1.

In Palo Alto, what is the difference between virtual routers and virtual systems?

Answer:

Virtual routers:

  • A virtual router is a Layer 3 routing mechanism built into the firewall. The firewall uses virtual routers to obtain routes to other subnets, either through static routes that you define manually or by participating in one or more Layer 3 routing protocols (dynamic routes).
  • You can also create multiple virtual routers (VRs), each with its own set of routes that are not shared among them, allowing you to configure different routing behaviours for distinct interfaces.
    Numerous VSYS can share the same VR, and multiple VSYS can have multiple VRs.

Virtual systems:

  • Virtual systems are distinct, logical firewall instances within a single physical Palo Alto Networks firewall. A virtual system is made up of physical and logical interfaces and subinterfaces, virtual routers, and security zones (including VLANs and virtual wires). You select each virtual system's deployment mode (any combination of virtual wire, Layer 2, or Layer 3).
  • Instead of having several firewalls, managed service providers and organisations should employ a single pair of firewalls (for high availability) and allow virtual environments to run on them. Each virtual system can act as its own firewall, with its own security policy, interfaces, and administrators. This allows you to segment the management of all policies, reporting, and visibility capabilities provided by the firewall. You can logically separate physical networks by enabling virtual systems on your firewall.

