The FW supports four types of communication scenarios, namely, communication between a virtual system and the root system, communication between two virtual systems directly, communication between two virtual systems across a root system, and communication between two virtual systems across a shared virtual system. Understanding the basic scenarios helps you better understand the basic mechanisms of virtual system communications and correctly configure them.
By role, virtual system communications can be classified into communication between a virtual system and the root system and communication between two virtual systems.
Communication between a virtual system and the root system
You can configure the relevant policies and routes on a virtual system and the root system so that they can communicate with each other, as shown in Figure 1. In this mode, packets are processed through the firewall forwarding process on both the virtual system and the root system. This mode applies to the scenario where intranet users attached to a virtual system access the Internet through the public network interface of the root system. For the mechanism of communication between a virtual system and the root system, see Communication Between a Virtual System and the Public System.
Communication between two virtual systems
In normal mode
You can configure the relevant policies and routes between two virtual systems so that they can communicate with each other, as shown in Figure 2. In this mode, a packet can go through at most two forwarding processes and is discarded if it traverses more than two virtual systems. This mode usually applies to communication between the intranets of two virtual systems. As shown in Figure 2, the client on tenant network A can directly access the server on tenant network B. For the mechanism of communication between two virtual systems in normal mode, see Communication Between Virtual Systems Directly.
In addition, normal mode also supports communication between two virtual systems with the root system in between for routing, as shown in Figure 3. The packet still goes through only two forwarding processes: when it passes through the root system, it is routed but does not go through a forwarding process there. This mode requires you to separately configure the policy and route between each virtual system and the root system.
In extended mode
The device introduces the concept of a shared virtual system (Shared-vsys). A shared virtual system in extended mode is created on the FW for routing, and it enables communication between two virtual systems across the Shared-vsys. As shown in Figure 4, packets between vsysa and vsysb are forwarded across the Shared-vsys. Because the FW is set to extended mode, packets from vsysa are forwarded across the Shared-vsys to vsysb without being discarded: in extended mode a packet can go through the forwarding process a maximum of three times. In addition, the Shared-vsys can connect to an external LAN or cloud to form a "headquarters-branch" or "cloud service provider-tenant" relationship with networks A and B. Packets between networks A and B are forwarded on the network or cloud to which they belong, isolating them from the extranet. For the mechanism of communication between two virtual systems across a shared virtual system in extended mode, see Communication Between Two Virtual Systems Across a Shared Virtual System (Shared-vsys).
In extended mode, if the root system is chosen as the Shared-vsys, the packet does not go through a forwarding process in the root system. This is the same behavior as communication between two virtual systems with the root system in between for routing in normal mode.
In addition, a virtual system may communicate with the root system across another virtual system, as shown in Figure 5. If the communication mode of the virtual system is normal mode, a packet can go through the forwarding process a maximum of two times and is discarded once it passes through the second virtual system, vsysb. Therefore, communication between a virtual system and the root system across another virtual system fails in normal mode. If the communication mode is extended mode, a packet can go through the forwarding process a maximum of three times. Therefore, the packet can be forwarded by vsysb to the root system, where it goes through the forwarding process once.
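The forwarding-process limits described above (at most two passes in normal mode, at most three in extended mode, with the root system not counted when it only routes between two virtual systems) decide whether each of the five figures works. The following is an added example, not code from the product documentation or from the vendor, that models those rules as a small path checker so the scenarios can be compared side by side. The virtual system names (vsysa, vsysb, shared-vsys, root), the path lists and the mode table are assumptions constructed for the example; the checker reflects the page's description, not the device's actual implementation.

```python
"""Model of the virtual-system forwarding-process limit (constructed example)."""

ROOT = "root"

# Maximum number of firewall forwarding processes a packet may go through,
# per communication mode (values taken from the page's description).
MAX_FORWARDING = {"normal": 2, "extended": 3}


def forwarding_passes(path):
    """Count how many forwarding processes a packet goes through along `path`.

    Each virtual system on the path (including a Shared-vsys) counts once.
    The root system counts only when it is the source or destination; as a
    transit hop between two virtual systems it only routes the packet and
    does not run the forwarding process.
    """
    if not path:
        raise ValueError("path must contain at least one system")
    last = len(path) - 1
    passes = 0
    for index, system in enumerate(path):
        if system == ROOT and 0 < index < last:
            continue  # root as pure transit: routing only, no forwarding process
        passes += 1
    return passes


def is_forwarded(path, mode):
    """Return True if the packet survives the path under the given mode."""
    if mode not in MAX_FORWARDING:
        raise ValueError(f"unknown mode {mode!r}")
    return forwarding_passes(path) <= MAX_FORWARDING[mode]


# Constructed paths corresponding to the scenarios discussed on the page.
SCENARIOS = {
    "Figure 1: vsysa <-> root": ["vsysa", ROOT],
    "Figure 2: vsysa <-> vsysb directly": ["vsysa", "vsysb"],
    "Figure 3: vsysa <-> vsysb across root": ["vsysa", ROOT, "vsysb"],
    "Figure 4: vsysa <-> vsysb across Shared-vsys": ["vsysa", "shared-vsys", "vsysb"],
    "Figure 5: vsysa -> root across vsysb": ["vsysa", "vsysb", ROOT],
}


def evaluate(mode):
    """Map each scenario to (forwarding passes, forwarded?) for one mode."""
    return {
        name: (forwarding_passes(path), is_forwarded(path, mode))
        for name, path in SCENARIOS.items()
    }


if __name__ == "__main__":
    for mode in MAX_FORWARDING:
        print(f"--- {mode} mode (limit {MAX_FORWARDING[mode]}) ---")
        for name, (passes, ok) in evaluate(mode).items():
            verdict = "forwarded" if ok else "discarded"
            print(f"{name}: {passes} forwarding pass(es) -> {verdict}")
```

Running the script shows why Figure 3 works in normal mode (two passes, since the root system only routes) while Figure 4 and Figure 5 need extended mode (three passes each), and why choosing the root system as the Shared-vsys behaves like Figure 3 rather than Figure 4. The same checker is a useful sanity test when designing a multi-tenant layout: a policy that looks correct hop by hop still fails if the end-to-end path exceeds the pass limit for the configured mode.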