Virtual systems allow you to divide a NetScreen firewall into multiple logical firewalls (administrative domains), each with its own zones, policies, address book and admins.
Each VSYS (Virtual System) works with three kinds of components. By default they are private to the system that owns them; the root system can also mark them as shared, after which they are available to every virtual system as well as to root. The components are:
- Virtual Routers
- Zones
- Network Interfaces (dedicated to one VSYS, or shared)
How Virtual Systems work
There are 3 ways in which the firewall determines which VSYS traffic entering the device belongs to: by the traffic being destined for the virtual system itself (for example a VIP or MIP configured in that VSYS), by VLAN tagging (an 802.1Q-tagged subinterface dedicated to the VSYS), or by IP traffic classification on a shared interface.
IP traffic classification allows you to configure which IP addresses in a shared zone belong to which VSYS, so that traffic for those addresses is handed to the right virtual system.
Creating a VSYS
The commands below create a virtual system and a vsys admin account. A vsys admin can only manage its own virtual system; it cannot see or change the root configuration or other virtual systems.
Netscreen -> set vsys Fir3net
Netscreen (Fir3net ) -> set admin name Jackson
Netscreen (Fir3net ) -> set admin password Singer
Netscreen (Fir3net ) -> save
Netscreen (Fir3net ) -> exit
Netscreen ->
Network Interfaces
Physical Interfaces
A physical interface is imported into a VSYS from the root system. Once imported, the VSYS gets exclusive use of the interface; root and the other virtual systems can no longer use it.
Netscreen -> set vsys Fir3net
Netscreen (Fir3net ) -> set interface eth3/1 import
Netscreen (Fir3net ) -> set interface eth3/1 zone Trust-Fir3net
Netscreen (Fir3net ) -> set interface eth3/1 ip 10.1.1.10/24
Netscreen (Fir3net ) -> save
Netscreen (Fir3net ) -> exit
Netscreen ->
Subinterfaces
Subinterfaces are logical interfaces bound to a physical interface and identified by an 802.1Q VLAN tag, so using subinterfaces also requires VLANs on the connected switch. The tag is what maps a frame to its VSYS.
To configure a subinterface:
Netscreen -> set vsys Fir3net
Netscreen (Fir3net ) -> set interface eth3/1.1 tag 4 zone Trust-Fir3net
Netscreen (Fir3net ) -> set interface eth3/1.1 ip 10.1.1.10/24
Netscreen (Fir3net ) -> save
Netscreen (Fir3net ) -> exit
Netscreen ->
Shared Interface
In order to use a shared interface you require a shared zone. Shared zones and shared virtual routers belong to the root system (a zone created inside a VSYS is private to that VSYS), and a shared zone must be bound to a shared virtual router such as trust-vr. Once an interface in root is bound to the shared zone, that interface is shared with all the virtual systems.
Netscreen -> set zone name Fir3net-DMZ
Netscreen -> set zone Fir3net-DMZ shared
Netscreen -> set interface eth3/1 zone Fir3net-DMZ
Netscreen -> set interface eth3/1 ip 10.1.1.10/24
Netscreen -> save
Traffic Classification
This also uses the shared zone you configured above: IP classification is enabled on the zone, and address ranges within it are mapped to a VSYS so the firewall knows which virtual system traffic for those addresses belongs to. Because every VSYS shares the same zone, the ranges you assign must not overlap between virtual systems, otherwise classification is ambiguous.
Netscreen -> set zone Fir3net-DMZ ip-classification
Netscreen -> set zone Fir3net-DMZ ip-classification range 1.1.1.1-1.1.1.50 vsys Fir3net
Netscreen -> save
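Before committing a set of classification ranges it is worth checking them for the overlap problem described above. The script below is an added example and is not from the original page or from ScreenOS itself: it parses `set zone ... ip-classification range ...` lines (and, as an assumption, the `net ip/mask` form of the same command), flags ranges in the same zone that intersect but point at different virtual systems, and resolves which VSYS a given address would be handed to. The configuration text and the vsys names Customer2 and Customer3 are constructed for the example.

```python
import ipaddress
import re

# Constructed sample ScreenOS lines (not taken from a real device). The third
# mapping deliberately overlaps the first so the checker has something to flag.
SAMPLE_CONFIG = """
set zone Fir3net-DMZ ip-classification
set zone Fir3net-DMZ ip-classification range 1.1.1.1-1.1.1.50 vsys Fir3net
set zone Fir3net-DMZ ip-classification net 1.1.2.0/24 vsys Customer2
set zone Fir3net-DMZ ip-classification range 1.1.1.40-1.1.1.60 vsys Customer3
"""

# "range a-b vsys X" is the form used on this page; "net ip/mask vsys X" is assumed.
RANGE_RE = re.compile(r"^set zone (\S+) ip-classification range (\S+)-(\S+) vsys (\S+)$")
NET_RE = re.compile(r"^set zone (\S+) ip-classification net (\S+) vsys (\S+)$")


def parse_classification(config_text):
    """Return a list of (zone, vsys, first, last) with addresses as integers.

    Lines that only enable classification on the zone carry no mapping and are skipped.
    """
    entries = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = RANGE_RE.match(line)
        if m:
            zone, lo, hi, vsys = m.groups()
            first = int(ipaddress.IPv4Address(lo))
            last = int(ipaddress.IPv4Address(hi))
            if first > last:
                raise ValueError(f"reversed range in: {line}")
            entries.append((zone, vsys, first, last))
            continue
        m = NET_RE.match(line)
        if m:
            zone, net, vsys = m.groups()
            network = ipaddress.IPv4Network(net, strict=False)
            entries.append((zone, vsys, int(network[0]), int(network[-1])))
    return entries


def find_overlaps(entries):
    """Pairs of vsys names whose ranges intersect inside the same shared zone."""
    overlaps = []
    for i in range(len(entries)):
        for j in range(i + 1, len(entries)):
            a, b = entries[i], entries[j]
            if a[0] != b[0] or a[1] == b[1]:
                continue  # different zone, or two ranges of the same vsys
            if a[2] <= b[3] and b[2] <= a[3]:  # closed intervals intersect
                overlaps.append((a[1], b[1]))
    return overlaps


def classify(entries, zone, ip):
    """Name of the vsys an address in the shared zone maps to, or None if unmapped.

    Raises ValueError when the address falls into ranges of more than one vsys,
    which is exactly the misconfiguration find_overlaps() reports.
    """
    n = int(ipaddress.IPv4Address(ip))
    hits = {vsys for z, vsys, first, last in entries if z == zone and first <= n <= last}
    if len(hits) > 1:
        raise ValueError(f"{ip} in zone {zone} matches several vsys: {sorted(hits)}")
    return hits.pop() if hits else None


if __name__ == "__main__":
    entries = parse_classification(SAMPLE_CONFIG)
    for pair in find_overlaps(entries):
        print("overlapping classification ranges:", pair)
    print("1.1.1.20 ->", classify(entries, "Fir3net-DMZ", "1.1.1.20"))
```

Run it against the output of `get config` filtered for `ip-classification` lines; an empty result from `find_overlaps` means every address in the shared zone maps to at most one VSYS.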
Virtual System Profiles
This allows you to limit the resources that each VSYS can use (for example its CPU weight and the number of sessions or policies it may create), so that one virtual system cannot starve the others. Create a profile, set its limits, then bind it to the VSYS:
Netscreen -> set vsys-profile name Fir3net-Profile cpu-weight 30
Netscreen -> set vsys-profile Fir3net-Profile [option]
Netscreen -> set vsys Fir3net vsys-profile Fir3net-Profile
Netscreen -> save