Virtual systems are unique and distinct next-generation firewall instances within a single Palo Alto Networks firewall. Rather than deploy many individual firewalls, security service providers and enterprises can deploy a single pair of firewalls (high availability) and enable a series of virtual firewall instances or virtual systems. Each virtual system is an independent (virtual) firewall within the device that is managed separately and cannot be accessed or viewed by any other user.
Managed services for customers, business groups, or departments.
The flexibility and efficiency of virtual systems give security service providers and enterprises attractive options for improving business efficiency: better scalability (fewer devices while serving more customers) and lower capital and operational expenditures. Two of the most common uses are managed services delivery and large enterprises whose technical requirements dictate separate firewall instances, each with its own unique firewall configuration and visibility tools.
- Multi-tenant managed services: Within a managed services environment, the cost effectiveness of a single device supporting distinct firewall instances can help improve the bottom line by allowing the provider to deliver security services to multiple customers with a single device. The breadth of functionality and the configuration flexibility would allow each customer to select from a menu of service offerings, each of which can be enabled and disabled quickly and effectively. Role-based administration would allow the service provider to enable the end customer to have access to certain functions (such as logging and reporting) while hiding or providing read-only (policy editor) access to other functions.
- Departmental services: In some large organizations, certain technical or compliance requirements may dictate that departmental traffic be protected by a unique firewall instance. On an internal network, a single firewall instance with virtual systems support is a cost-effective solution. In this scenario, each department may be assigned security services from the “menu” and then billed back for those services to demonstrate a return on investment. Just as with a managed services environment, department personnel can be allowed either read-only or full access to certain firewall functions while the device itself is managed centrally by IT.
Protecting network resources through segmentation.
Network segmentation is considered to be a network security best practice because it enables the IT department to isolate critical data and in so doing, more effectively protect that data. By creating a virtual firewall for a segment of the network that may contain critical data, organizations protect that content from unapproved access, a wide range of threats and possible data loss. Virtual systems are just one of the ways in which organizations can segment their network with Palo Alto Networks.
Granular, role-based administrative control.
Each virtual system is a self-contained, fully operational Palo Alto Networks firewall, complete with separate management interfaces, which ensures that other customers or departments will only see or modify their own policies. Within each virtual system, role-based administrative access control allows organizations to delegate feature-level administrative access (enabled, read-only, or disabled and hidden from view) to different staff members. Using role-based administration, service providers can build a menu of services to selectively enable, while enterprises can delegate access to key individuals as needed.
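The two access decisions described above (an administrator is confined to their own virtual system, and within it each feature is enabled, read-only, or hidden) can be expressed as a small authorization model. The following is an added illustration, not PAN-OS configuration or code from Palo Alto Networks; the role names, feature list and virtual system identifiers are constructed for the example.

```python
# Constructed model of per-virtual-system, feature-level role-based access control.
# Not PAN-OS code: roles, features and vsys names below are illustrative only.
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    ENABLED = "enabled"      # full read/write access to the feature
    READ_ONLY = "read-only"  # visible, but no changes allowed
    HIDDEN = "hidden"        # disabled and not shown at all


# Assumed feature set for the example (order matters for visible_features).
FEATURES = ("policy", "logs", "reports", "network")


@dataclass(frozen=True)
class Role:
    name: str
    permissions: dict  # feature -> Access; a feature not listed is HIDDEN


@dataclass(frozen=True)
class Admin:
    username: str
    role: Role
    vsys: frozenset  # virtual systems this administrator is scoped to


def feature_access(admin: Admin, feature: str) -> Access:
    """Deny by default: anything the role does not mention is hidden."""
    return admin.role.permissions.get(feature, Access.HIDDEN)


def authorize(admin: Admin, vsys: str, feature: str, action: str):
    """Return (allowed, reason) for action 'read' or 'write' on a feature of a vsys."""
    if vsys not in admin.vsys:
        # Tenant isolation comes first: other virtual systems are invisible,
        # not merely read-only, regardless of the role's feature permissions.
        return False, f"{vsys} is outside the scope of {admin.username}"
    level = feature_access(admin, feature)
    if level is Access.HIDDEN:
        return False, f"{feature} is hidden for role {admin.role.name}"
    if action == "write" and level is not Access.ENABLED:
        return False, f"{feature} is read-only for role {admin.role.name}"
    return True, "ok"


def visible_features(admin: Admin) -> list:
    """The menu an administrator actually sees: everything not hidden."""
    return [f for f in FEATURES if feature_access(admin, f) is not Access.HIDDEN]


def audit(admin: Admin, requests: list) -> list:
    """Evaluate a batch of (vsys, feature, action) requests and record each decision."""
    return [(v, f, a, *authorize(admin, v, f, a)) for v, f, a in requests]


# Constructed roles: a customer who may work with logs and reports but only
# view policy, and central IT with full control across all virtual systems.
CUSTOMER_VIEWER = Role("customer-viewer", {
    "logs": Access.ENABLED,
    "reports": Access.ENABLED,
    "policy": Access.READ_ONLY,
})
CENTRAL_IT = Role("central-it", {f: Access.ENABLED for f in FEATURES})

tenant_a = Admin("acme-admin", CUSTOMER_VIEWER, frozenset({"vsys2"}))
central_it = Admin("it-ops", CENTRAL_IT, frozenset({"vsys1", "vsys2", "vsys3"}))

if __name__ == "__main__":
    for decision in audit(tenant_a, [
        ("vsys2", "logs", "read"),      # allowed
        ("vsys2", "policy", "write"),   # denied: policy is read-only
        ("vsys2", "network", "read"),   # denied: network is hidden
        ("vsys1", "logs", "read"),      # denied: wrong virtual system
    ]):
        print(decision)
```

The scope check runs before the feature check on purpose: an administrator of one virtual system should get the same "not in scope" answer for another virtual system whether or not their role would permit the feature, so nothing about a neighbouring tenant's configuration leaks through the error path.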