What is the advantage of having Virtual system(vsys) over VR's

L2 Linker

What is the advantage of having Virtual system(vsys) over VR's

We have Virtual routers and Virtual systems in Palo.

Can anyone help me understand, what is the real advantage of having Vsys over VR's.

(or)

What can be achieved by Vsys that cannot be done via VR's?

Accepted Solutions
Cyber Elite

Re: What is the advantage of having Virtual system(vsys) over VR's

@SuryaR,

VSYS can come in handy in certain situations where you really should have multiple different firewalls, however for budgetary reasons only one is available. 

A good example of this is in County Courthouse buildings. I generally had three different VSYS running on those boxes. One for the Sheriff office connecting through the BCA network; one for the DOJ connections for the actual judicial folks; and one for the rest of the County employees that simply hopped onto the state network. Instead of having three different firewalls in the rack, I could deploy a single firewall with multiple different VSYS and meet all regulatory requirements of separating out the traffic.



All Replies
Cyber Elite

Re: What is the advantage of having Virtual system(vsys) over VR's

Hello,

So a VR is just part of a Vsys that handles the routing.

https://live.paloaltonetworks.com/t5/Configuration-Articles/Routing-in-Multi-VSYS-scenario/tac-p/652...

That link may help out.

Regards,

L7 Applicator

Re: What is the advantage of having Virtual system(vsys) over VR's

a vsys helps to completely segregate 2 (or more) firewall instances to the point where they cannot see or participate in each other's sessions

having several VR in the same vsys (a firewall is always at least 1 vsys) will simply separate routing paths but the firewall instance will be aware of all sessions

this can be very important if you're a hosted services provider and have several customers share one physical chassis, or if you need to segregate a perimeter from a core instance

reaper - PANgurus.com
I drink and I know things
L7 Applicator

Re: What is the advantage of having Virtual system(vsys) over VR's

I find it helpful to think about it this way:

1 administrator but multiple routing tables = multiple-VR

2+ administrators with multiple routing tables = multi-vsys+multi-VR

Essentially, you bring multiple vsys into the mix when you want to separate the administrative domains... one admin for one VR, and a different admin for another VR, etc.

It's an over-simplification, but that's usually a good place to start.

L2 Linker

Re: What is the advantage of having Virtual system(vsys) over VR's

Thank you all for responses. 

Cyber Elite

Re: What is the advantage of having Virtual system(vsys) over VR's

Another reason for vsys instead of only routing separation is when you have multiple customers, obviously with multiple domains. With vsys you're able to completely separate the user-id part. So you don't have all user-to-ip-mappings in one big table. Also the logging or especially the reporting part gets easier in this situation. It's also possible to customize response pages per vsys ... and many many more.

But in general it's like @BPry wrote. The advantage of having multiple virtual firewalls instead of multiple physical devices.
