Palo Alto Cheat Sheet – VSYS

Find out if the firewall is in multi-vsys mode

admin@PA> show system info | match vsys 
multi-vsys: on 

View a list of virtual systems configured on the firewall

admin@PA> set system setting target-vsys ? 
none     none 
vsys1    vsys1 
vsys2    vsys2 
  

Switch to a particular vsys so that you can issue commands and view data specific to that vsys

admin@PA> set system setting target-vsys <vsys-name>

For example, use the following command to switch to vsys2; note that the vsys name is case sensitive:

> set system setting target-vsys vsys2 
Session target vsys changed to vsys2 
admin@PA-vsys2> 

Notice that the command prompt now shows the name of the vsys you are administering.

View the maximum number of sessions allowed, in use, and throttled

admin@PA> show session meter

Example output:

VSYS  Maximum  Current  Throttled
1     10       30       1587

Maximum is the maximum number of sessions allowed per dataplane. Current is the number of sessions being used by the virtual system. Throttled is the number of sessions denied for the virtual system because the sessions exceeded the Maximum number multiplied by the number of dataplanes in the system.

As shown in this example, on a PA-5200 Series or PA-7000 Series firewall, the Current number of sessions being used can be greater than the Maximum configured for Sessions Limit (Device > Virtual Systems > Resource) because there are multiple dataplanes per virtual system. The Sessions Limit you configure on a PA-5200 or PA-7000 Series firewall is per dataplane, and will result in a higher maximum per virtual system.
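The per-dataplane arithmetic described above can be checked automatically against captured CLI output. The following is an added example, not part of the Palo Alto documentation: it parses the `show session meter` table shown on this page and compares Current against Maximum multiplied by the dataplane count. The function names and the dataplane count of 3 are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Output as shown on this page for `show session meter`.
SAMPLE_OUTPUT = """\
VSYS  Maximum  Current  Throttled
1      10       30      1587
"""

@dataclass
class VsysMeter:
    vsys: int
    maximum: int    # Sessions Limit, per dataplane
    current: int    # sessions in use by the virtual system
    throttled: int  # sessions denied for the virtual system

# A data row is four whitespace-separated integers; the header never matches.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_session_meter(text):
    """Return one VsysMeter per data row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(VsysMeter(*map(int, m.groups())))
    return rows

def assess(meter, dataplanes):
    """Compare usage with the effective ceiling (Maximum x dataplanes)."""
    ceiling = meter.maximum * dataplanes
    return {
        "vsys": meter.vsys,
        "ceiling": ceiling,
        # Guard against division by zero when the reported limit is 0.
        "utilisation": meter.current / ceiling if ceiling else None,
        "at_limit": ceiling > 0 and meter.current >= ceiling,
        "throttling_seen": meter.throttled > 0,
    }

if __name__ == "__main__":
    for meter in parse_session_meter(SAMPLE_OUTPUT):
        # dataplanes=3 is an assumed value; use the count for your platform.
        print(assess(meter, dataplanes=3))
```

With one dataplane the sample row shows utilisation of 3.0, which is the case the paragraph above explains: Current above the configured Maximum is expected on multi-dataplane platforms and is not by itself a fault.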

View the User-ID mappings in the vsys

admin@PA-vsys2> show user ip-user-mapping all

Return to configuring the firewall globally

admin@PA-vsys2> set system setting target-vsys none

Source:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-vsys.html
