Virtual systems are multiple, logical firewall instances within a single Palo Alto Networks physical firewall. Each virtual system is an independent, separately managed logical firewall whose traffic is kept separate from that of the others. Virtual systems are supported on PA-3000 Series, PA-5000 Series and PA-7000 Series firewalls; the number available varies by model and depends on licensing.

One requirement that drives the use of virtual systems is multitenancy. A typical corresponding deployment is a high-availability pair of physical firewalls, each configured with virtual systems for use by tenants. Advantages of using virtual systems include efficiency, from physical consolidation, and agility, since virtual systems can be created quickly.

Managing Virtual Systems

Administrator accounts can be defined at multiple levels of the system. In particular, administrators can be assigned whose control is limited to one or more virtual systems. This ability to support multilevel administrative domains is especially useful for managed security service providers (MSSPs) and for any organization that needs to maintain separation of concerns among many firewall instances.

To manage the use of overall physical firewall resources, limits can be assigned per virtual system (e.g., maximum sessions, maximum number of security rules).

Traffic Flow and Virtual Systems

Traffic can be directed to virtual systems based on virtual wire configuration or VLAN for Layer 2 and Layer 3 deployments. Software elements called virtual routers – part of PAN-OS® running on the physical firewall – control how traffic flows in, out, and between virtual systems.

Traffic between virtual systems can be controlled by policy, and it is subject to the security policy of each virtual system involved. This allows use cases such as network segmentation, with firewall protections applied to the traffic permitted between virtual system-defined segments.
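The two controls described above, per-virtual-system resource limits and policy on traffic crossing between virtual systems, are things an operator will want to verify in a configuration export rather than trust to memory. The following Python script is an added example, not code from Palo Alto Networks or from this page: it audits a constructed configuration export in the shape of a PAN-OS running config. Every name in it (vsys1, vsys2, the zone, interface and rule names, the 50000 session limit) is made up, and the element paths it walks (import/network, setting/resource/max-sessions, zone/entry/network/external, rulebase/security/rules) are assumptions about the export schema that should be checked against a real export before the script is relied on.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS running-config export.
# vsys1 is configured as the text recommends; vsys2 has three defects
# the audit should report. Element paths are assumptions about the schema.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys>
  <entry name="vsys1">
    <import><network>
      <interface><member>ethernet1/1</member></interface>
      <virtual-router><member>vr-tenant1</member></virtual-router>
    </network></import>
    <setting><resource><max-sessions>50000</max-sessions></resource></setting>
    <zone>
      <entry name="trust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
      <entry name="to-vsys2"><network><external><member>vsys2</member></external></network></entry>
    </zone>
    <rulebase><security><rules>
      <entry name="web-to-tenant2">
        <from><member>trust</member></from><to><member>to-vsys2</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>web-browsing</member></application>
        <service><member>application-default</member></service>
        <action>allow</action>
      </entry>
    </rules></security></rulebase>
  </entry>
  <entry name="vsys2">
    <import><network><interface><member>ethernet1/2</member></interface></network></import>
    <zone>
      <entry name="trust2"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
      <entry name="from-vsys1"><network><external><member>vsys1</member></external></network></entry>
    </zone>
    <rulebase><security><rules>
      <entry name="allow-all-from-vsys1">
        <from><member>from-vsys1</member></from><to><member>trust2</member></to>
        <source><member>any</member></source><destination><member>any</member></destination>
        <application><member>any</member></application>
        <service><member>any</member></service>
        <action>allow</action>
      </entry>
    </rules></security></rulebase>
  </entry>
</vsys></entry></devices></config>
"""


def members(node, path):
    """Return the text of every <member> element below the given path as a set."""
    return {m.text for m in node.findall(path + "/member")}


def audit(config_xml):
    """Return {vsys name: [findings]} for every virtual system in the export."""
    root = ET.fromstring(config_xml.strip())
    findings = {}
    for vsys in root.findall("./devices/entry/vsys/entry"):
        issues = []
        # Traffic reaches a vsys only through interfaces imported into it, and
        # Layer 3 forwarding needs a virtual router imported as well.
        if not members(vsys, "./import/network/interface"):
            issues.append("no interface imported: no traffic can reach this vsys")
        if not members(vsys, "./import/network/virtual-router"):
            issues.append("no virtual router imported: Layer 3 forwarding is undefined")
        # Without a per-vsys limit one tenant can exhaust the shared session table.
        if vsys.findtext("./setting/resource/max-sessions") is None:
            issues.append("no max-sessions limit configured for this vsys")
        # External zones are the zones that face another vsys on the same chassis;
        # rules touching them govern inter-virtual-system traffic.
        external = {z.get("name") for z in vsys.findall("./zone/entry")
                    if z.find("./network/external") is not None}
        for rule in vsys.findall("./rulebase/security/rules/entry"):
            crossing = (members(rule, "./from") | members(rule, "./to")) & external
            if not crossing or rule.findtext("./action") != "allow":
                continue
            if members(rule, "./application") == {"any"} and members(rule, "./service") == {"any"}:
                issues.append(f"rule '{rule.get('name')}' allows any application/service "
                              f"across external zone(s) {sorted(crossing)}")
        findings[vsys.get("name")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Run against the sample, the script reports vsys1 as clean and lists three findings for vsys2: no virtual router imported, no session limit, and a rule that allows any application over any service into the tenant from the other virtual system. The last check is deliberately narrow (it flags only allow rules that are any/any on both application and service); a site with stricter standards for inter-virtual-system traffic would tighten it.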