You can deploy one or more instances of the VM-Series on hosts running Hyper-V. Where you place the VM-Series firewall depends on your network topology. VM-Series supports tap, virtual wire, Layer 2, and Layer 3 interface deployments.
Secure Traffic on a Single Hyper-V Host
The VM-Series firewall is deployed on a single Hyper-V host along with other guest VMs. In the example below, the VM-Series firewall has a Layer 3 interfaces and the VM-Series and other guest VMs are connected by Hyper-V vSwitches. All traffic between the web servers and database servers is routed through the firewall. Traffic across the database servers only or across the web servers only is processed by the external vSwitch and not routed through the firewall.
Secure Traffic Across Multiple Hyper-V Hosts
You can deploy your VM-Series firewall to secure the traffic of multiple Hyper-V hosts. In the example below, the VM-Series is deployed in Layer 2 mode protecting traffic to and from the guest VMs. A single VM-Series firewall protects traffic between four guest VMs spread across two Hyper-V hosts. VLAN tagging is used to logically isolate traffic and direct it to the firewall. Additionally, management traffic is decoupled from all other traffic by placing it on its own external vSwitch.

Related Documentation