Virtual systems (VSYS) divide a physical device into multiple logical virtual firewalls. Each VSYS has its own system resources, performs most of the firewall functionalities, working as a completely independent firewall. Direct communication between VSYSs is not allowed.
VSYS has the following characteristics:
The default number of supported VSYSs varies across platforms. You can expand the number by purchasing and installing a license.
This section describes VSYS objects, including root VSYS, non-root VSYS, administrator, VRouter, VSwitch, zone, and interface.
The system contains only one root VSYS, which cannot be deleted. You can create or delete non-root VSYSs after installing a VSYS license and rebooting the device. When creating or deleting non-root VSYSs, you must follow the rules listed below:
Administrators in different VSYSs are independent of each other. Administrators in the root VSYS are known as root administrators, and administrators in a non-root VSYS are known as non-root administrators. The system supports two types of administrator permission: RX (read-execute) and RXW (read-execute-write). For more information about how to configure administrator permissions, see Configuring an Admin Account.
When creating VSYS administrators, you must follow the rules listed below:
The following table shows the permissions of the different types of VSYS administrators (√ = permitted, χ = not permitted).

| Operation | Root RXW | Root RX | Non-root RXW | Non-root RX |
| --- | --- | --- | --- | --- |
| Configure (including saving configuration) | √ | χ | √ | χ |
| Restore factory default | √ | χ | χ | χ |
| Delete configuration file | √ | χ | √ | χ |
| Roll back configuration | √ | χ | √ | χ |
| Reboot | √ | χ | χ | χ |
| View configuration information | √ | √ | View info in current VSYS | View info in current VSYS |
| Modify current admin password | √ | √ | √ | √ |
| Import | √ | χ | √ | χ |
| Export | √ | √ | √ | √ |
| Clear | √ | √ | √ | √ |
| ping/traceroute | √ | √ | √ | √ |
VRouter, VSwitch, zone, and interface objects in a VSYS have one of two properties: shared or dedicated. An object with the dedicated property is a dedicated object; an object with the shared property becomes a shared object only after a specific operation is performed on it. Dedicated and shared objects have the following characteristics:
The following figure shows the reference relationship among dedicated and shared VRouter, VSwitch, zone, and interface.
As shown in the figure above, there are three VSYSs in StoneOS: Root VSYS, VSYS-A, and VSYS-B.
Root VSYS contains shared objects (including Shared VRouter, Shared VSwitch, Shared L3-zone, Shared L2-zone, Shared IF1, and Shared IF2) and dedicated objects.
VSYS-A and VSYS-B contain only dedicated objects. The dedicated objects in VSYS-A and VSYS-B can reference the shared objects in Root VSYS. For example, A-zone2 in VSYS-A is bound to the shared object Shared VRouter in Root VSYS, and B-IF3 in VSYS-B is bound to the shared object Shared L2-zone in Root VSYS.
A shared VRouter contains the shared and dedicated L3 zones of the root VSYS. After binding the L3 zone with the shared property to a shared VRouter, it becomes a shared L3 zone.
A shared VSwitch contains the shared and dedicated L2 zones of the root VSYS. After binding the L2 zone with the shared property to a shared VSwitch, it becomes a shared L2 zone.
The shared zones consist of L2 shared zones and L3 shared zones. After binding an L2 zone with the shared property to a shared VSwitch, it becomes a shared L2 zone; after binding an L3 zone with the shared property to a shared VRouter, it becomes a shared L3 zone. A shared zone can contain interfaces from both the root VSYS and non-root VSYSs. Functional zones cannot be shared.
After binding an interface in the root VSYS to a shared zone, it becomes a shared interface automatically.
Only an RXW administrator in the root VSYS can create or delete interfaces. An interface and its sub-interfaces must be configured in the same VSYS.
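The binding rules above can be checked before a VSYS design is pushed to a device. The following is an added example, not StoneOS code: it models the shared/dedicated objects of the figure and rejects bindings the page forbids. It assumes that a root-VSYS VRouter or VSwitch carrying the shared property is already a shared object, and all object names are constructed.

```python
from dataclasses import dataclass

ROOT = "root"  # the single root VSYS (constructed label)
ZONE_CONTAINERS = {"l3zone": "vrouter", "l2zone": "vswitch"}

@dataclass
class Obj:
    name: str
    kind: str                       # vrouter | vswitch | l3zone | l2zone | interface | subinterface
    vsys: str                       # owning VSYS
    shared: bool = False            # the object's property (meaningful only in the root VSYS)
    functional: bool = False        # functional zones can never become shared
    is_shared_object: bool = False  # True once the object has actually become a shared object

def bind(child: Obj, parent: Obj) -> Obj:
    """Bind child to parent, enforcing the sharing rules described on this page."""
    # Non-root VSYSs are isolated: an object may bind only inside its own VSYS
    # or to a shared object that lives in the root VSYS.
    if child.vsys != parent.vsys and not (parent.vsys == ROOT and parent.is_shared_object):
        raise ValueError(f"{child.name}: cross-VSYS binding to non-shared {parent.name}")
    # An interface and its sub-interfaces must be configured in the same VSYS.
    if child.kind == "subinterface" and (parent.kind != "interface" or child.vsys != parent.vsys):
        raise ValueError(f"{child.name}: sub-interface must stay in the VSYS of {parent.name}")
    # A shared-property L3/L2 zone of the root VSYS bound to a shared VRouter/VSwitch
    # becomes a shared zone; functional zones are never shared.
    if (ZONE_CONTAINERS.get(child.kind) == parent.kind and child.vsys == ROOT
            and child.shared and parent.is_shared_object):
        if child.functional:
            raise ValueError(f"{child.name}: functional zones cannot be shared")
        child.is_shared_object = True
    # A root-VSYS interface bound to a shared zone becomes a shared interface automatically.
    if (child.kind == "interface" and parent.kind in ZONE_CONTAINERS
            and child.vsys == ROOT and parent.is_shared_object):
        child.is_shared_object = True
    return child

def rejected(child: Obj, parent: Obj) -> bool:
    """True if bind() refuses the pair (handy when auditing a planned design)."""
    try:
        bind(child, parent)
        return False
    except ValueError:
        return True

def build_figure_topology() -> dict:
    """Rebuild the page's three-VSYS example; returns the objects keyed by name."""
    # Assumption: shared-property VRouter/VSwitch in the root VSYS are shared objects.
    shared_vr = Obj("Shared VRouter", "vrouter", ROOT, shared=True, is_shared_object=True)
    shared_vsw = Obj("Shared VSwitch", "vswitch", ROOT, shared=True, is_shared_object=True)
    shared_l3 = bind(Obj("Shared L3-zone", "l3zone", ROOT, shared=True), shared_vr)
    shared_l2 = bind(Obj("Shared L2-zone", "l2zone", ROOT, shared=True), shared_vsw)
    shared_if1 = bind(Obj("Shared IF1", "interface", ROOT), shared_l3)
    a_zone2 = bind(Obj("A-zone2", "l3zone", "VSYS-A"), shared_vr)   # non-root zone -> shared VRouter
    b_if3 = bind(Obj("B-IF3", "interface", "VSYS-B"), shared_l2)    # non-root interface -> shared L2 zone
    return {o.name: o for o in (shared_vr, shared_vsw, shared_l3, shared_l2, shared_if1, a_zone2, b_if3)}
```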