
Can anyone help me understand what the real advantage is of having Vsys over VRs?
(or)
What can be achieved by Vsys that cannot be done via VRs?
01-09-2018 02:37 PM
Hello,
So a VR is just part of a Vsys that handles the routing.
That link may help out.
Regards,
01-10-2018 12:33 AM
a vsys helps to completely segregate 2 (or more) firewall instances to the point where they cannot see or participate in each other's sessions
having several VR in the same vsys (a firewall is always at least 1 vsys) will simply separate routing paths but the firewall instance will be aware of all sessions
this can be very important if you're a hosted services provider and have several customers share one physical chassis, or if you need to segregate a perimeter from a core instance
01-10-2018 09:41 AM
I find it helpful to think about it this way:
1 administrator but multiple routing tables = multiple-VR
2+ administrators with multiple routing tables = multi-vsys+multi-VR
Essentially, you bring multiple vsys into the mix when you want to separate the administrative domains... one admin for one VR, and a different admin for another VR, etc.
It's an over-simplification, but that's usually a good place to start.
01-10-2018 09:52 AM
VSYS can come in handy in certain situations where you really should have multiple different firewalls, however for budgetary reasons only one is available.
A good example of this is in County Courthouse buildings. I generally had three different VSYS running on those boxes. One for the Sheriff office connecting through the BCA network; one for the DOJ connections for the actual judicial folks; and one for the rest of the County employees that simply hopped onto the state network. Instead of having three different firewalls in the rack, I could deploy a single firewall with multiple different VSYS and meet all regulatory requirements of separating out the traffic.
01-10-2018 12:03 PM
Thank you all for responses.
01-13-2018 02:17 PM
Another reason for vsys instead of only routing separation is when you have multiple customers, obviously with multiple domains. With vsys you're able to completely separate the user-id part. So you don't have all user-to-ip-mappings in one big table. Also the logging or especially the reporting part gets easier in this situation. It's also possible to customize response pages per vsys ... and many many more.
But in general it's like @BPry wrote. The advantage of having multiple virtual firewalls instead of multiple physical devices.