Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Virtual Routers Overview


A security device can divide its routing component into two or more virtual routers. A virtual router supports static routing, dynamic routing protocols, and multicast protocols, which you can enable simultaneously in one virtual router. A security device can contain the following types of virtual routers (VRs):

  • Predefined Virtual Routers—Each security device contains two predefined virtual routers:

    • trust-vr—By default, contains all predefined security zones and any user-defined zones.

    • untrust-vr—By default, does not contain any security zones.

    You cannot delete the trust-vr or untrust-vr predefined virtual routers.

  • Custom Virtual Routers—On some security devices, you can create and configure additional custom virtual routers.

You can define multiple VRs, but trust-vr is the default VR. All predefined and custom security zones (and all interfaces bound to those security zones) are bound to the trust-vr virtual router. To bind a security zone to the untrust-vr or to a custom VR, you must first unbind all interfaces from the zone. For a virtual system (vsys), you can select a virtual router to be the default router for the vsys.

The management virtual router supports out-of-band management and segregates firewall management traffic away from production traffic. The feature is disabled by default and you can enable it by setting a virtual router.