To secure your workloads, you can deploy more than one instance of
the VM-Series firewall on a Linux host. If, for
example, you want to isolate traffic for separate departments or
customers, you can use VLAN tags
to logically isolate network traffic and route it to the appropriate
VM-Series firewall. In the following example, one Linux host hosts
the VM-Series firewalls for two customers, Customer A and Customer
B, and the workload for Customer B is spread across two servers.
In order to isolate traffic and direct it to the VM-Series firewall configured
for each customer, VLANs are used.
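
One way to lay out the host side of this isolation, as an added example that is not part of the original documentation: each customer gets one VLAN subinterface and one bridge, and the mapping is rejected if two customers would share a VLAN ID. The uplink name `eth1`, the VLAN IDs 100 and 200, and the `br-<customer>` bridge names are assumptions, as is attaching each firewall's data interface to its customer's bridge.

```shell
#!/bin/sh
# Added example: plan per-customer VLAN isolation on the Linux host.
# Assumed (not from the page): uplink eth1, VLAN IDs 100/200, bridge names.
# Prints the iproute2 commands instead of running them; review, then run as root.

UPLINK="${UPLINK:-eth1}"   # assumed trunk port carrying the tagged customer traffic

# validate_map "name:vid ..." -> non-zero if a VLAN ID is malformed, out of range,
# or reused (reuse would put two customers in the same broadcast domain).
validate_map() {
    seen=" "
    for entry in $1; do
        vid="${entry#*:}"
        case "$vid" in
            ''|*[!0-9]*) echo "bad VLAN ID in '$entry'" >&2; return 1 ;;
        esac
        if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
            echo "VLAN ID $vid out of range 1-4094" >&2; return 1
        fi
        case "$seen" in
            *" $vid "*) echo "VLAN ID $vid assigned twice" >&2; return 1 ;;
        esac
        seen="$seen$vid "
    done
}

# plan_isolation "name:vid ..." -> one VLAN subinterface and one bridge per customer
plan_isolation() {
    validate_map "$1" || return 1
    for entry in $1; do
        name="${entry%%:*}"; vid="${entry#*:}"
        echo "ip link add link $UPLINK name $UPLINK.$vid type vlan id $vid"
        echo "ip link add name br-$name type bridge"
        echo "ip link set $UPLINK.$vid master br-$name"
        echo "ip link set $UPLINK.$vid up"
        echo "ip link set br-$name up"
    done
}

# Constructed sample mapping: Customer A and Customer B from the text.
plan_isolation "custA:100 custB:200"
```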

In another variation of this deployment, a pair of VM-Series
firewalls is deployed in a high availability setup. The VM-Series
firewalls in the following illustration are deployed on a Linux
server with SR-IOV capable adapters. With SR-IOV, a single Ethernet
port (physical function) can be split into multiple virtual functions.
Each virtual function attached to the VM-Series firewall is configured
as a Layer 3 interface. The active peer in the HA pair secures traffic
that is routed to it from guests that are deployed on a different
Linux server.