Just some words of caution.

1. If you are planning to use VSYSs with a shared gateway, the zone protection policy needs to be applied on the shared gateway interface. You cannot apply it on the untrust external zone within the vsys, because the untrust zone is a logical zone and does not have an interface tied to it inside the vsys. The problem is that you will lose the ability to define specific zone protection settings per vsys; instead you will need to define a much higher setting on the shared gateway from the untrust to your trusted network, which completely defeats the purpose of vsys, which allows you to create a vsys with specific settings without affecting other vsys.