Configuration of Master NGFW Engines and Virtual NGFW Engines

Master NGFW Engines are physical devices that provide resources for multiple Virtual NGFW Engines.

Using Virtual NGFW Engines allows the same physical engine device to support multiple policies or routing tables, or policies that involve overlapping IP addresses. This is especially useful in a Managed Security Service Provider (MSSP) environment, or in a network environment that requires strict isolation between networks.

A Virtual Resource element defines the set of resources on the Master NGFW Engine that are allocated to a Virtual NGFW Engine. Virtual Resource elements associate Virtual NGFW Engines with Physical Interfaces or VLAN Interfaces on the Master NGFW Engine.

Virtual NGFW Engines associated with the same Master NGFW Engine can belong to different administrative Domains. However, the Master NGFW Engine must either belong to the Shared Domain or to the same Domain as the associated Virtual NGFW Engines. For example, the Master NGFW Engine can belong to the Shared Domain, while each associated Virtual NGFW Engine belongs to a different Domain.

Any NGFW Engine that has a license that allows the creation of Virtual Resources can be used as a Master NGFW Engine.

Before you define a new Master NGFW Engine element, make sure that you have an NGFW Engine license for each Master NGFW Engine node. Virtual NGFW Engines do not require individual licenses. Instead, the NGFW Engine license for the Master NGFW Engine defines how many Virtual Resources can be created. The number of Virtual Resources limits the number of Virtual NGFW Engines: one Virtual NGFW Engine at a time can be associated with each Virtual Resource.

Protecting Virtual NGFW Engines

In the Virtual Resource, you can set the rate limit and throughput limit for the Virtual NGFW Engine. Setting the rate limit helps protect the other Virtual NGFW Engines by ensuring that a single Virtual NGFW Engine does not consume all the resources of a Master NGFW Engine.

Figure: Example of using rate limit and throughput limit for a Virtual Firewall

1. In the properties of the Master NGFW Engine, open the Virtual Resource, then set the rate limit, the throughput limit, or both.
2. Refresh the policy on the Virtual NGFW Engine.
3. When incoming network traffic exceeds the rate limit, the packets are dropped. If a rate limit is defined, it must be much higher than the throughput limit.
4. When outgoing network traffic exceeds the throughput limit, the packets are queued. If a QoS Policy is set for the Virtual NGFW Engine, that policy handles prioritization as normal.

Limitations

The following limitations apply to Master NGFW Engines and Virtual NGFW Engines:
  • To use more than one Virtual NGFW Engine role, you must create a separate Master NGFW Engine for each Virtual NGFW Engine role. Each Master NGFW Engine must be on a separate physical Master NGFW Engine device.
  • Virtual Firewalls do not support dynamic IP addresses or Wireless Interfaces.
  • If there are multiple administrative Domains, the Master NGFW Engine must either belong to the Shared Domain or to the same Domain as the Virtual NGFW Engines.
  • Virtual NGFW Engines handle only the traffic routed through the Virtual NGFW Engine for inspection. All other traffic, including communication between the Virtual NGFW Engines and the SMC components, is proxied by the Master NGFW Engine. Virtual NGFW Engines do not communicate directly with other Virtual NGFW Engines.
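As an added example, not part of this documentation or of any SMC tooling, the following Python models the rules described above (the license-bound number of Virtual Resources, one Virtual NGFW Engine per Virtual Resource, the Domain rule, and the requirement that a rate limit be much higher than the throughput limit) as a pre-flight check on a planned Master/Virtual NGFW Engine layout. The element classes, the `min_ratio` factor and the sample plan are assumptions of the example, not product definitions.

```python
from dataclasses import dataclass, field
SHARED_DOMAIN = "Shared Domain"

@dataclass
class VirtualResource:
    name: str
    rate_limit: int = 0        # incoming limit; excess is dropped (0 = not set)
    throughput_limit: int = 0  # outgoing limit; excess is queued (0 = not set)

@dataclass
class VirtualEngine:
    name: str
    domain: str
    resource: str  # Virtual Resource the engine is associated with

@dataclass
class MasterEngine:
    name: str
    domain: str
    licensed_resources: int  # Virtual Resources the NGFW Engine license allows
    resources: list = field(default_factory=list)
    engines: list = field(default_factory=list)

def validate(master, min_ratio=4):
    """List the documented rules a plan breaks (empty = consistent). min_ratio is an
    assumed factor for 'much higher'; the documentation gives no number."""
    problems = []
    if len(master.resources) > master.licensed_resources:
        problems.append(f"{master.name}: {len(master.resources)} Virtual Resources exceed license ({master.licensed_resources})")
    known = {r.name for r in master.resources}
    holder = {}  # Virtual Resource -> Virtual NGFW Engine already using it
    for ve in master.engines:
        if master.domain not in (SHARED_DOMAIN, ve.domain):
            problems.append(f"{ve.name}: Domain {ve.domain} vs Master Domain {master.domain}")
        if ve.resource not in known:
            problems.append(f"{ve.name}: no Virtual Resource named {ve.resource}")
        elif ve.resource in holder:
            problems.append(f"{ve.resource}: used by {holder[ve.resource]} and {ve.name}")
        else:
            holder[ve.resource] = ve.name
    for r in master.resources:
        if r.rate_limit and r.throughput_limit and r.rate_limit < min_ratio * r.throughput_limit:
            problems.append(f"{r.name}: rate limit {r.rate_limit} not much higher than throughput limit {r.throughput_limit}")
    return problems

def example_plan():
    """Constructed sample: Master in the Shared Domain, one Virtual Firewall per customer Domain."""
    m = MasterEngine("master-1", SHARED_DOMAIN, licensed_resources=2)
    m.resources = [VirtualResource("vr-a", 1000, 100), VirtualResource("vr-b", 150, 100)]
    m.engines = [VirtualEngine("vfw-a", "CustomerA", "vr-a"), VirtualEngine("vfw-b", "CustomerB", "vr-b")]
    return m
```

Running `validate(example_plan())` reports only vr-b, whose rate limit is too close to its throughput limit; moving the Master out of the Shared Domain or pointing two engines at one Virtual Resource adds the corresponding findings.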