You can deploy a single instance of the VM-Series firewall per Linux host (single tenant) or multiple instances of the VM-Series firewalls on a Linux host. The VM-Series firewall can be deployed with virtual wire, Layer 2, or Layer 3 interfaces. If you plan on using SR-IOV capable interfaces on the VM-Series firewall, you can only configure the interfaces as Layer 3 interfaces.
To secure east west traffic across guests on a Linux server, the VM-Series firewall can be deployed with virtual wire, Layer 2, or Layer 3 interfaces. The illustration below shows the firewall with Layer 3 interfaces, where the firewall and the other guests on the server are connected using Linux bridges. In this deployment, all traffic between the web servers and the database servers is routed through the firewall; traffic across the database servers only or across the web servers only is processed by the bridge and is not routed through the firewall.
to logically isolate network traffic and route it to the appropriate VM-Series firewall. In the following example, one Linux host hosts the VM-Series firewalls for two customers, Customer A and Customer B, and the workload for Customer B is spread across two servers. In order to isolate traffic and direct it to the VM-Series firewall configured for each customer, VLANs are used.
In another variation of this deployment, a pair of VM-Series firewalls are deployed in a high availability set up. The VM-Series firewalls in the following illustration are deployed on a Linux server with SR-IOV capable adapters. With SR-IOV, a single Ethernet port (physical function) can be split into multiple virtual functions. Each virtual function attached to the VM-Series firewall is configured as a Layer 3 interface. The active peer in the HA pair secures traffic that is routed to it from guests that are deployed on a different Linux server.