Netscreen – Virtual Systems / VSYS

Virtual systems allow you to divide your Netscreen firewall into multiple logical firewalls (domains).
Each VSYS (Virtual System) has 3 components which can be shared. Once shared they are available to other systems, virtual systems or root. The components are:

  • Virtual Routers
  • Zones
  • Network Interfaces (Shared)

How Virtual Systems work

There are 3 ways in which the Firewall will determine where to send traffic entering the firewall go. Either by traffic destined for the Virtual System itself (such as VIP, MIP`s etc), by using VLAN tagging or via IP traffic classification.
IP traffic Classification allows you to configure which traffic should be sent to which VSYS.

Creating a VSYS

Below shows you the commands required to create a Virtual System,

Netscreen -> set vsys Fir3net
Netscreen (Fir3net ) -> set admin name Jackson
Netscreen (Fir3net ) -> set admin password Singer
Netscreen (Fir3net ) -> save
Netscreen (Fir3net ) -> exit
Netscreen ->

Networks Interfaces

Physical Interfaces
Once you assign a physical interface to a VSYS, the VSYS gets exclusive use of the interface.

Netscreen -> set vsys Fir3net
Netscreen (Fir3net ) -> set interface eth3/1 import
Netscreen (Fir3net ) -> set interface eth3/1 zone Trust-Fir3net
Netscreen (Fir3net ) -> set interface eth3/1 ip 10.1.1.10/24
Netscreen (Fir3net ) -> save
Netscreen (Fir3net ) -> exit
Netscreen ->

Subinterfaces
Subintefaces are virtual interfaced that are bound to a physical interface. When using subinterfaces you will also require VLANS.
To configure a subinterace

Netscreen -> set vsys Fir3net
Netscreen (Fir3net ) -> set interface eth3/1.1 zone Trust-Fir3net
Netscreen (Fir3net ) -> set interface eth3/1.1 ip 10.1.1.10/24 tag 4
Netscreen (Fir3net ) -> save
Netscreen (Fir3net ) -> exit
Netscreen ->

Shared Interface
In order to use a shared interface you require a shared zone. Once the shared zone is assigned to the interface the interface will shared to all the virtual systems.

Netscreen -> set vsys Fir3net
Netscreen (Fir3net ) -> set zone name Fir3net-DMZ
Netscreen (Fir3net ) -> set zone Fir3net-DMZ shared
Netscreen (Fir3net ) -> set interface eth3/1 zone Fir3net-DMZ
Netscreen (Fir3net ) -> set interface eth3/1 ip 10.1.1.10/24
Netscreen (Fir3net ) -> save
Netscreen (Fir3net ) -> exit
Netscreen ->

Traffic Classification
This also uses Shared Zones, of which you configured to determine which traffic will be sent to which VSYS,

Netscreen  -> set zone Fir3net-DMZ ip-classfication range 1.1.1.1-1.1.1.50 vsys Fir3net
Netscreen -> zone Fir3net-DMZ ip-classfication
Netscreen  -> save

Virtual System Profiles

This allows you to limit the resources that each VSYS can use. This can be set via the command,

Netscreen -> set vsys-profile name Fir3net-Profile cpu-weight 30
Netscreen -> set vsys-profile Fir3net-Profile [option]
Netscreen -> save

Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial