Palo Alto Networks: Setting Up Shared Gateway and Inter-VSYS Communication

This document details the configuration of Shared Gateways and Inter-VSYS (Virtual System) communication on Palo Alto Networks firewalls supporting multiple virtual systems. This is a crucial topic for the PCNSE exam, covering advanced routing and policy control across segmented environments within a single firewall.

Relevant Concepts: Virtual Systems (VSYS), Shared Gateway, Inter-VSYS Routing, External Zones, Virtual Router, Security Policy, NAT, Panorama, Next-Generation Firewall.

Understanding Virtual Systems (VSYS), Shared Gateway, and Inter-VSYS

Virtual Systems allow a single physical or virtual firewall to be segmented into multiple independent virtual firewalls. Each VSYS has its own security policies, network zones, and administrators. This is useful for large organizations, service providers, or even smaller businesses needing strict segmentation (e.g., separating corporate, guest, and lab networks).

The key to both Shared Gateway and Inter-VSYS communication is the combination of External Zones and the Virtual Router. Traffic passing between two VSYS (either to a shared gateway or to another internal VSYS) must leave its source VSYS, be routed via a Virtual Router that contains interfaces from both the source and destination VSYS, and then enter the destination VSYS. Policy control for this inter-VSYS traffic is handled within the *source* VSYS using rules that specify an External Zone as the destination zone.

Logical Design Example

Consider a scenario with three virtual systems: a Shared External Gateway (vsys1) and two internal VSYS (vsys2 for WORK_192 network and vsys3 for HOME_10 network).

graph TD
    subgraph sg1 ["External Gateway (vsys1)"]
        eth1_1("ethernet1/1<br/>Zone: SHARED_UNTRUST")
    end
    subgraph sg2 ["Work VSYS (vsys2)"]
        eth1_2("ethernet1/2<br/>Zone: WORK_192")
    end
    subgraph sg3 ["Home VSYS (vsys3)"]
        eth1_3("ethernet1/3<br/>Zone: HOME_10")
    end
    Router[All-Routes Virtual Router]
    eth1_1 --- Router
    eth1_2 --- Router
    eth1_3 --- Router
    Work_Hosts[WORK Hosts] --> eth1_2
    Home_Hosts[HOME Hosts] --> eth1_3
    Router -- Routing --> External_Internet(Internet)
    Router -- Routing --> Work_Hosts
    Router -- Routing --> Home_Hosts

In this design, ethernet1/1 is assigned to the Shared Gateway VSYS, while ethernet1/2 and ethernet1/3 are assigned to their respective internal VSYS. All three interfaces participate in the same Virtual Router ("All-Routes"), enabling routing decisions across these segments.

Configuration Steps

Part 1: Virtual System and Shared Gateway Setup

  1. Enable Multi Virtual System Capability: Verify that this feature is enabled under Device > Setup > General Settings. This is often enabled via licensing.
    [Screenshot: Enable Multi VSYS]
  2. Assign Interfaces to VSYS: Assign internal interfaces (e.g., ethernet1/2, ethernet1/3) to unique internal virtual systems (vsys2, vsys3). The external interface (e.g., ethernet1/1) should NOT be assigned to a VSYS at this stage; it will be associated with the Shared Gateway implicitly.
    Note: Interfaces assigned to the Shared Gateway VSYS (vsys1) effectively become part of the shared resource pool. Interfaces assigned to other VSYS (vsys2, vsys3, etc.) belong exclusively to those virtual systems.
  3. Define Virtual Systems: Go to Device > Virtual Systems. Create or rename the necessary virtual systems (e.g., vsys1 for Shared_External_GW, vsys2 for WORK_192, vsys3 for HOME_10). Critically, configure the "Visible Virtual Systems" setting for each VSYS to allow it to see the other VSYS it needs to communicate with (both the Shared Gateway and other internal VSYS for Inter-VSYS).
    [Screenshot: Define VSYS - Example 1]
    [Screenshot: Define VSYS - Example 2]
  4. Configure Shared Gateway: Go to Device > Shared Gateways and click "Add". Give it a name and ID. Then, navigate to Network > Interfaces, select the external interface (ethernet1/1), and assign the Shared Gateway from the "Virtual System" dropdown. This implicitly associates the interface with the Shared Gateway VSYS (vsys1).
    [Screenshot: Add Shared Gateway]
    [Screenshot: Assign Shared Gateway to Interface]
  5. Verify Interface Assignments: Check Network > Interfaces to ensure interfaces are correctly assigned to their respective VSYS or the Shared Gateway.
    [Screenshot: Verify Interface Assignments]
  6. Configure Virtual Router: All interfaces involved in inter-VSYS routing (both to the shared gateway and between internal VSYS) must be part of the same Virtual Router. The default Virtual Router is typically used. Configure static routes or dynamic routing within this Virtual Router as needed. For basic internet access, a default route pointing to the ISP gateway is sufficient. Note that the Virtual Router itself is not tied to a specific VSYS; it operates across all VSYS interfaces assigned to it.
    [Screenshot: Virtual Router]
    [Screenshot: Virtual Router Static Route]
  7. Create External Zones for Shared Gateway: To allow policy control from internal VSYS to the shared external gateway, you must create External zones *within each internal VSYS*. These zones represent the "exit point" from that internal VSYS towards the shared resource (the external interface). For example, in vsys2 (WORK_192), create a zone named "Work-to-Untrust" with Type set to 'External' and Forwarding to 'SHARED_UNTRUST'. In vsys3 (HOME_10), create "Home-to-Untrust" with Type 'External' and Forwarding to 'SHARED_UNTRUST'.
    [Screenshot: External Zone Config 1]
    [Screenshot: External Zone Config 2]
    Important PCNSE Concept: External zones are crucial for inter-VSYS policy. A rule in VSYS 'A' allowing traffic to VSYS 'B' will have the Destination Zone set to an *External Zone* defined in VSYS 'A' that forwards to a zone in VSYS 'B'.
  8. Configure Security Policy for Shared Gateway Access: Within each internal VSYS, create Security policy rules to allow traffic from the internal zone to the newly created External zone that forwards to the SHARED_UNTRUST zone. For example, in vsys2 (WORK_192), a rule would be 'Source Zone: WORK_192', 'Destination Zone: Work-to-Untrust', Action: Allow (with appropriate app/service/user matching). Repeat this in vsys3. These rules control which traffic from the internal network is permitted to leave towards the shared external interface.
    [Screenshot: Security Policy Example 1]
    [Screenshot: Security Policy Example 2]
  9. Configure NAT for Shared Gateway Access: NAT is typically configured within the *Shared External Gateway VSYS* (vsys1), as this is where the external interface resides. Configure a NAT rule to translate the source IP addresses of traffic originating from *any* internal VSYS (or specific VSYS) as it exits the firewall via the shared external interface. A common setup is Source NAT (Hide) using the egress interface IP (ethernet1/1). The source zones for this NAT rule should encompass the internal zones (e.g., WORK_192, HOME_10).
    [Screenshot: NAT Configuration]
    PCNSE Tip: NAT happens *after* the security policy lookup. When traffic leaves an internal VSYS towards the Shared Gateway VSYS, it's routed by the Virtual Router. The NAT rule in the Shared Gateway VSYS then performs the translation before the packet exits via the external interface.
  10. Test Shared Gateway Access: Generate traffic from hosts in the internal networks (WORK_192, HOME_10) destined for the internet. Monitor the Traffic logs (Monitor > Logs > Traffic) to verify that sessions are allowed by the security policy in their respective internal VSYS and are being NAT'd correctly as they exit via the Shared External Gateway VSYS.
    [Screenshot: Traffic Log Example 1]
    [Screenshot: Traffic Log Example 2]

Part 2: Inter-VSYS Communication

To allow traffic between internal VSYS (e.g., from HOME_10 in vsys3 to WORK_192 in vsys2), the process is similar to the Shared Gateway setup, again leveraging External Zones.

  1. Create External Zones for Inter-VSYS Communication: Within each internal VSYS that needs to communicate with *another* internal VSYS, create an External zone that forwards to the zone in the target VSYS.
    • In vsys3 (HOME_10), create a zone named "Home-to-Work" with Type 'External' and Forwarding to 'WORK_192' (the zone in vsys2).
    • In vsys2 (WORK_192), create a zone named "Work-to-Home" with Type 'External' and Forwarding to 'HOME_10' (the zone in vsys3).
    [Screenshot: Inter-VSYS External Zone 1]
    [Screenshot: Inter-VSYS External Zone 2]

    After creating these, the Zone list might look like this (showing zones for Shared Gateway and Inter-VSYS):

    [Screenshot: Combined Zone List]
  2. Configure Security Policy for Inter-VSYS Communication: Within each internal VSYS, create Security policy rules to allow traffic from its internal zone to the External zone that forwards to the target internal VSYS.
    • In vsys3 (HOME_10), create a rule: 'Source Zone: HOME_10', 'Destination Zone: Home-to-Work', Action: Allow (with appropriate app/service/user). This rule allows traffic from the HOME_10 network to be routed towards the WORK_192 network.
    • In vsys2 (WORK_192), create a rule: 'Source Zone: WORK_192', 'Destination Zone: Work-to-Home', Action: Allow (with appropriate app/service/user). This rule allows traffic from the WORK_192 network to be routed towards the HOME_10 network.
    [Screenshot: Inter-VSYS Security Policy 1]
    [Screenshot: Inter-VSYS Security Policy 2]
    PCNSE Concept: Policy lookup for inter-VSYS traffic happens only once, in the *source* VSYS. The source zone is the internal zone of that VSYS, and the destination zone is the External zone configured to forward to the target VSYS's internal zone.
  3. Test Inter-VSYS Communication: Generate traffic (e.g., pings, application traffic) from hosts in one internal VSYS (e.g., HOME_10) towards hosts in the other internal VSYS (e.g., WORK_192). Monitor the Traffic logs in the *source* VSYS to verify that the sessions are allowed by the inter-VSYS security policy rule.
    [Screenshot: Inter-VSYS Traffic Log Example]
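The troubleshooting checklist implied by Parts 1 and 2 (same Virtual Router, Visible Virtual Systems, an External zone in the source VSYS, and a rule in the source VSYS only) can be expressed as a small checker. The code below is an added example, not PAN-OS code or the vendor's API; it runs over a constructed dictionary model of the page's three-VSYS topology, using the zone, vsys and interface names the page uses.

```python
# Added example (not PAN-OS code): checks the page's four inter-VSYS
# requirements against a constructed model of its topology.
TOPOLOGY = {
    # Interfaces that are members of the "All-Routes" Virtual Router.
    "vrouter": {"ethernet1/1", "ethernet1/2", "ethernet1/3"},
    "vsys": {
        "vsys1": {"visible": {"vsys2", "vsys3"}, "rules": [],
                  "zones": {"SHARED_UNTRUST": {"type": "layer3", "ifs": {"ethernet1/1"}}}},
        "vsys2": {"visible": {"vsys1", "vsys3"},
                  "zones": {"WORK_192": {"type": "layer3", "ifs": {"ethernet1/2"}},
                            "Work-to-Untrust": {"type": "external", "fwd": ("vsys1", "SHARED_UNTRUST")},
                            "Work-to-Home": {"type": "external", "fwd": ("vsys3", "HOME_10")}},
                  # Security rules as (source zone, destination zone) pairs, action allow.
                  "rules": [("WORK_192", "Work-to-Untrust"), ("WORK_192", "Work-to-Home")]},
        "vsys3": {"visible": {"vsys1", "vsys2"},
                  "zones": {"HOME_10": {"type": "layer3", "ifs": {"ethernet1/3"}},
                            "Home-to-Untrust": {"type": "external", "fwd": ("vsys1", "SHARED_UNTRUST")},
                            "Home-to-Work": {"type": "external", "fwd": ("vsys2", "WORK_192")}},
                  "rules": [("HOME_10", "Home-to-Untrust"), ("HOME_10", "Home-to-Work")]},
    },
}


def check_path(topo, src_vsys, src_zone, dst_vsys, dst_zone):
    """Return the problems that would stop src_zone (in src_vsys) from reaching
    dst_zone (in dst_vsys); an empty list means every requirement is met."""
    problems = []
    src, dst = topo["vsys"][src_vsys], topo["vsys"][dst_vsys]
    # 1. The source VSYS must list the target under Visible Virtual Systems.
    if dst_vsys not in src["visible"]:
        problems.append(f"{src_vsys} cannot see {dst_vsys} (Visible Virtual Systems)")
    # 2. Interfaces of both zones must sit in the same Virtual Router.
    ifs = src["zones"][src_zone].get("ifs", set()) | dst["zones"][dst_zone].get("ifs", set())
    missing = ifs - topo["vrouter"]
    if missing:
        problems.append(f"interfaces outside the shared Virtual Router: {sorted(missing)}")
    # 3. The source VSYS needs an External zone forwarding to the target zone.
    ext = [n for n, z in src["zones"].items()
           if z["type"] == "external" and z.get("fwd") == (dst_vsys, dst_zone)]
    if not ext:
        problems.append(f"no External zone in {src_vsys} forwarding to {dst_vsys}/{dst_zone}")
    # 4. Policy is evaluated once, in the source VSYS: internal zone -> External zone.
    elif not any((src_zone, e) in src["rules"] for e in ext):
        problems.append(f"no security rule in {src_vsys} from {src_zone} to {ext}")
    return problems
```

Removing one of the two inter-VSYS rules (or one entry from a Visible Virtual Systems set) and re-running `check_path` reproduces the kind of one-sided failure the exam troubleshooting scenarios describe.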

PCNSE Relevance and Key Concepts

Understanding Shared Gateway and Inter-VSYS is crucial for the PCNSE exam, especially when dealing with scenarios involving segmentation and resource sharing on a single device. Key takeaways include:

  • All interfaces involved in inter-VSYS traffic (to the Shared Gateway or to another internal VSYS) must belong to the same Virtual Router.
  • Each VSYS must list the VSYS it communicates with under "Visible Virtual Systems".
  • Inter-VSYS traffic is policy-checked once, in the source VSYS, with an External zone as the destination zone.
  • NAT for traffic leaving via the shared external interface is configured in the Shared Gateway VSYS, where the egress interface resides.

Scenarios on the exam might involve troubleshooting connectivity issues between VSYS, determining the correct policy configuration for inter-VSYS traffic, or understanding where NAT should be configured in a shared gateway setup.

Quiz Time! Shared Gateway & Inter-VSYS

1. What is the primary benefit of using Virtual Systems (VSYS) on a Palo Alto Networks firewall?

Correct Answer: b

Virtual Systems enable the partitioning of a single physical or virtual firewall into multiple logical firewall instances, each with its own configuration.

2. In a Shared Gateway configuration, which Virtual System typically hosts the external interface connected to the ISP?

Correct Answer: b

The Shared Gateway VSYS is designated to hold resources like the external interfaces and often handles shared services like NAT and external routing.

3. To enable routing for traffic between different Virtual Systems (both to a Shared Gateway and between internal VSYS), their respective interfaces must:

Correct Answer: c

The Virtual Router is the component that enables routing decisions across interfaces, regardless of which Virtual System they belong to, allowing traffic to pass between them.

4. When configuring a Security Policy rule in VSYS 'A' to allow traffic to a network segment in VSYS 'B', what type of zone is used as the Destination Zone in VSYS 'A'?

Correct Answer: d

External Zones serve as pointers in the source VSYS policy, representing the destination network located in another VSYS (either the Shared Gateway or another internal VSYS).

5. Where is the NAT rule configured when traffic from an internal VSYS exits the firewall via the Shared Gateway's external interface?

Correct Answer: c

NAT rules are configured in the Virtual System where the egress interface resides, which is the Shared Gateway VSYS for traffic heading out to the internet.

6. For inter-VSYS traffic between two internal VSYS (e.g., VSYS A to VSYS B), in which VSYS does the security policy lookup occur?

Correct Answer: a

Policy evaluation for inter-VSYS traffic happens only once, in the source Virtual System. The source zone is the internal zone, and the destination zone is the External zone pointing to the target VSYS.

7. Which setting is necessary on each Virtual System to allow it to route traffic towards another Virtual System?

Correct Answer: c

For Virtual Systems to interact and route traffic between them, the "Visible Virtual Systems" setting must be configured to allow each VSYS to "see" the others it needs to communicate with.

8. In the context of Inter-VSYS communication policy, what does an External Zone configured with "Forwarding to: [Target Zone in another VSYS]" represent?

Correct Answer: b

External Zones are abstract concepts within a VSYS's policy, acting as proxies or references for networks that are logically outside of that VSYS but reachable via the shared Virtual Router.

9. If you have two internal VSYS, VSYS-A and VSYS-B, and you want hosts in VSYS-A to communicate with hosts in VSYS-B, where would you configure the security policy rule to permit this traffic?

Correct Answer: c

Inter-VSYS policy is unidirectional and configured in the source VSYS. The source zone is the internal zone of the source VSYS, and the destination zone is an External zone pointing to the target zone in the destination VSYS.

10. Which Palo Alto Networks product or feature allows for the creation of multiple independent firewall instances on a single device?

Correct Answer: d

Virtual Systems (VSYS) is the feature that provides logical partitioning of a single firewall, enabling independent configurations and policies for different segments or tenants.