Virtual Systems (vsys) Overview

A virtual system (vsys) is an independent (virtual) firewall instance that you can separately manage within a physical firewall. Each vsys can be an independent firewall with its own Security policy, interfaces, and administrators; a vsys enables you to segment the administration of all policies, reporting, and visibility functions that the firewall provides.

For example, if you want to customize the security features for the traffic that is associated with your Finance department, you can define a Finance vsys and then define security policies that pertain only to that department. To optimize policy administration, you can maintain separate administrator accounts for overall firewall and network functions while creating vsys administrator accounts that allow access to an individual vsys. This allows the vsys administrator in the Finance department to manage the Security policy for only that department.

Critical Point: Networking functions pertain to the entire firewall and all of its virtual systems. A virtual system configuration (Device > Virtual Systems) does not control firewall-level and network-level functions: static and dynamic routing, interface IP addresses, IPSec and GRE tunnels, VLANs, virtual wires, virtual routers, DHCP, DNS Proxy, QoS, LLDP and network profiles. In other words, a vsys is a policy and administration boundary, not a routing boundary. If you require routing segmentation for each vsys, create a virtual router per vsys and assign that vsys its own interfaces, VLANs, and virtual wires as needed.

If you use a Panorama template to define your virtual systems, you can configure one vsys to be the default. The default vsys and the Multi Virtual System Capability setting on each firewall determine whether that firewall accepts vsys-specific configurations during a template commit:
  • A firewall with Multi Virtual System Capability enabled accepts all the vsys-specific configurations in the template.
  • A firewall with Multi Virtual System Capability disabled accepts only the configurations for the default vsys.
  • A firewall with Multi Virtual System Capability disabled accepts none of the vsys-specific configurations if the template has no default vsys.

PCNSE/PCNSA Exam Note: The PA-220 and PA-800 Series firewalls do not support multiple virtual systems. PA-3200 Series, PA-5200 Series, the PA-5450, and PA-7000 Series firewalls support multiple virtual systems. PA-3200 Series firewalls require a license for enabling multiple virtual systems.

Key Considerations Before Enabling Multi-vsys:
  • Multi-vsys is a platform feature: confirm that your model supports it and, where required, that the license is installed before you enable it.
  • A vsys separates policy, objects, reporting visibility and administration, not networking. Routing, interface addressing, VLANs and tunnels stay firewall-wide unless you dedicate virtual routers and interfaces to each vsys.
  • Resource limits are drawn from one firewall-wide pool. A per-vsys limit caps that vsys but does not reserve capacity for it.
  • Rename a vsys only on the firewall itself. Panorama matches template content to a firewall by vsys name, so renaming a vsys in a Panorama template can create a new vsys on the firewall or push configuration to the wrong one.

Virtual Systems Configuration

Before defining a vsys, you must first enable the multi-vsys functionality on the firewall. Select Device > Setup > Management, edit the General Settings, select Multi Virtual System Capability, and click OK. This adds a Device > Virtual Systems page. Select the page, Add a vsys, and specify the following information:

Virtual System Settings:

  • ID: Enter an integer identifier for the vsys. Refer to the data sheet for your firewall model for the number of supported virtual systems.
    If you use a Panorama template to configure the vsys, this field does not appear.
  • Name: Enter a name (up to 31 characters) to identify the vsys. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
    If you use a Panorama template to push vsys configurations, the vsys name in the template must match the vsys name on the firewall exactly, including case.
  • Allow Forwarding of Decrypted Content: Select this option to allow the virtual system to forward decrypted content to an outside service for decryption port mirroring or for WildFire analysis of files. Because this lets cleartext from decrypted sessions leave the firewall, enable it only on a vsys that actually uses those features.
  • General Tab: Select a DNS Proxy object if you want to apply DNS proxy rules to this vsys (Network > DNS Proxy).
    To include objects of a particular type (interface, VLAN, virtual wire, virtual router, or visible virtual system), select that type, Add an object, and select it from the drop-down. You can add one or more objects of any type. To remove an object, select it and Delete it.
Resource Tab Specify the following resource limits allowed for this vsys. Each field displays the valid range of values, which varies per firewall model. The default setting is 0, which means the limit for the vsys is the limit for the firewall model. However, the limit for a specific setting isn’t replicated for each vsys. For example, if a firewall has four virtual systems, each virtual system can’t have the total number of Decryption Rules allowed per firewall. After the total number of Decryption Rules for all of the virtual systems reaches the firewall limit, you cannot add more.
  • Sessions Limit —Maximum number of sessions.

    If you use the show session meter CLI command, the firewall displays the Maximum number of sessions allowed per dataplane, the Current number of sessions being used by the virtual system, and the Throttled number of sessions per virtual system. On PA-5200 Series and PA-7000 Series firewalls, the Current number of sessions being used can be greater than the Maximum configured for Sessions Limit because there are multiple dataplanes per virtual system. The Sessions Limit you configure on these platforms is per dataplane and results in a higher maximum per virtual system.

  • Security Rules —Maximum number of Security rules.
  • NAT Rules —Maximum number of NAT rules.
  • Decryption Rules —Maximum number of decryption rules.
  • QoS Rules —Maximum number of QoS rules.
  • Application Override Rules —Maximum number of application override rules.
  • Policy Based Forwarding Rules —Maximum number of policy-based forwarding (PBF) rules.
  • DoS Protection Rules —Maximum number of denial-of-service (DoS) rules.
  • Site to Site VPN Tunnels —Maximum number of site-to-site VPN tunnels.
  • Concurrent GlobalProtect Tunnels —Maximum number of concurrent remote GlobalProtect users.
  • Inter-Vsys User-ID Data Sharing — Configuring a User-ID data hub requires superuser or administrator privileges.
    • Make this vsys a User-ID data hub —Allow all other virtual systems on the firewall to access shared mappings. After you enable this option, select the Mapping Type you want to share: IP address-to-username mappings ( IP User Mapping ), group mappings ( User Group Mapping ), or both.
    • Change hub —If you want to change which vsys is the User-ID data hub, select a new vsys to reassign that vsys as the User-ID data hub.
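To make the Resource tab semantics concrete, the following is an added example, not Palo Alto Networks code: it models a per-vsys limit of 0 inheriting the firewall-wide limit, the Sessions Limit being applied per dataplane on multi-dataplane platforms, and the rule that a new object must fit under both the vsys limit and the firewall-wide total shared by all virtual systems. The firewall-wide numbers and the dataplane count are assumed placeholders for a hypothetical model, not data-sheet values; the vsys names and counts are constructed.

```python
"""Model the Resource tab semantics: a per-vsys limit of 0 inherits the
firewall-wide limit, every limit is a ceiling rather than a reservation, and a
new object must fit under both the vsys limit and the firewall-wide total.

Added example, not Palo Alto Networks code. The firewall-wide numbers below
are ASSUMED placeholders for a hypothetical model; take real values from the
data sheet for your platform.
"""

# Assumed firewall-wide limits (placeholders, not data-sheet values).
FIREWALL_LIMITS = {
    "sessions": 800_000,
    "security-rules": 10_000,
    "nat-rules": 4_000,
    "decryption-rules": 1_000,
}
# Assumed number of dataplanes. Sessions Limit is applied per dataplane on
# multi-dataplane platforms, so the vsys-wide ceiling is this many times higher.
DATAPLANES = 2


def effective_limit(resource, configured, firewall_limits=FIREWALL_LIMITS):
    """Resolve a configured per-vsys limit: 0 means the firewall-wide limit."""
    cap = firewall_limits[resource]
    if not 0 <= configured <= cap:
        raise ValueError(f"{resource}: {configured} outside valid range 0..{cap}")
    return cap if configured == 0 else configured


def session_ceiling(configured, firewall_limits=FIREWALL_LIMITS, dataplanes=DATAPLANES):
    """Sessions a vsys can actually hold when the limit is enforced per dataplane."""
    return effective_limit("sessions", configured, firewall_limits) * dataplanes


def oversubscribed(vsys_limits, firewall_limits=FIREWALL_LIMITS):
    """Resources whose summed per-vsys ceilings exceed the shared firewall pool.

    For these, at least one vsys can be refused new objects before reaching
    its own limit, because per-vsys limits are not reservations.
    """
    result = []
    for resource, cap in firewall_limits.items():
        total = sum(
            effective_limit(resource, limits.get(resource, 0), firewall_limits)
            for limits in vsys_limits.values()
        )
        if total > cap:
            result.append(resource)
    return result


def can_add(resource, vsys, counts, vsys_limits, firewall_limits=FIREWALL_LIMITS):
    """Decide whether one more object of `resource` can be added to `vsys`.

    `counts` holds what each vsys already has, e.g. {"vsys1": {"nat-rules": 3}}.
    Both checks must pass: the vsys ceiling and the firewall-wide total.
    """
    cap = firewall_limits[resource]
    ceiling = effective_limit(resource, vsys_limits.get(vsys, {}).get(resource, 0), firewall_limits)
    used_here = counts.get(vsys, {}).get(resource, 0)
    used_total = sum(c.get(resource, 0) for c in counts.values())
    if used_here >= ceiling:
        return False, f"{vsys} has reached its {resource} limit of {ceiling}"
    if used_total >= cap:
        return False, f"firewall-wide {resource} limit of {cap} reached across all vsys"
    return True, "ok"


# Constructed scenario: vsys1 leaves most limits at 0 (inherits the pool),
# vsys2 is capped at 300 decryption rules, and together they already hold
# 1,000 decryption rules, i.e. the whole firewall-wide pool.
VSYS_LIMITS = {
    "vsys1": {"nat-rules": 2_000},
    "vsys2": {"decryption-rules": 300, "sessions": 100_000, "nat-rules": 1_500},
}
COUNTS = {
    "vsys1": {"decryption-rules": 800},
    "vsys2": {"decryption-rules": 200},
}

if __name__ == "__main__":
    print("oversubscribed:", oversubscribed(VSYS_LIMITS))
    print("vsys2 session ceiling:", session_ceiling(100_000))
    print("add decryption rule to vsys2:", can_add("decryption-rules", "vsys2", COUNTS, VSYS_LIMITS))
```

In the constructed scenario vsys2 is well under its own limit of 300 decryption rules, yet `can_add` refuses a new rule because the firewall-wide pool is exhausted; `oversubscribed` shows that any resource left at 0 on two or more virtual systems is oversubscribed by construction, which is why explicit per-vsys limits are worth setting when one tenant must not be able to starve another.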

Share User-ID IP-to-Username Mappings Across Virtual Systems

To simplify User-ID™ source configuration when you have multiple virtual systems, configure the User-ID sources on a single virtual system to share IP address-to-username mappings and username-to-group mappings with all other virtual systems on the firewall.

Configuring a single virtual system as a User-ID hub simplifies user mapping by eliminating the need to configure the sources on multiple virtual systems, especially if traffic will pass through multiple virtual systems based on the resources the user is trying to access (for example, in an academic networking environment where a student will be accessing different departments whose traffic is managed by different virtual systems).

To identify the user or group for a session, the firewall first consults the mapping table on the local virtual system (the one where the traffic originated) and applies policy for that user or group. If no mapping exists on the local virtual system, the firewall queries the hub to fetch the IP address-to-username or group mapping. The hub is a fallback, not an override: if a mapping exists on both the local virtual system and the hub, the firewall uses the local mapping, even when the two differ.

After you configure the User-ID hub, a virtual system uses the hub's mapping table whenever it needs to identify a user for user-based policy enforcement, or to display the username in a log or report, and the source is not available locally. Selecting a hub does not remove the mappings that other virtual systems already hold, and those local entries take precedence, so consolidate the User-ID sources on the hub rather than leaving duplicates behind. If you don't want to share mappings from a specific source, you can still configure an individual virtual system to perform its own user or group mapping.

Configuration Steps:

  1. Assign the virtual system as a User-ID hub.
    1. Select Device > Virtual Systems and then select the virtual system where you consolidated your User-ID sources.
    2. On the Resource tab, select Make this vsys a User-ID data hub.
[Screenshot: the 'Make this vsys a User-ID data hub' option. Enabling a Virtual System as a User-ID Data Hub.]
    3. Click Yes to confirm.
[Screenshot: confirmation dialog. Confirmation prompt for making a vsys a User-ID hub.]
    4. Select the Mapping Type that you want to share, then click OK.
      • IP User Mapping —Share IP address-to-username mapping information with other virtual systems.
      • User Group Mapping —Share group mapping information with other virtual systems.

    You must select at least one mapping type.

[Screenshot: selecting mapping types. Selecting the User-ID mapping types to share from the hub.]
  2. Consolidate your User-ID sources and migrate them to the virtual system that you want to use as a User-ID hub.

    This consolidates the User-ID configuration for operational simplicity. By configuring the hub to monitor servers and connect to agents that were previously monitored by other virtual systems, the hub collects the user mapping information instead of having each virtual system collect it independently. If you don't want to share mappings from specific virtual systems, configure those mappings on a virtual system that will not be used as the hub.

    Use the same format for the Primary Username across virtual systems and firewalls.

    1. Remove any sources that are unnecessary or outdated.
    2. Identify all configurations for your Windows-based or integrated agents and any sources that send user mappings using the XML API and copy them to the virtual system you want to use as a User-ID hub.

    Gotcha: IP address-and-port-to-username mapping information from Terminal Server agents is not shared between the User-ID hub and the connected virtual systems.

    3. Specify the subnetworks that User-ID should include in or exclude from mapping.
    4. Define the Ignore User List.
    5. On all other virtual systems, remove any sources that are on the User-ID hub.
  3. Commit the changes to enable the User-ID hub and begin collecting mappings for the consolidated sources.
  4. Confirm the User-ID hub is mapping the users and groups.
    1. Use the show user ip-user-mapping all command to show the IP address-to-username mappings and which virtual system provides each mapping.
    2. Use the show user user-id-agent statistics command to show which virtual system is serving as the User-ID hub.
    3. Confirm the hub is sharing the group mappings by using the following CLI commands:
      • show user group-mapping statistics
      • show user group-mapping state all
      • show user group list
      • show user group name
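The verification step above is where you find out whether consolidation actually worked. The following is an added example, not PAN-OS code, that summarises `show user ip-user-mapping all` output by the virtual system that learned each mapping: non-hub virtual systems still learning mappings point at sources that were not migrated, and a non-hub entry that disagrees with the hub is a local mapping that will silently win over the hub's. The sample output is constructed, and the column layout (whitespace-separated columns under a header row naming IP, Vsys, From and User) is an assumption about the CLI format; adjust the header detection if your version prints different columns.

```python
"""Summarise `show user ip-user-mapping all` output by the virtual system that
provided each mapping, to check that the hub is serving the consolidated
sources after migration.

Added example, not PAN-OS code. SAMPLE_OUTPUT is CONSTRUCTED, and the column
layout (whitespace-separated, header row naming IP, Vsys, From and User) is an
ASSUMPTION about the CLI format.
"""
from collections import Counter, defaultdict

SAMPLE_OUTPUT = """\
IP               Vsys   From     User                    IdleTimeout(s)  MaxTimeout(s)
---------------- ------ -------- ----------------------- --------------- --------------
10.0.0.5         vsys1  AD       acme\\bob                2400            2400
10.0.0.9         vsys1  XMLAPI   acme\\carol              Never           Never
10.0.0.12        vsys1  UIA      acme\\dave               1500            2400
10.0.0.5         vsys2  AD       acme\\alice              900             2400
Total: 4 users
"""


def parse_ip_user_mapping(text):
    """Return one dict per mapping row, keyed by the header names in the output."""
    header = None
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or set(line.strip()) <= {"-", " "}:
            continue  # blank line or the dashed separator under the header
        if header is None:
            if {"IP", "Vsys", "User"} <= set(fields):
                header = fields
            continue
        if len(fields) != len(header):
            continue  # trailer lines such as "Total: N users"
        rows.append(dict(zip(header, fields)))
    return rows


def mappings_by_vsys(rows):
    """How many mappings each vsys learned from its own sources."""
    return Counter(row["Vsys"] for row in rows)


def conflicts_with_hub(rows, hub):
    """IPs that a non-hub vsys maps locally to a different user than the hub does.

    Those local entries win over the hub for that vsys, so each one is either a
    source that was not migrated or a stale mapping that should be cleared.
    Returns {(ip, vsys): (local_user, hub_user)}.
    """
    by_ip = defaultdict(dict)
    for row in rows:
        by_ip[row["IP"]][row["Vsys"]] = row["User"]
    found = {}
    for ip, per_vsys in by_ip.items():
        hub_user = per_vsys.get(hub)
        if hub_user is None:
            continue
        for vsys, user in per_vsys.items():
            if vsys != hub and user != hub_user:
                found[(ip, vsys)] = (user, hub_user)
    return found


def unmigrated_sources(rows, hub):
    """(vsys, source type) pairs still learning mappings outside the hub."""
    return sorted({(r["Vsys"], r["From"]) for r in rows if r["Vsys"] != hub})


if __name__ == "__main__":
    rows = parse_ip_user_mapping(SAMPLE_OUTPUT)
    print("mappings per vsys:", dict(mappings_by_vsys(rows)))
    print("local entries that override the hub:", conflicts_with_hub(rows, "vsys1"))
    print("sources still outside the hub:", unmigrated_sources(rows, "vsys1"))
```

After a clean migration, `unmigrated_sources` should be empty apart from Terminal Server agents, which by design stay on the vsys that runs them, and `conflicts_with_hub` should be empty; anything else is a mapping that policy on that vsys will enforce instead of the hub's.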

Diagram: User-ID Hub Mapping Flow

graph TD
    A[User Traffic] --> B(Virtual System X);
    B --> C{Lookup Local Map};
    C -- Found --> D(Apply Policy);
    C -- Not Found --> E(Query User-ID Hub);
    E --> F[User-ID Hub Map];
    F -- Mapping Found --> G(Apply Policy with Hub Data);
    F -- No Mapping --> H(Default Policy);
    D --> I(Logs/Reporting);
    G --> I;
    H --> I;
    subgraph Firewall
        B; C; E;
        subgraph User-ID Hub VSYS
            F;
        end
    end
Flowchart illustrating how a virtual system uses its local User-ID map and queries the hub if needed.

Share User-ID Group Mappings Across Virtual Systems

To simplify group-based policy configuration and enforcement, you can share group mappings across virtual systems. When you configure a virtual system as a hub, other virtual systems can refer to the hub for mappings when they need to identify groups, instead of each virtual system collecting the information independently.

If a group mapping on the local virtual system differs from the group mapping on the hub, the firewall uses the local mapping.

Use the same format for the Primary Username across virtual systems and firewalls.
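The lookup order described in both the IP-to-username section and this group-mapping section is easy to get backwards in practice, so here is an added example, not PAN-OS code, that models it: the local table is consulted first, the hub is a fallback only, a local entry wins over a conflicting hub entry, the hub never queries other virtual systems for its own traffic, and Terminal Server (IP-and-port) mappings are never fetched from the hub. All usernames, addresses and tables are constructed.

```python
"""Model of how a virtual system resolves a user and that user's groups when a
User-ID hub is configured: local table first, hub as fallback, local wins on
conflict, and Terminal Server (IP-and-port) mappings stay local.

Added example, not PAN-OS code. All tables, usernames and addresses are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class VsysUserId:
    name: str
    ip_user: Dict[str, str] = field(default_factory=dict)                # IP -> username
    port_user: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (IP, source port) -> username, from a TS agent
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)       # username -> groups


@dataclass
class Firewall:
    vsys: Dict[str, VsysUserId]
    hub: Optional[str] = None     # name of the vsys acting as User-ID data hub
    share_ip_user: bool = True    # hub shares IP User Mapping
    share_groups: bool = True     # hub shares User Group Mapping

    def _hub_for(self, vsys_name: str) -> Optional[VsysUserId]:
        """The hub is a fallback for other virtual systems, never for itself."""
        if self.hub and self.hub != vsys_name:
            return self.vsys[self.hub]
        return None

    def resolve_user(self, vsys_name: str, ip: str, src_port: Optional[int] = None):
        """Return (username, vsys that provided it) or (None, None)."""
        local = self.vsys[vsys_name]
        # Terminal Server mappings are keyed by IP and port and stay on the vsys
        # whose agent learned them; the hub never supplies them.
        if src_port is not None and (ip, src_port) in local.port_user:
            return local.port_user[(ip, src_port)], vsys_name
        # A local IP-to-username entry wins even when the hub holds a different one.
        if ip in local.ip_user:
            return local.ip_user[ip], vsys_name
        hub = self._hub_for(vsys_name)
        if hub is not None and self.share_ip_user and ip in hub.ip_user:
            return hub.ip_user[ip], self.hub
        return None, None

    def resolve_groups(self, vsys_name: str, user: str):
        """Return (groups, vsys that provided them); a local group mapping overrides the hub's."""
        local = self.vsys[vsys_name]
        if user in local.user_groups:
            return local.user_groups[user], vsys_name
        hub = self._hub_for(vsys_name)
        if hub is not None and self.share_groups and user in hub.user_groups:
            return hub.user_groups[user], self.hub
        return set(), None


def build_demo_firewall() -> Firewall:
    """Constructed tables: vsys1 is the hub holding the consolidated sources;
    vsys2 still has one stale local mapping that disagrees with the hub and
    one Terminal Server mapping of its own."""
    hub = VsysUserId(
        "vsys1",
        ip_user={"10.0.0.5": "acme\\bob", "10.0.0.9": "acme\\carol"},
        port_user={("10.0.0.20", 40001): "acme\\dave"},
        user_groups={"acme\\carol": {"finance"}, "acme\\bob": {"it"}},
    )
    edge = VsysUserId(
        "vsys2",
        ip_user={"10.0.0.5": "acme\\alice"},            # stale entry that differs from the hub
        port_user={("10.0.0.21", 50001): "acme\\erin"},
        user_groups={"acme\\alice": {"sales"}},
    )
    return Firewall(vsys={"vsys1": hub, "vsys2": edge}, hub="vsys1")


if __name__ == "__main__":
    fw = build_demo_firewall()
    print(fw.resolve_user("vsys2", "10.0.0.5"))          # local stale entry wins over the hub
    print(fw.resolve_user("vsys2", "10.0.0.9"))          # not local, fetched from the hub
    print(fw.resolve_user("vsys2", "10.0.0.20", 40001))  # hub's TS mapping is not shared
    print(fw.resolve_groups("vsys2", "acme\\carol"))     # group mapping fetched from the hub
```

The first call is the case the Gotcha warns about: vsys2's stale mapping for 10.0.0.5 is used for policy on vsys2 even though the hub knows the address belongs to someone else, which is why duplicate sources must be removed from the other virtual systems after migration, not merely left in place.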

Configuration Steps:

  1. Assign the virtual system as a User-ID hub.
  2. Confirm User Group Mapping as the Mapping Type that you want to share, then click OK.

    You must select at least one mapping type.

[Screenshot: selecting User Group Mapping. Selecting 'User Group Mapping' when configuring the User-ID hub.]
  3. Follow the best practices to consolidate your User-ID sources on the hub and then remove the duplicate sources from the existing virtual systems.
  4. Commit your changes to enable the User-ID hub and begin collecting mappings for the consolidated sources.

    Gotcha: If the group mapping on a virtual system differs from the group mapping on the hub, the local group mapping overrides the hub's for that virtual system. Remove duplicate local group-mapping sources after migration; otherwise the hub's data is ignored for those groups on that vsys.

  5. Confirm the User-ID hub is mapping the groups by entering the following commands:
    • show user group-mapping statistics
    • show user group-mapping state all
    • show user group list
    • show user group name

Interactive Quiz: Virtual Systems and User-ID Sharing

Test your knowledge on Palo Alto Networks Virtual Systems and User-ID Sharing concepts.

1. Which of the following is a primary purpose of using Virtual Systems (vsys)?

Explanation: Virtual Systems are designed to provide independent firewall instances within a single physical device, primarily for administrative and policy segmentation. Throughput is a hardware limitation, not a vsys feature. Separate IP addresses on the same interface and HA without dedicated links are not functions of vsys.

2. Which of the following networking functions are typically configured globally on a firewall and apply to all virtual systems, rather than being configured individually per vsys?

Explanation: Routing (static, dynamic) is a global function. Security policies, NAT rules, and DoS rules are configured per vsys (though resource limits apply globally).
Relevance: Critical Point from the overview.

3. Which Palo Alto Networks firewall series does NOT support multiple virtual systems?

Explanation: The PA-220 and PA-800 series do not support multiple virtual systems. The PA-3200, PA-5200, PA-5450, and PA-7000 series do, though some require licensing.
Relevance: PCNSE/PCNSA Exam Note .

4. If you configure Virtual Systems using a Panorama template, which vsys receives configurations on a firewall that does *not* have Multi Virtual System Capability enabled?

Explanation: Firewalls without Multi Virtual System Capability enabled only accept vsys-specific configurations from a Panorama template for the default vsys. If no default is set, they accept none.

5. Where do you enable the multi-vsys functionality on a Palo Alto Networks firewall?

Explanation: Multi Virtual System Capability is enabled under Device > Setup > Management in the General Settings. Once enabled, the Device > Virtual Systems page becomes available.
Relevance: Configuration step.

6. Which tab within the vsys configuration allows you to specify resource limits like the maximum number of Security Rules or NAT Rules for that vsys?

Explanation: Resource limits for a vsys, such as sessions, security rules, NAT rules, etc., are configured on the Resource tab of the virtual system settings.

7. When configuring a Sessions Limit on a PA-5200 or PA-7000 Series firewall with multiple dataplanes, what does the configured limit represent?

Explanation: On multi-dataplane platforms like the PA-5200/PA-7000, the configured Sessions Limit for a vsys is applied per dataplane, resulting in a higher potential maximum for the vsys as a whole than the number shown in the configuration.
Relevance: PCNSE/PCNSA Exam Note .

8. What is a key benefit of configuring a virtual system as a "User-ID data hub"?

Explanation: The primary benefit of a User-ID hub is centralizing User-ID sources, so other vsys don't need to duplicate the configuration.
Relevance: Important Point in User-ID sharing.

9. If a virtual system (not the hub) needs to identify a user for policy enforcement but doesn't find the mapping locally, what does it do?

Explanation: If a vsys can't find a mapping locally, it queries the configured User-ID hub. If the hub has the mapping, it uses it.
Relevance: Critical Point in IP/User sharing.

10. If a user mapping exists both on the local virtual system and the User-ID hub, which mapping takes precedence for that virtual system?

Explanation: The firewall prioritizes local mappings. If a mapping exists locally, it will be used even if the hub has a different mapping for the same IP.

11. Which User-ID mapping type is NOT shared between the User-ID hub and connected virtual systems?

Explanation: Terminal Server agent mappings (IP+Port to user) are specific to the vsys where the agent is configured and are not shared via the hub.
Relevance: Gotcha in IP/User sharing configuration steps.

12. When sharing User-ID mappings, it is important to use the same format for the:

Explanation: Using a consistent format for the Primary Username (e.g., domain\username, username@domain) across all User-ID sources and virtual systems is recommended for reliable mapping and sharing.
Relevance: Important Point in User-ID sharing.

13. After configuring a vsys as a User-ID hub and consolidating sources, which CLI command can you use to verify IP address-to-username mappings and the vsys providing them?

Explanation: The show user ip-user-mapping all command displays the IP-to-username mappings and indicates which vsys (local or hub) provided the mapping.
Relevance: Verification step for IP/User sharing.

14. Which CLI command confirms which virtual system is currently serving as the User-ID hub?

Explanation: The show user user-id-agent statistics command provides details about User-ID agents and the configured hub vsys.
Relevance: Verification step for IP/User sharing.

15. When sharing User-ID Group Mappings, if a group mapping exists on a local virtual system AND on the User-ID hub, which mapping is used?

Explanation: Similar to IP-to-User mappings, local group mappings take precedence over group mappings provided by the hub.
Relevance: Critical Point / Gotcha in Group sharing.

16. Renaming a vsys using Panorama is:

Explanation: Renaming a vsys should only be done on the local firewall. Renaming via Panorama can result in a new vsys or incorrect mapping.
Relevance: Gotcha in the overview.

17. To include interfaces like VLANs or Virtual Wires within a specific vsys, where do you configure this association?

Explanation: You associate physical/logical interfaces (including VLANs and Vwires) with a vsys on the General tab when defining or editing the virtual system under Device > Virtual Systems.

18. Which of the following statements about vsys and zones is true?

Explanation: Zones are contained within a virtual system. Before creating zones or policies related to zones, you must first select the correct vsys context.

19. What is the default setting for resource limits (like Sessions Limit or Security Rules) on a vsys if not explicitly configured?

Explanation: The default value of 0 for a resource limit on a vsys means it inherits the total limit available for that resource on the specific firewall model. Note that this total limit is shared among all vsys, not multiplied per vsys.

20. Which CLI command is used to verify that a User-ID hub is successfully sharing group mappings?

Explanation: The show user group-mapping statistics and related show user group... commands are used to verify group mappings, including those shared via the hub.
Relevance: Verification step for Group sharing.