VSYS (Virtual System)

This feature may vary slightly on different platforms. If there is a conflict between this guide and the actual page, the latter shall prevail.

VSYS (Virtual System) logically divides the physical firewall into several virtual firewalls. Each virtual firewall can work independently as a physical device with its own system resources, and it provides most firewall features. Each VSYS is separated from the other VSYSs, and by default, they cannot directly communicate with each other.

VSYS has the following characteristics:

  • Each VSYS has its own administrator;
  • Each VSYS has its own virtual router, zone, address book and service book;
  • Each VSYS can have its own physical or logical interfaces;
  • Each VSYS has its own security policies.

The maximum number of VSYSs is determined by the platform capacity and license. You can raise this maximum by purchasing additional licenses.

VSYS Objects

This section describes VSYS objects, including root VSYS, non-root VSYS, administrator, VRouter, VSwitch, zone, and interface.

Root VSYS and Non-root VSYS

The system contains only one root VSYS, which cannot be deleted. You can create or delete non-root VSYSs after installing a VSYS license and rebooting the device. When creating or deleting non-root VSYSs, you must follow the rules listed below:

  • When creating or deleting non-root VSYSs through CLI, you must be under the root VSYS configuration mode.
  • Only the root VSYS administrators and root VSYS operators can create or delete non-root VSYSs. For more information about administrator permissions, see Device Management.
  • When creating a non-root VSYS, the following corresponding objects will be created simultaneously:
    • A non-root VSYS administrator named admin. The password is vsys_name-admin.
    • A VRouter named vsys_name-vr.
    • An L3 zone named vsys_name-trust.
  • For example, when creating the non-root VSYS named vsys1, the following objects will be created:
    • The RXW administrator named admin with the password vsys1-admin.
    • The default VRouter named vsys1-vr.
    • The L3 zone named vsys1-trust, which is bound to vsys1-vr automatically.
  • When deleting a non-root VSYS, all the objects and logs in the VSYS will be deleted simultaneously.
  • The root VSYS contains a default VSwitch named VSwitch1, but there is no default VSwitch in a newly created non-root VSYS. Therefore, before creating L2 zones in a non-root VSYS, a VSwitch must be created. The first VSwitch created in a non-root VSYS will be considered the default VSwitch, and any L2 zone created in the non-root VSYS will be bound to the default VSwitch automatically.

VRouter, VSwitch, Zone and Interface

VRouter, VSwitch, zone, and interface objects in a VSYS have one of two properties: shared or dedicated. Objects with the dedicated property are dedicated objects, while performing specific operations on an object with the shared property makes it a shared object. Dedicated and shared objects have the following characteristics:

  • Dedicated object: A dedicated object belongs to a certain VSYS, and cannot be referenced by other VSYSs. Both root VSYS and non-root VSYS can contain dedicated objects.
  • Shared object: A shared object can be shared by multiple VSYSs. A shared object can only belong to the root VSYS and can only be configured in the root VSYS. A non-root VSYS can reference a shared object, but cannot configure it. The name of a shared object must be unique in the whole system.

Only the administrator has the authority to create or delete interfaces. To delete an interface and its sub-interfaces, you must do so under the same VSYS.

Creating Non-root VSYS

To create a new non-root VSYS, take the following steps:

  1. Select System > VSYS > VSYS.
  2. Click New to add a non-root VSYS.
  3. Click OK to save configuration. The new VSYS will be seen in the VSYS list.

Configuring Dedicated and Shared Objects for Non-root VSYS

To configure a VSYS shared object, take the following steps:

  1. Select System > VSYS > VSYS.
  2. Click Share Resource.
  3. Click Close to exit.

Configuring VSYS Quota

VSYSs work independently in function but share system resources, including concurrent sessions, zone number, policy rule number, SNAT rule number, DNAT rule number, session limit rule number, memory buffer, URL resources and IPS resources. You can specify the reserved quota and maximum quota for each type of system resource in a VSYS by creating a VSYS profile. Reserved quota refers to the resource number reserved for the VSYS; maximum quota refers to the maximum resource number available to the VSYS. The root administrator has the permission to create VSYS quotas. The total for each resource of all VSYSs cannot exceed the system capacity.

To define a quota for VSYS, take the following steps:

  1. Select System > VSYS > Quota.
  2. Click New.
  3. Click OK to save settings. The new VSYS quota will be shown in the list.


  • Up to 128 VSYS quotas are supported.
  • The default VSYS profile of the root VSYS named root-vsys-profile and the default VSYS profile of non-root VSYS named default-vsys-profile cannot be edited or deleted.
  • Before deleting a VSYS profile, you must delete all the VSYSs referencing the VSYS profile.
  • The maximum quota varies from one platform to another. The reserved quota cannot exceed maximum quota.
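
The quota rules above can be checked against a planned set of profiles before anything is entered in the UI. The following Python sketch is an added example, not part of the product or its documentation. The resource names, profile names (gold, silver) and numbers are constructed, and it assumes that "total" in the capacity rule means the sum of reserved quotas across all VSYSs.

```python
from dataclasses import dataclass

MAX_PROFILES = 128  # page: "Up to 128 VSYS quotas are supported"
BUILTIN = {"root-vsys-profile", "default-vsys-profile"}  # cannot be edited or deleted

@dataclass(frozen=True)
class Quota:
    reserved: int
    maximum: int

def validate_plan(capacity, profiles, assignments):
    """Return rule violations for a planned set of VSYS quota profiles.

    capacity:    {resource: system capacity}
    profiles:    {profile name: {resource: Quota}}
    assignments: {VSYS name: profile name}
    """
    problems = []
    if len(profiles) > MAX_PROFILES:
        problems.append(f"{len(profiles)} profiles exceed the limit of {MAX_PROFILES}")
    for name, quotas in sorted(profiles.items()):
        for res, q in sorted(quotas.items()):
            if q.reserved > q.maximum:
                problems.append(f"{name}/{res}: reserved {q.reserved} > maximum {q.maximum}")
    for vsys, prof in sorted(assignments.items()):
        if prof not in profiles:
            problems.append(f"{vsys}: unknown profile {prof}")
    # Assumption: "total" means the sum of reserved quotas over all VSYSs.
    for res, cap in sorted(capacity.items()):
        total = sum(profiles[p][res].reserved for p in assignments.values()
                    if p in profiles and res in profiles[p])
        if total > cap:
            problems.append(f"{res}: total reserved {total} > capacity {cap}")
    return problems

def deletion_blockers(profile, assignments):
    """Reasons a profile cannot be deleted yet (an empty list means it can be)."""
    if profile in BUILTIN:
        return [f"{profile} is a built-in profile"]
    return [f"still referenced by {v}" for v, p in sorted(assignments.items()) if p == profile]

# Constructed sample plan; resource names and numbers are illustrative only.
CAPACITY = {"sessions": 1_000_000, "policy_rules": 10_000}
PROFILES = {
    "gold": {"sessions": Quota(400_000, 800_000), "policy_rules": Quota(4_000, 6_000)},
    "silver": {"sessions": Quota(300_000, 200_000), "policy_rules": Quota(2_000, 3_000)},
}
ASSIGNMENTS = {"vsys1": "gold", "vsys2": "gold", "vsys3": "silver"}

if __name__ == "__main__":
    for line in validate_plan(CAPACITY, PROFILES, ASSIGNMENTS):
        print(line)
```
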

Entering the Non-root VSYS

To enter a non-root VSYS, you can use the management IP of the non-root VSYS directly or enter from the root VSYS (only the root VSYS admin has this privilege).

Using Management IP

After typing the management IP of the non-root VSYS in a browser, type the username and password on the login page. For example, if the management IP of the root VSYS is 10.90.89.1, typing the username (hillstone) and password (hillstone) enters the root VSYS. After creating the non-root VSYS (vsys1), type the management IP 10.90.89.1, then type the non-root administrator username (vsys1\admin) and password (vsys1-admin) to enter the non-root VSYS directly. For detailed information about administrator configuration, see Device Management.

If you use the above method to enter the non-root VSYS, you cannot return to the root VSYS. You need to exit from the non-root VSYS, and then type the management IP in the browser for the root VSYS.

Entering from the Root VSYS

The root VSYS administrator can enter the non-root VSYS from root VSYS. The administrator in the root VSYS can configure the functions of the non-root VSYS after entering it. To enter a non-root VSYS, take the following steps:

  1. Select System > VSYS > VSYS to enter the VSYS page.
  2. In the VSYS list, click the name of the non-root VSYS to enter it.
  3. To return to the root VSYS, click in the top-right corner of the page, and click Return root Vsys in the pop-up dialog box.