Routing traffic to a virtual system (vsys) in ScreenOS

I would like to add a quick note on how to forward some traffic received from one interface to a vsys configured in a netscreen device. From time to time, I need to do this and I always have to search for it again. This may not be the right way of doing or not suitable for production environments but it works just in my testing. In the example, network in the destination vsys is 10.1.1.0/24.

1) In the below example, I am forwarding traffic received in eth1/1 interface which is in untrust zone and trust-vr. This is important as we should use a shared untrust zone for forwarding and trust-vr

Root device interface output

2) Required routes are below. We forward traffic into test-vr which is in test vsys

Root device route output

Get zone output:

4) If we look at the return traffic withing test vsys:

If we look at the return traffic, we can see that, we direct return traffic into trust-vr

Crucial point is the following output indeed. VSYS device sees untrust zone as if it is directly connected to it, which means without having any policy in the root system, having a policy allowing from untrust zone to Trust-test zone allows traffic flow.

If I draw a very stupid graphic, it should be something like this;

You have a feedback?