Virtual Systems Communication

Communication Between Virtual Systems

There are two typical scenarios where communication between virtual systems (inter- vsys traffic) is desirable. In a multi-tenancy environment, communication between virtual systems can occur by having traffic leave the firewall, go through the Internet, and re-enter the firewall. In a single organization environment, communication between virtual systems can remain within the firewall. This section discusses both scenarios.

Inter-VSYS Traffic That Must Leave the Firewall

An ISP that has multiple customers on a firewall (known as multi-tenancy ) can use a virtual system for each customer, and thereby give each customer control over its virtual system configuration. The ISP grants vsysadmin permission to customers. Each customer’s traffic and management are isolated from the others. Each virtual system must be configured with its own IP address and one or more virtual routers in order to manage traffic and its own connection to the Internet.

If the virtual systems need to communicate with each other in a multi-tenancy setup managed by the ISP, that traffic typically goes out the firewall to another Layer 3 routing device (like the Internet) and back to the firewall, even though the virtual systems exist on the same physical firewall, as shown in the following figure.

Multi-Tenancy VSYS Communication Diagram

Diagram illustrating inter-VSYS traffic leaving the firewall (via Internet/External Router) and re-entering for communication between two VSYS in a multi-tenancy scenario.

Mermaid Diagram: Multi-Tenancy Inter-VSYS Traffic Flow

Simplified flow showing traffic leaving the firewall to communicate between VSYS A and VSYS B in a multi-tenancy setup.

Inter-VSYS Traffic That Remains Within the Firewall

Unlike the preceding multi-tenancy scenario, virtual systems on a firewall can be under the control of a single organization. The organization wants to both isolate traffic between virtual systems and allow communications between virtual systems. This common use case arises when the organization wants to provide departmental separation and still have the departments be able to communicate with each other or connect to the same network(s). In this scenario, the inter- vsys traffic remains within the firewall, as described in the following topics:

External Zone
External Zones and Security Policies For Traffic Within a Firewall
Inter-VSYS Communication Uses Two Sessions

This scenario is common in enterprise deployments where internal segmentation is needed using VSYS, but communication between segments is also required without exiting the physical firewall.

External Zone

The communication desired in the single-organization use case is achieved by configuring security policies that point to or from an external zone. An external zone is a security object that is associated with a specific virtual system that it can reach; the zone is external to the virtual system. A virtual system can have only one external zone, regardless of how many security zones the virtual system has within it. External zones are required to allow traffic between zones in different virtual systems, without the traffic leaving the firewall.

The virtual system administrator configures the security policies needed to allow traffic between two virtual systems. Unlike security zones, an external zone is not associated with an interface; it is associated with a virtual system. The security policy allows or denies traffic between the security (internal) zone and the external zone.

Because external zones do not have interfaces or IP addresses associated with them, some zone protection profiles are not supported on external zones.

Remember that each virtual system is a separate instance of a firewall, which means that each packet moving between virtual systems is inspected for security policy and App-ID evaluation.

Mermaid Diagram: External Zone Concept

graph LR subgraph "VSYS A" ZA[Zone A (Internal)] --> XA(External Zone A) end subgraph "VSYS B" XB(External Zone B) --> ZB[Zone B (Internal)] end XA -- Represents Reachability To --> VSYS_B[VSYS B] VSYS_B -- Receives Traffic From --> XB classDef zone fill:#add8e6,stroke:#333,stroke-width:1px; classDef externalZone fill:#ffb6c1,stroke:#333,stroke-width:1px; classDef vsys fill:#90ee90,stroke:#333,stroke-width:2px; class ZA,ZB zone; class XA,XB externalZone; class VSYS_B vsys;

Illustrating the concept of an External Zone as a representation of reachability to another VSYS, rather than an interface.

External Zones and Security Policies For Traffic Within a Firewall

In the following example, an enterprise has two separate administrative groups: the departmentA and departmentB virtual systems. The following figure shows the external zone associated with each virtual system, and traffic flowing from one trust zone, out an external zone, into an external zone of another virtual system, and into its trust zone.

Single Org Inter-VSYS Communication Diagram

Diagram illustrating inter-VSYS traffic staying within the firewall using external zones for communication between two VSYS in a single-organization scenario.

To create external zones, the firewall administrator must configure the virtual systems so that they are visible to each other. External zones do not have security policies between them because their virtual systems are visible to each other.

To communicate between virtual systems, the ingress and egress interfaces on the firewall are either assigned to a single virtual router or else they are connected using inter-virtual router static routes. The simpler of these two approaches is to assign all virtual systems that must communicate with each other to a single virtual router .

There might be a reason that the virtual systems need to have their own virtual router, for example, if the virtual systems use overlapping IP address ranges . Traffic can be routed between the virtual systems, but each virtual router must have static routes that point to the other virtual router(s) as the next hop.

Referring to the scenario in the figure above, we have an enterprise with two administrative groups: departmentA and departmentB . The departmentA group manages the local network and the DMZ resources. The departmentB group manages traffic in and out of the sales segment of the network. All traffic is on a local network, so a single virtual router is used. There are two external zones configured for communication between the two virtual systems. The departmentA virtual system has three zones used in security policies: deptA -DMZ, deptA -trust, and deptA -External. The departmentB virtual system also has three zones: deptB -DMZ, deptB -trust, and deptB -External. Both groups can control the traffic passing through their virtual systems.

In order to allow traffic from deptA -trust to deptB -trust, two security policies are required. In the following figure, the two vertical arrows indicate where the security policies (described below the figure) are controlling traffic.

Two Security Policies for VSYS Communication

Diagram showing traffic flow requiring two security policies for communication between VSYS A and VSYS B within the same firewall.

Security Policy 1 : In the preceding figure, traffic is destined for the deptB -trust zone. Traffic leaves the deptA -trust zone and goes to the deptA -External zone. A security policy must allow traffic from the source zone ( deptA -trust) to the destination zone ( deptA -External). A virtual system allows any policy type to be used for this traffic, including NAT.
- No policy is needed between external zones because traffic sent to an external zone appears in and has automatic access to the other external zones that are visible to the original external zone.
Security Policy 2 : In the preceding figure, the traffic from deptB -External is still destined to the deptB -trust zone, and a security policy must be configured to allow it. The policy must allow traffic from the source zone ( deptB -External) to the destination zone ( deptB -trust).

The departmentB virtual system could be configured to block traffic from the departmentA virtual system, and vice versa. Like traffic from any other zone, traffic from external zones must be explicitly allowed by policy to reach other zones in a virtual system.

In addition to external zones being required for inter-virtual system traffic that does not leave the firewall, external zones are also required if you configure a Shared Gateway , in which case the traffic is intended to leave the firewall.

Mermaid Diagram: Policies for Internal Inter-VSYS Traffic

graph TD A[Host in deptA-trust] --> B{VSYS A Security Policy 1}; B -->|Allow deptA-trust -> deptA-External| C[VSYS A External Zone (deptA-External)]; C -- Inter-VSYS Routing (Internal) --> D[VSYS B External Zone (deptB-External)]; D --> E{VSYS B Security Policy 2}; E -->|Allow deptB-External -> deptB-trust| F[Server in deptB-trust]; classDef zone fill:#add8e6,stroke:#333,stroke-width:1px; classDef externalZone fill:#ffb6c1,stroke:#333,stroke-width:1px; classDef policy fill:#ffe4b5,stroke:#333,stroke-width:1px; class A,F zone; class C,D externalZone; class B,E policy;

Flow illustrating the two security policies required for communication between deptA-trust (VSYS A) and deptB-trust (VSYS B) using external zones.

Inter-VSYS Communication Uses Two Sessions

It is helpful to understand that communication between two virtual systems uses two sessions, unlike the one session used for a single virtual system. Let’s compare the scenarios.

Scenario 1 (Intra-VSYS) —Vsys1 has two zones: trust1 and untrust1. A host in the trust1 zone initiates traffic when it needs to communicate with a device in the untrust1 zone. The host sends traffic to the firewall, and the firewall creates a new session for source zone trust1 to destination zone untrust1. Only one session is needed for this traffic.

Scenario 2 (Inter-VSYS) —A host from vsys1 needs to access a server on vsys2. A host in the trust1 zone initiates traffic to the firewall, and the firewall creates the first session: source zone trust1 to destination zone untrust1. Traffic is routed to vsys2, either internally or externally. Then the firewall creates a second session: source zone untrust2 to destination zone trust2. Two sessions are needed for this inter-vsys traffic.

Mermaid Diagram: Session Comparison

sequenceDiagram participant Host1 as Host in VSYS1 Trust participant Firewall as Palo Alto Networks Firewall participant Server1 as Server in VSYS1 Untrust participant Host2 as Host in VSYS1 Trust participant VSYS1 as VSYS 1 Processing participant VSYS2 as VSYS 2 Processing participant Server2 as Server in VSYS2 Trust Note over Firewall: Scenario 1: Intra-VSYS Host1->>Firewall: Packet (Host1 -> Server1) Firewall->>Firewall: Creates 1st Session (Trust1 -> Untrust1) Firewall->>Server1: Forward Packet rect rgb(191, 223, 255) Note over Firewall: Scenario 2: Inter-VSYS Host2->>Firewall: Packet (Host2 -> Server2) Firewall->>VSYS1: Process in VSYS 1 VSYS1->>VSYS1: Policy Check, Create 1st Session (Trust1 -> External1) VSYS1->>Firewall: Forward (Internal Routing) Firewall->>VSYS2: Process in VSYS 2 VSYS2->>VSYS2: Policy Check, Create 2nd Session (External2 -> Trust2) VSYS2->>Server2: Forward Packet end

Sequence diagram comparing session creation for traffic within a VSYS (1 session) versus traffic between VSYS (2 sessions).

Configure Inter-Virtual System Communication within the Firewall

Perform this task if you have a use case, perhaps within a single enterprise, where you want the virtual systems to be able to communicate with each other within the firewall. Such a scenario is described in Inter-VSYS Traffic That Remains Within the Firewall . This task presumes:

You completed the task, Configure Virtual Systems .
When configuring the virtual systems, in the Visible Virtual System field, you checked the boxes of all virtual systems that must communicate with each other to be visible to each other.

Configure an external zone for each virtual system.
1. Select Network>Zones and Add a new zone by Name .
2. For Location , select the virtual system for which you are creating an external zone.
3. For Type , select External .
4. For Virtual Systems , click Add and enter the virtual system that the external zone can reach.
5. ( Optional ) Select a Zone Protection Profile (or configure one later) that provides flood, reconnaissance, or packet-based attack protection.
6. ( Optional ) In Log Setting , select a log forwarding profile for forwarding zone protection logs to an external system.
7. ( Optional ) Select Enable User Identification to enable User-ID for the external zone.
8. Click OK .
Configure the Security policy rules to allow or deny traffic from the internal zones to the external zone of the virtual system, and vice versa.
- See Create a Security Policy Rule .
- See Inter-VSYS Traffic That Remains Within the Firewall .
Commit your changes.
Click Commit .

Interactive Quiz: Virtual Systems Communication

Test your knowledge on communication between virtual systems.

1. In a multi-tenancy deployment where customers manage their own VSYS configurations, how does traffic typically pass between virtual systems if not specifically configured for internal routing?

It is automatically routed internally by the firewall. It leaves the firewall, goes through an external Layer 3 device, and re-enters. It requires a dedicated inter-VSYS interface. Communication is blocked by default in this scenario.

Explanation: In a multi-tenancy setup where customers manage their own VSYS, inter-VSYS traffic by default has to leave the physical firewall and come back in via an external router/internet, maintaining separation at the network layer. ( PCNSE/PCNSA Relevant , Important )

2. Which of the following user roles is typically granted to customers in a multi-tenancy environment to manage their virtual system?

superuser vsysadmin deviceadmin auditor

Explanation: The vsysadmin role is specifically designed to give administrative control over a single virtual system instance without affecting others or the firewall's global configuration. ( PCNSE/PCNSA Relevant , CLI/UI Concept )

3. In a single organization scenario wishing to allow inter-VSYS communication *without* traffic leaving the firewall, what type of security object is required?

Shared Gateway Inter-VSYS Link External Zone Virtual Wire

Explanation: An External Zone is the specific security object used to represent reachability to another virtual system within the same firewall instance, enabling internal inter-VSYS routing and policy application. ( PCNSE/PCNSA Relevant , Important )

4. How many external zones can a single virtual system have?

Unlimited One per internal zone One One per virtual system it needs to communicate with

Explanation: A virtual system can only have one External Zone configured, regardless of how many other virtual systems it is visible to or needs to communicate with internally. ( PCNSE/PCNSA Relevant , Gotcha )

5. In a single organization scenario, is an External Zone associated with a specific network interface?

Yes, it must be bound to a Layer 3 interface. Yes, but only to a Virtual Wire interface. No, it is associated with another virtual system. Only if NAT is configured on the zone.

Explanation: Unlike standard security zones which are associated with interfaces, an External Zone represents reachability to another VSYS and is associated with that VSYS, not a physical or logical interface. ( PCNSE/PCNSA Relevant , Important )

6. Which type of traffic inspection happens for packets moving between virtual systems within the same firewall instance?

Only App-ID is performed. Only Security policy checks are performed. Security policy and App-ID evaluations are performed by each virtual system. No inspection is performed as the traffic is internal.

Explanation: Each virtual system is a separate firewall instance. Traffic passing between them is inspected by *both* the source VSYS and the destination VSYS, including security policy lookups and App-ID. ( PCNSE/PCNSA Relevant , Critical )

7. To allow traffic from an internal zone in VSYS A to an internal zone in VSYS B (within the firewall), how many security policies are typically required?

One policy in VSYS A. One policy in VSYS B. One policy in a shared VSYS. Two policies (one in VSYS A, one in VSYS B).

Explanation: Traffic flow requires a policy in the source VSYS (from internal zone to its external zone) and a policy in the destination VSYS (from its external zone to its internal zone). ( PCNSE/PCNSA Relevant , Important )

8. In the single organization scenario using external zones, which statement is true about security policies configured between the external zones themselves?

A single policy is needed between the two external zones. Policies between external zones are required only if NAT is used. No policy is needed between external zones. A default deny policy is implicitly applied between external zones.

Explanation: When virtual systems are configured as "visible" to each other, traffic automatically passes between their external zones internally. Security policies are applied when traffic enters/leaves a VSYS from/to an external zone, not between the external zones themselves. ( PCNSE/PCNSA Relevant )

9. How is traffic routed between virtual systems that have overlapping IP address ranges in a single organization deployment?

A single virtual router is used for all VSYS. Each virtual system requires its own virtual router with static routes pointing to other VSYS routers. NAT must be configured on the external zones. Overlapping IP ranges are not supported between virtual systems.

Explanation: If VSYS use overlapping IP ranges, they cannot share a single virtual router. Each must have its own, and routing between them is achieved via static routes pointing the next hop to the other virtual router's internal routing mechanism. ( PCNSE/PCNSA Relevant , Gotcha )

10. When configuring an External Zone in the UI, what value is selected for the "Type" field?

Trust Untrust External Inter-VSYS

Explanation: The specific zone type used for communication between VSYS within the firewall is 'External'. ( PCNSA Relevant , CLI/UI Concept )

11. When two virtual systems on the same firewall communicate using external zones, how many sessions are created for the communication?

One session Two sessions One session per zone Three sessions

Explanation: Communication between virtual systems effectively involves two distinct packet traversals within the firewall's processing engine: one in the source VSYS and one in the destination VSYS, each resulting in a session entry. ( PCNSE/PCNSA Relevant , Critical )

12. For inter-VSYS traffic staying within the firewall, the first session created is typically between which zones?

Source VSYS Internal Zone to Source VSYS External Zone Source VSYS External Zone to Destination VSYS External Zone Destination VSYS External Zone to Destination VSYS Internal Zone Source VSYS Internal Zone to Destination VSYS Internal Zone

Explanation: The first session is established within the source VSYS as the packet leaves its internal zone, destined for the external zone representing the other VSYS. ( PCNSE/PCNSA Relevant )

13. For inter-VSYS traffic staying within the firewall, the second session created is typically between which zones?

Explanation: The second session is established within the destination VSYS as the packet arrives from its external zone, destined for its internal zone. ( PCNSE/PCNSA Relevant )

14. Which configuration step is required to make virtual systems capable of communicating with each other using external zones?

Linking them with a Virtual Wire interface. Assigning them to the same Zone Protection Profile. Marking them as "Visible" to each other in their configuration. Creating a dedicated "Inter-VSYS Zone" and adding all VSYS to it.

Explanation: The core step to enable internal inter-VSYS communication is to configure the VSYS to be "Visible" to each other, which is done during the initial VSYS creation or modification. ( PCNSA Relevant , CLI/UI Concept )

15. Can Zone Protection Profiles be applied to External Zones?

Yes, but only some profiles like flood and reconnaissance protection. Yes, all Zone Protection Profiles are supported. No, Zone Protection Profiles can only be applied to interface-bound zones. Only if the External Zone is associated with a Shared Gateway.

Explanation: While some Zone Protection Profiles are not supported because External Zones aren't tied to interfaces, profiles providing flood, reconnaissance, or packet-based attack protection *can* be applied. ( Gotcha , PCNSE Relevant )

16. In the configuration steps, which menu path is used to create a new zone, including an External Zone?

Device > Zones Network > Zones Policies > Zones Objects > Zones

Explanation: Zone configuration is located under the Network tab in the Palo Alto Networks firewall UI. ( PCNSA Relevant , CLI/UI Concept )

17. If two virtual systems in a single organization environment share a single virtual router, what does this imply about their IP address ranges?

They must use NAT for all communication. They must not have overlapping IP address ranges. Static routes are required for all inter-VSYS traffic. Each VSYS still requires its own default route.

Explanation: A single virtual router cannot handle overlapping IP ranges across different VSYS because routing decisions would be ambiguous. Using a single virtual router implies non-overlapping IP spaces. ( PCNSE Relevant , Gotcha )

18. Which type of configuration allows inter-VSYS traffic *intended to leave the firewall* to use a common egress point?

Inter-VSYS Static Routes External Zones Dedicated inter-VSYS interfaces Shared Gateway

Explanation: A Shared Gateway is a specific feature designed to allow multiple virtual systems to share an interface or set of interfaces for outbound traffic, typically to the internet or a shared network. This also involves external zones. ( PCNSE Relevant )

19. What happens after successfully configuring and committing changes for internal inter-VSYS communication using external zones?

Traffic automatically flows between internal zones. NAT policies are automatically created. Security policies must still be created to explicitly allow traffic between the internal and external zones in each VSYS. The VSYS administrators can now manage traffic between their VSYS.

Explanation: Configuring external zones and making VSYS visible only sets up the *framework*. Explicit security policies within each virtual system are always required to allow or deny traffic between their internal zones and their external zone. ( PCNSA Relevant , Important )

20. When configuring an External Zone, what information is specified under the "Virtual Systems" section?

The IP address range of the other VSYS. The virtual system(s) that this external zone can reach. The interfaces associated with the other VSYS. The virtual router used by the other VSYS.

Explanation: The "Virtual Systems" setting within an External Zone configuration specifies which other virtual systems this particular external zone represents connectivity to. ( PCNSA Relevant , CLI/UI Concept )