VM-Series Deployment Guide
Set Up a VM-Series Firewall on an ESXi Server
System Requirements and Limitations
This section lists requirements and limitations for the VM-Series firewall.
Requirements
You can create and deploy multiple instances of the VM-Series firewall on an ESXi server. Because each instance
of the firewall requires a minimum resource allocation—number of CPUs, memory and disk space—on the
ESXi server, make sure to conform to the specifications below to ensure optimal performance.
The VM-Series firewall has the following requirements:
• VMware ESXi with vSphere 4.1 and 5.0.
• Minimum of two vCPUs per VM-Series firewall. One will be used for the management plane and one for the dataplane. You can add up to eight additional vCPUs for the dataplane in the following increments: 2, 4, or 8 vCPUs.
• Minimum of two network interfaces (vmNICs). One will be a dedicated vmNIC for the management interface and one for the data interface. You can then add up to eight more vmNICs for data traffic.
• The VM-Series firewall requires that promiscuous mode is set to “accept” on the port group of the virtual switch to which the data interfaces on the firewall are attached.
• Minimum of 4GB of memory for all models except the VM-1000-HV, which needs 5GB. Any additional memory will be used by the management plane only. If you are applying the VM-1000-HV license, see How do I modify the base image file for the VM-1000-HV license?
• Minimum of 40GB of virtual disk space. You can add an additional disk of up to 2TB for logging purposes.
Limitations
The VM-Series firewall functionality is very similar to the Palo Alto Networks hardware firewalls, but with the
following limitations:
• Dedicated CPU cores are required.
• Only High Availability (HA) lite is supported (active/passive with no stateful failover).
• High Availability (HA) Link Monitoring is only supported on VMware ESXi installations that support DirectPath I/O.
• Up to 10 total ports can be configured; this is a VMware limitation. One port will be used for management traffic and up to 9 can be used for data traffic.
• Only the vmxnet3 driver is supported.
• Virtual systems are not supported.
• vMotion is not supported.
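A pre-deployment check of a VM definition against the vCPU, memory, vmNIC count and vmxnet3 items listed above, as an added example that is not part of this guide. It assumes the standard VMware .vmx keys (numvcpus, memSize in MB, ethernetN.present, ethernetN.virtualDev) and treats 4GB and 5GB as 4096 MB and 5120 MB; the sample file is constructed. Disk size, vCPU increments and the port group's promiscuous-mode setting are not stored in the .vmx and are not checked.

```python
import re

# Constructed sample .vmx fragment for illustration (not from the guide).
SAMPLE_VMX = '''
.encoding = "UTF-8"
displayName = "vm-series-fw01"
numvcpus = "2"
memSize = "4096"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "vmxnet3"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
'''

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    pairs = re.findall(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$', text, re.M)
    return {k.lower(): v for k, v in pairs}

def check_vmx(text, model=""):
    """List the ways a VM definition misses the requirements above."""
    cfg = parse_vmx(text)
    problems = []
    vcpus = int(cfg.get("numvcpus", "1"))  # an absent numvcpus means one vCPU
    if vcpus < 2:
        problems.append(f"{vcpus} vCPU(s): need at least 2")
    need_mb = 5120 if model == "VM-1000-HV" else 4096  # assumes 1GB = 1024 MB
    mem_mb = int(cfg.get("memsize", "0"))
    if mem_mb < need_mb:
        problems.append(f"{mem_mb} MB memory: need at least {need_mb} MB")
    # Indexes of the virtual NICs that are actually enabled.
    nics = sorted(int(m.group(1)) for k, v in cfg.items()
                  if (m := re.fullmatch(r"ethernet(\d+)\.present", k))
                  and v.upper() == "TRUE")
    if not 2 <= len(nics) <= 10:
        problems.append(f"{len(nics)} vmNIC(s): need 2 to 10")
    for n in nics:
        dev = cfg.get(f"ethernet{n}.virtualdev", "unset")
        if dev.lower() != "vmxnet3":
            problems.append(f"ethernet{n} uses {dev}: only vmxnet3 is supported")
    return problems

if __name__ == "__main__":
    for line in check_vmx(SAMPLE_VMX, model="VM-1000-HV"):
        print("FAIL:", line)
```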