10
VM-Series
Deployment
Guide
Supported Deployments
Set Up a VM-Series Firewall on an ESXi Server
Supported Deployments
You can deploy one or more instances of the VM-Series firewall on the ESXi server. Where you place the
VM-Series firewall on the network depends on your topology. Choose from the following options:
One VM-Series firewall per ESXi host
—Every VM server on the ESXi host passes through the firewall
before exiting the host for the physical network. VM servers attach to the firewall via virtual standard
switches. The guest servers have no other network connectivity and therefore the firewall has visibility and
control to all traffic leaving the ESXi host. One variation of this use case is to also require all traffic to flow
through the firewall, including server to server (east-west traffic) on the same ESXi host.
One VM-Series firewall per virtual network
—Deploy a VM-Series firewall for every virtual network. If
you have designed your network such that one or more ESXi hosts has a group of virtual machines that
belong to the internal network, a group that belongs to the external network, and some others to the DMZ,
you can deploy a VM-Series firewall to safeguard the servers in each group. If a group or virtual network
does not share a virtual switch or port group with any other virtual network, it is completely isolated from
all other virtual networks within or across the host(s). Because there is no other physical or virtual path to
any other network, the servers on each virtual network, must use the firewall to talk to any other network.
Therefore, it allows the firewall visibility and control to all traffic leaving the virtual (standard or distributed)
switch attached to each virtual network.
Hybrid environment
—Both physical and virtual hosts are used, the VM-Series firewall can be deployed in
a traditional aggregation location in place of a physical firewall appliance to achieve the benefits of a common
server platform for all devices and to unlink hardware and software upgrade dependencies.