You can create and deploy multiple instances of the
VM-Series firewall on an ESXi server. Because each instance of the
firewall requires a minimum resource allocation—number of CPUs,
memory and disk space—on the ESXi server, make sure to conform to
the specifications below to ensure optimal performance.
The VM-Series firewall has the following requirements:
The host CPU must be an x86-based Intel or AMD CPU with
See the Compatibility Matrix for
supported versions of ESXi. The supported vmx (virtual hardware) version is
determined by the OVA that you use to deploy the VM-Series firewall, and you
cannot modify it. Upgrading or downgrading the VM-Series software
version does not change the vmx version that was set at launch.
Minimum of two network interfaces (vNICs). One is a dedicated
vNIC for the management interface and one is for the data interface.
You can then add up to eight more vNICs for data traffic. For additional
interfaces, use VLAN Guest Tagging (VGT) on the ESXi server or configure
subinterfaces on the firewall.
Hypervisor assigned MAC addresses
are enabled by default. vSphere assigns a unique vNIC MAC address
to each dataplane interface of the VM-Series firewall. If you disable
hypervisor assigned MAC addresses, the VM-Series firewall assigns
each interface a MAC address from its own pool. Because those addresses
differ from the vNIC MAC addresses that vSphere knows about, you must enable
promiscuous mode on the port group of the virtual switch to which the firewall's
dataplane interfaces are attached so that the firewall still receives
frames (see Provision
the VM-Series Firewall on an ESXi Server). If neither promiscuous
mode nor hypervisor assigned MAC addresses are enabled, the firewall
does not receive any traffic, because vSphere does not forward a
frame to a virtual machine when the frame's destination MAC address
does not match the vNIC MAC address.
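The vNIC-count and MAC/promiscuous-mode rules above can be checked before the firewall is powered on. The script below is an added example, not code from the Palo Alto Networks documentation: it counts vNICs in a constructed .vmx fragment, reports the (immutable) virtual hardware version, and decides whether dataplane frames will reach the firewall from two inputs: the firewall's hypervisor-assigned-MAC setting (enable or disable) and the data port group's security policy. The policy text is constructed here in the shape of the output of `esxcli network vswitch standard portgroup policy security get -p <portgroup>` ("Allow Promiscuous: true|false" lines); that layout, the file names, and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the Palo Alto Networks documentation.
# Pre-deployment checks for the vNIC and MAC-address requirements above.
# Sample inputs are constructed below: a .vmx fragment, and text in the
# shape of "esxcli network vswitch standard portgroup policy security get"
# output ("Allow Promiscuous: true|false"; that layout is an assumption).

WORK=$(mktemp -d)

# Constructed .vmx fragment: 1 management vNIC + 2 data vNICs, hardware v13.
cat > "$WORK/fw.vmx" <<'EOF'
virtualHW.version = "13"
ethernet0.present = "TRUE"
ethernet0.networkName = "mgmt-pg"
ethernet1.present = "TRUE"
ethernet1.networkName = "untrust-pg"
ethernet2.present = "TRUE"
ethernet2.networkName = "trust-pg"
EOF

# Constructed port-group security policies (esxcli-style output).
cat > "$WORK/pg-deny.txt" <<'EOF'
   Allow Promiscuous: false
   Allow MAC Address Change: true
   Allow Forged Transmits: true
EOF
cat > "$WORK/pg-allow.txt" <<'EOF'
   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true
EOF

# Number of vNICs present in a .vmx ($1).
vnic_count() {
    grep -E '^ethernet[0-9]+\.present = "TRUE"' "$1" | wc -l | tr -d ' '
}

# Returns 0 if the vNIC count is within 2 (mgmt + 1 data) .. 10 (mgmt + 9 data).
vnic_count_ok() {
    n=$(vnic_count "$1")
    [ "$n" -ge 2 ] && [ "$n" -le 10 ]
}

# The vmx hardware version is fixed by the OVA: report it, never edit it.
vmx_hw_version() {
    sed -n 's/^virtualHW\.version = "\([0-9]*\)"/\1/p' "$1"
}

# Prints "true" or "false" for Allow Promiscuous in an esxcli policy dump ($1).
promiscuous_allowed() {
    grep -i 'Allow Promiscuous' "$1" | awk -F: '{gsub(/[[:space:]]/,"",$2); print tolower($2)}'
}

# Will dataplane frames reach the firewall?
#   $1 = hypervisor-assigned-MAC setting on the firewall: enable | disable
#   $2 = file with the data port group's security policy
# Returns 0 when frames are delivered, 1 when vSphere will drop them.
dataplane_will_receive() {
    if [ "$1" = "enable" ]; then
        echo "ok: vNIC MAC equals the hypervisor-assigned MAC; promiscuous mode not needed"
        return 0
    fi
    if [ "$(promiscuous_allowed "$2")" = "true" ]; then
        echo "ok: firewall-pool MACs differ from the vNIC MACs, but the port group allows promiscuous mode"
        return 0
    fi
    echo "FAIL: hypervisor-assigned MAC disabled and promiscuous mode rejected; frames will be dropped"
    return 1
}

# Stand-alone run over the constructed inputs.
echo "vNICs: $(vnic_count "$WORK/fw.vmx") (hardware version $(vmx_hw_version "$WORK/fw.vmx"))"
vnic_count_ok "$WORK/fw.vmx" && echo "vNIC count within the supported range" || echo "vNIC count out of range"
dataplane_will_receive enable  "$WORK/pg-deny.txt"
dataplane_will_receive disable "$WORK/pg-deny.txt" || :
dataplane_will_receive disable "$WORK/pg-allow.txt"
```

On a real host, replace the constructed files with the VM's .vmx and the output of the esxcli command for the data port group; the third case (MAC assignment disabled, promiscuous mode rejected) is the silent-failure configuration the text warns about.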
Data Plane Development Kit (DPDK) is enabled by default on
VM-Series firewalls on ESXi. For more information about DPDK, see Enable
DPDK on ESXi.
To achieve the best performance out of the VM-Series firewall,
you can make the following adjustments to the host before deploying
the VM-Series firewall. See Performance
Tuning of the VM-Series for ESXi for more information.
DPDK allows the host to process packets
faster by bypassing the Linux kernel; instead, interactions with
the NIC are performed using DPDK's user-space drivers and libraries.
Single root I/O virtualization (SR-IOV)
allows a single PCIe physical device under a single root port to
appear to the hypervisor as multiple separate physical devices.
Do not configure a vSwitch on the physical port
on which you enable SR-IOV. To communicate with the host or other
virtual machines on the network, the VM-Series firewall must have
exclusive access to the physical port and its associated virtual functions
(VFs).
Enable multi-queue support for NICs. Multi-queue allows
network performance to scale with the number of vCPUs and allows
parallel packet processing by creating multiple TX and RX queues.
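The SR-IOV rule above (no vSwitch on a port you hand to the firewall) is easy to violate on a host that already has uplinks configured. The script below is an added example, not code from the Palo Alto Networks documentation: it intersects the set of standard-vSwitch uplinks with the set of SR-IOV-enabled NICs and reports any overlap. Both inputs are constructed text in the shape of `esxcli network vswitch standard list` ("Uplinks: vmnicA, vmnicB" per switch) and `esxcli network sriovnic list` (header row, dashed rule, one NIC per row); those layouts, the file names, and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the Palo Alto Networks documentation.
# Flags physical NICs that are SR-IOV-enabled and also serve as a vSwitch
# uplink, which the guidance above rules out. Inputs are constructed text in
# the assumed shape of:
#   esxcli network vswitch standard list   ("Uplinks: vmnicA, vmnicB" lines)
#   esxcli network sriovnic list           (header, dashed rule, one NIC per row)

WORK=$(mktemp -d)

# Constructed vSwitch listing: vmnic4 is still an uplink of vSwitch1.
cat > "$WORK/vswitch.txt" <<'EOF'
vSwitch0
   Name: vSwitch0
   Uplinks: vmnic0, vmnic1
vSwitch1
   Name: vSwitch1
   Uplinks: vmnic4
EOF

# Constructed SR-IOV NIC table: vmnic4 and vmnic5 have SR-IOV enabled.
cat > "$WORK/sriov.txt" <<'EOF'
Name    PCI Device    Driver  Link  Speed  Duplex
------  ------------  ------  ----  -----  ------
vmnic4  0000:04:00.0  ixgben  Up    10000  Full
vmnic5  0000:04:00.1  ixgben  Up    10000  Full
EOF

# All uplinks across every standard vSwitch in file $1, one per line, sorted.
vswitch_uplinks() {
    sed -n 's/^[[:space:]]*Uplinks:[[:space:]]*//p' "$1" \
        | tr ',' '\n' | tr -d ' ' | sed '/^$/d' | sort -u
}

# NIC names from the sriovnic table in file $1, skipping the two header lines.
sriov_nics() {
    awk 'NR > 2 && NF { print $1 }' "$1" | sort -u
}

# Prints the NICs present in both sets; output is empty when the rule is met.
sriov_uplink_conflicts() {
    vswitch_uplinks "$1" > "$WORK/uplinks.lst"
    sriov_nics "$2" > "$WORK/sriov.lst"
    comm -12 "$WORK/uplinks.lst" "$WORK/sriov.lst"
}

# Stand-alone run over the constructed inputs.
conflicts=$(sriov_uplink_conflicts "$WORK/vswitch.txt" "$WORK/sriov.txt")
if [ -z "$conflicts" ]; then
    echo "ok: no SR-IOV port is a vSwitch uplink"
else
    echo "FAIL: SR-IOV NICs still attached to a vSwitch (remove the uplink so the firewall owns the PF and its VFs):"
    echo "$conflicts"
fi
```

On a real host, feed the two esxcli outputs in place of the constructed files; any NIC the script prints must be detached from its vSwitch before the firewall's VFs are passed through.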