The VM-Series firewall functionality is very similar
to the Palo Alto Networks hardware firewalls, but with the following limitations:
Do not use the VMware snapshots functionality on the
VM-Series on ESXi. Snapshots can impact performance and result in
intermittent and inconsistent packet loss. See the VMware best practice
recommendation for using snapshots.
If you need configuration backups, use Panorama or, from the firewall, use
named configuration snapshot (Device > Setup > Operations).
Export named configuration snapshot
the firewall’s active configuration (
and allows you to save it to any network location.
Dedicated CPU cores are recommended.
High Availability (HA) Link Monitoring is not supported on
VM-Series firewalls on ESXi. Use Path Monitoring to verify connectivity
to a target IP address or to the next hop IP address.
Up to 10 total ports can be configured; this is a VMware
limitation. One port is used for management traffic and up to 9
can be used for data traffic.
Only the vmxnet3 driver is supported.
Virtual systems are not supported.
vMotion of the VM-Series firewall is not supported. However,
the VM-Series firewall can secure guest virtual machines that have
migrated to a new destination host, if the source and destination
hosts are members of all vSphere Distributed Switches that the guest
virtual machine used for networking.
Forged transmit and promiscuous mode must be enabled on the
ESXi vSwitch port groups connected to Layer 2 and vwire interfaces
on the VM-Series firewall.
To use PCI devices with the VM-Series firewall on ESXi, memory
mapped I/O (MMIO) must be below 4GB. You can disable MMIO above
4GB in your server’s BIOS. This is an ESXi limitation.
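
The port, driver and port-group limits above can be checked offline before a deployment. The following is an added example, not Palo Alto Networks or VMware code: it reads the `ethernetN.*` keys from a VM's .vmx text and reports deviations. The sample .vmx fragment, the `NIC_MODE` map and the `PG_POLICY` map are constructed inputs that an operator would fill in from the firewall configuration and the vSwitch settings.

```python
import re

# Constructed sample .vmx fragment for a VM-Series guest (illustrative only).
SAMPLE_VMX = """\
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet0.networkName = "mgmt-pg"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet1.networkName = "vwire-a"
ethernet2.present = "TRUE"
ethernet2.virtualDev = "vmxnet3"
ethernet2.networkName = "l3-untrust"
"""
# Constructed operator inputs: firewall interface mode per vNIC, and the
# security policy of each vSwitch port group.
NIC_MODE = {0: "mgmt", 1: "vwire", 2: "layer3"}
PG_POLICY = {
    "mgmt-pg": {"promiscuous": False, "forged_transmits": False},
    "vwire-a": {"promiscuous": True, "forged_transmits": False},
    "l3-untrust": {"promiscuous": False, "forged_transmits": False},
}
MAX_PORTS = 10  # 1 management port + up to 9 data ports

def parse_nics(vmx_text):
    """Return {index: {key: value}} for every vNIC marked present."""
    nics = {}
    for m in re.finditer(r'^ethernet(\d+)\.(\w+)\s*=\s*"([^"]*)"', vmx_text, re.M):
        nics.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return {i: n for i, n in nics.items() if n.get("present", "").upper() == "TRUE"}

def audit(vmx_text, nic_mode, pg_policy):
    """List every deviation from the port, driver and port-group limits."""
    nics = parse_nics(vmx_text)
    findings = []
    if len(nics) > MAX_PORTS:
        findings.append(f"{len(nics)} ports configured, maximum is {MAX_PORTS}")
    for idx, nic in sorted(nics.items()):
        driver = nic.get("virtualDev", "unset")
        if driver != "vmxnet3":
            findings.append(f"ethernet{idx}: driver {driver} is not supported, use vmxnet3")
        if nic_mode.get(idx) in ("layer2", "vwire"):
            pg = nic.get("networkName", "unknown")
            for setting in ("promiscuous", "forged_transmits"):
                if not pg_policy.get(pg, {}).get(setting, False):
                    findings.append(f"ethernet{idx}: port group {pg} needs {setting} enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_VMX, NIC_MODE, PG_POLICY)) or "no findings")
```

Only the port groups attached to Layer 2 and vwire interfaces are checked for promiscuous mode and forged transmits, so the Layer 3 and management port groups in the sample pass with both settings off.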