Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
8.0.107

Resource Assignment

Update time: 2026-02-05

Properly assigning resources to VSYSs prevents a single VSYS from occupying excessive resources, which would leave other VSYSs unable to obtain resources or run their services properly.

Basic resources required for running VSYS services, such as zones, policies, and sessions, support either quota assignment or manual assignment.

Quota assignment: This assignment method automatically assigns fixed resources (such as zones, objects, and administrators) based on the system specifications.

Manual assignment: This assignment method allows you to manually assign resources (such as sessions and policies) through the command line or Web UI.

The resources that do not support quota assignment or manual assignment are shared by all VSYSs, and the VSYSs preempt the resources.

The following table describes the resources that support quota assignment and manual assignment.

| Resource | Assignment Method | Description |
|---|---|---|
| Interfaces | Manual assignment | 1. Layer 3 Ethernet interfaces, Layer 3 Ethernet subinterfaces, Layer 3 aggregate subinterfaces, and virtual interfaces can be assigned to VSYSs. 2. Layer 2 interfaces cannot be directly assigned to VSYSs. When you run the assign vlan command to assign a VLAN to a VSYS, the corresponding Layer 2 interface will be assigned to the VSYS along with the VLAN. A Layer 2 trunk interface can be assigned to multiple VSYSs along with the VLAN and configured in each VSYS, for example, added to the security zone. 3. When you run the assign vlan command to assign a VLAN to a VSYS, the corresponding Layer 3 VLAN interface (if any) will be assigned to the VSYS along with the VLAN. You can also directly assign a Layer 3 interface to a VSYS. 4. The eth0 management interface cannot be assigned to VSYSs. |
| VLANs | Manual assignment | When you assign a VLAN to a VSYS, the corresponding Layer 3 VLAN interface will be assigned to the VSYS along with the VLAN. |
| IPv4 Sessions | Manual assignment | |
| IPv6 Sessions | Manual assignment | |
| Application Control Policies | Manual assignment | |
| NAT44 Policies | Manual assignment | |
| NAT66 Policies | Manual assignment | |
| NAT64 Policies | Manual assignment | |
| Local Access Control | Quota assignment | Default: 2; maximum: 32 |
| Network Objects | Quota assignment | 50-2048, depending on the device model. |
| Services | Quota assignment | Predefined services: 73; custom services: 512 |
| Schedules | Quota assignment | 64 |
| Zones | Quota assignment | 30 |
| Static Routes | Quota assignment | 512-2048, depending on the device model. |
| Policy-Based Routes | Quota assignment | 256-2048, depending on the device model. |
| Administrators | Quota assignment | Public system: 30; VSYS: 5 (No administrator is configured by default.) |

Table 24: Resource Assignment Table

When an administrator manually assigns resources to a VSYS, the administrator configures a resource class, specifies the guaranteed and maximum values for each resource in the resource class, and binds the resource class to the VSYS. The number of resources available for the VSYS is controlled by the guaranteed and maximum values configured in the resource class.

The guaranteed value indicates the minimum number of resources available for the VSYS. After these resources are assigned to the VSYS, they are used exclusively by the VSYS.

1. IPv4 and IPv6 sessions of Athena NGFW are shared resources. For example, if the number of system sessions available is N, the number of IPv4 sessions available is N, and that of IPv6 sessions available is N/2.

2. When the number of available (used + guaranteed) sessions is greater than the guaranteed value, the guaranteed value takes effect; otherwise, the guaranteed value does not take effect, and a session will be preferentially preserved when it is released.

3. Guaranteed value of policy usage = Maximum value = Maximum number of policies available.

The maximum value indicates the maximum number of resources available for the VSYS. Whether the resource usage of a VSYS can reach the maximum value depends on the resource usage of other VSYSs.

For example, 10 VSYSs are configured on Athena NGFW. Assume that the total number of sessions available on Athena NGFW is 500,000, the guaranteed value of session usage for VSYS A is 10,000, and the maximum value of session usage for VSYS A is 50,000. In this case, at least 10,000 sessions can be established in VSYS A, but whether the number of sessions in VSYS A can reach 50,000 depends on the session usage in other VSYSs. If the total number of sessions in the other nine VSYSs and the public system is less than 450,000, you can establish up to 50,000 sessions in VSYS A.

If no resource class is bound to a VSYS, resources of the VSYS are not limited, and such VSYSs and the public system preempt the shared resources available. If the resource class bound to a VSYS does not specify the maximum or guaranteed value for some resources, these resources are not limited, and such VSYSs and the public system preempt the shared resources available.
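The guaranteed and maximum values described above, as an added Python model that is not the product's implementation: it shows how a guarantee protects VSYS A from session exhaustion by unbound neighbours, using the numbers from the example on this page. The SessionPool class, the function names, and the admission rule (unused guarantees are held back from everyone else) are assumptions made for illustration.

```python
# Simplified model of guaranteed/maximum session quotas (added example,
# not vendor code). Class names and the admission rule are assumptions.

class SessionPool:
    def __init__(self, total):
        self.total = total
        self.used = {}      # VSYS name -> sessions currently open
        self.classes = {}   # VSYS name -> (guaranteed, maximum)

    def bind(self, vsys, guaranteed=0, maximum=None):
        """Bind a resource class; maximum=None means 'not limited'."""
        if maximum is not None and guaranteed > maximum:
            raise ValueError("guaranteed value exceeds maximum value")
        reserved = sum(g for v, (g, _) in self.classes.items() if v != vsys)
        if reserved + guaranteed > self.total:
            raise ValueError("guarantees exceed system capacity")
        self.classes[vsys] = (guaranteed, maximum)

    def _reserved_for_others(self, vsys):
        # The unused part of every other VSYS's guarantee is held back for it.
        return sum(max(0, g - self.used.get(v, 0))
                   for v, (g, _) in self.classes.items() if v != vsys)

    def open(self, vsys, requested):
        """Admit up to `requested` sessions; return how many were admitted."""
        mine = self.used.get(vsys, 0)
        free = self.total - sum(self.used.values())
        headroom = free - self._reserved_for_others(vsys)
        _, maximum = self.classes.get(vsys, (0, None))
        if maximum is not None:
            headroom = min(headroom, maximum - mine)
        admitted = max(0, min(requested, headroom))
        self.used[vsys] = mine + admitted
        return admitted


def page_example(other_load):
    """Sessions VSYS A reaches when everything else requests `other_load`."""
    pool = SessionPool(500_000)
    pool.bind("vsys-a", guaranteed=10_000, maximum=50_000)
    pool.open("others", other_load)   # nine other VSYSs + public system, unbound
    pool.open("vsys-a", 60_000)       # A asks for more than its maximum
    return pool.used["vsys-a"]
```

With the other VSYSs and the public system holding 449,000 sessions, VSYS A reaches its maximum of 50,000; when they try to take all 500,000, they are admitted only 490,000 and VSYS A still gets its guaranteed 10,000.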

Shared resources include CPUs, memory, link detection, OSPF, and tables, such as ARP tables and MAC address tables.