By planning the mapping of VM-Series Firewall vNICs and interfaces, you can avoid reboots and configuration issues. The following table describes the default mapping between VMware vNICs and VM-Series interfaces when all 10 vNICs are enabled on ESXi.
VMware vNIC VM-Series Interfaces
1 Ethernet 1/0 (mgmt)
2 Ethernet 1/1 (eth1)
3 Ethernet 1/2 (eth2)
4 Ethernet 1/3 (eth3)
5 Ethernet 1/4 (eth4)
6 Ethernet 1/5 (eth5)
7 Ethernet 1/6 (eth6)
8 Ethernet 1/7 (eth7)
9 Ethernet 1/8 (eth8)
10 Ethernet 1/9 (eth9)
The mapping on the VM-Series Firewall remains the same no matter which vNICs you add on ESXi. No matter which interfaces you activate on the firewall, they always take the next available vNIC on ESXi. In the following example, eth3 and eth4 on the VM-Series Firewall are paired to vNICs 2 and 3 on ESXi respectively. If you add want to add two additional interfaces, you must activate vNICs 4 and 5; doing this requires you to power down the VM-Series firewall. If you activate eth1 and eth2 on the VM-Series Firewall, the interfaces will reorder themselves. This can result in a mapping mismatch and impact traffic.
To avoid issues like those described in the preceding example, you can do the following:
Activate all nine vNICs beyond the first when provisioning your ESXi host. Adding all nine vNICs as placeholders before powering on the VM-Series Firewall allows you to use any VM-Series interfaces regardless of order. By activating the vNICs before powering on the VM-Series Firewall, adding additional interfaces in the future no longer requires a reboot. Because each vNIC on ESXi requires that you choose a network, you can create an empty port group as a network placeholder. Do not remove VM-Series Firewall vNICs to avoid mapping mismatches.

Related Documentation