No VMotion around virtual or physical firewalls, please

Chris Hoff’s BlackHat presentation titled “The Four Horsemen of the Virtualization Apocalypse” was described here by Ellen Messmer, to Chris’ dislike. Her spin may have been slightly too negative, but in any case she reports interesting points, among them Chris’ comment that it just won’t work if you VMotion a virtual firewall (VFW). While Chris is right in general, moving a VFW will in fact work in some simple corner cases, basically when both locations are indistinguishable in networking terms (same subnet, same VLANs, no NAT on the VFW itself, etc.). So you can VMotion a firewall, but just a little bit … and if you are not so lucky, all hell breaks loose.

What’s more worrying is that all the same problems will happen if you VMotion any VM in presence of any firewall (virtual or physical): either you VMotion between two locations that are identical in terms of routing, VLANs etc. or you are in trouble. Any relative motion between firewall and VM will create the same troubles.

The really revealing bit about Chris’ comment is that most VMware deployments are still so simple that all VMotion happens in the simple corner cases. So don’t get too close to your firewall when you do VMotion.
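To make the “indistinguishable in networking terms” condition concrete, here is an added example (not code from the original post, and not a VMware tool) that models a pre-VMotion check: it compares the VM’s port groups on the source and destination hosts (VLAN, subnet, gateway), compares the firewalls sitting between each host and the rest of the network, and flags a migrating VM that performs NAT itself. All host, port group and firewall names are constructed sample data.

```python
"""Pre-VMotion network-consistency check (added example, constructed sample data).

The rule it encodes is the one from the post: a VM (firewall or not) can only
move safely when source and destination are indistinguishable in networking
terms, i.e. same VLANs, same subnets and gateways, the same firewalls on the
path, and no NAT performed by the migrating VM itself.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One port group as seen from a host: VLAN, carried subnet, default gateway."""
    vlan: int
    subnet: str
    gateway: str


@dataclass
class Host:
    name: str
    # port group name -> Segment; a port group missing on a host is a finding
    portgroups: dict[str, Segment]
    # ordered firewalls between this host's uplinks and the core (constructed names)
    firewalls_on_path: tuple[str, ...]


@dataclass
class Vm:
    name: str
    portgroups: tuple[str, ...]   # port groups the VM's vNICs attach to
    does_nat: bool = False        # True if the VM is itself a NAT-ing firewall


def migration_findings(vm: Vm, src: Host, dst: Host) -> list[str]:
    """Return every reason the move src -> dst is not a 'simple corner case'."""
    findings: list[str] = []
    for pg in vm.portgroups:
        if pg not in src.portgroups:
            findings.append(f"port group '{pg}' absent on source {src.name}")
            continue
        if pg not in dst.portgroups:
            findings.append(f"port group '{pg}' absent on destination {dst.name}")
            continue
        a, b = src.portgroups[pg], dst.portgroups[pg]
        # Any difference in VLAN, subnet or gateway means the VM lands in a
        # different L2/L3 position after the move.
        for attr in ("vlan", "subnet", "gateway"):
            if getattr(a, attr) != getattr(b, attr):
                findings.append(
                    f"port group '{pg}': {attr} {getattr(a, attr)} -> {getattr(b, attr)}"
                )
    # Relative motion between VM and firewall: sessions established through
    # the old path are unknown to the firewall(s) on the new path.
    if src.firewalls_on_path != dst.firewalls_on_path:
        findings.append(
            f"firewall path differs: {src.firewalls_on_path} -> {dst.firewalls_on_path}"
        )
    # A NAT-ing firewall VM: its translated addresses are routed to where it sits today.
    if vm.does_nat:
        findings.append(f"{vm.name} performs NAT; translated addresses are location-bound")
    return findings


def safe_to_vmotion(vm: Vm, src: Host, dst: Host) -> bool:
    return not migration_findings(vm, src, dst)


# --- constructed sample topology -------------------------------------------
SEG_WEB = Segment(vlan=110, subnet="10.1.10.0/24", gateway="10.1.10.1")
SEG_DB = Segment(vlan=120, subnet="10.1.20.0/24", gateway="10.1.20.1")
SEG_WEB_SITE2 = Segment(vlan=210, subnet="10.2.10.0/24", gateway="10.2.10.1")

ESX_A = Host("esx-a", {"web": SEG_WEB, "db": SEG_DB}, ("fw-dmz",))
ESX_B = Host("esx-b", {"web": SEG_WEB, "db": SEG_DB}, ("fw-dmz",))   # same cluster
ESX_C = Host("esx-c", {"web": SEG_WEB_SITE2}, ("fw-site2",))          # other site

WEB_VM = Vm("web01", ("web",))
APP_VM = Vm("app01", ("web", "db"))
VFW_NAT = Vm("vfw01", ("web", "db"), does_nat=True)

if __name__ == "__main__":
    for vm, src, dst in ((WEB_VM, ESX_A, ESX_B), (WEB_VM, ESX_A, ESX_C),
                         (APP_VM, ESX_A, ESX_C), (VFW_NAT, ESX_A, ESX_B)):
        print(f"{vm.name}: {src.name} -> {dst.name}:",
              migration_findings(vm, src, dst) or "ok (simple corner case)")
```

Moving `web01` between `esx-a` and `esx-b` yields no findings (the corner case where VMotion works), while any move to `esx-c` reports the VLAN, subnet and gateway changes plus the different firewall path, and the NAT-ing firewall VM is flagged even between identical hosts.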

ps. I have, of course, my own agenda here.



5 Responses to “No VMotion around virtual or physical firewalls, please”

  1. Christofer Hoff Says:


    Not sure if you attended my presentation, but Ellen got much more than just the sensationalistic phrasing wrong — a LOT more.

    Specifically, her summary missed the point and context regarding what I said in regards to functionality like vMotion; I used the virtualizing the DMZ example from VMware’s latest whitepaper to illustrate many points.

    You are, of course, quite correct in your corner-case vmotion example…but that corner case actually proves my point: as we move into environments wherein we virtualize representative virtualized versions of our physical environments, these marketing-slick corner cases aren’t relevant…


  2. Christofer Hoff Says:

    …also, I hinted at some of this in June when I wrote this blog “The Final Frontier(?): Virtualizing the DMZ:”

  3. Tom Ludwig Says:


    I did not see your presentation but the impression that Ellen Messmer got something wrong was distinct. It seemed unlikely that you would turn into an anti-virtualization activist. To be fair to her, it feels as if she was giving you top billing in her BlackHat summary because she wanted to promote your ideas. That certainly did not work out for you …

    I was reflecting on the “You cannot VMotion firewalls” angle (that she presented correctly as far as I can see and that was already present in your “Four Horseman” post in April). It gels with my experience that any VM that VMotions around a firewall (or in any non-trivial network configuration) creates complexity.

    I completely agree that none of the current virtualized environments reflect networking or security best practice (mostly not even decent practice). But getting to the “representative virtualized versions of physical environments” you mention is a very interesting challenge.

    In any case I look forward to the BlackHat charts that I just downloaded.

  4. Christofer Hoff Says:


    ‘preciate the perspective.

    Here’s an interesting anecdote to our conversation. If you look at the release notes for Check Point’s new VPN-1 VE (virtual edition,) even though they’ve made great strides with the solution in the areas of OVF support for installation, HA/LB, etc., the one line in the “known limitations” section of the release note you may be interested in is this:

    VMotion is not supported.


    We’re on the same page, it’s just that the ink’s not dry in my book yet 😉


  5. Tom Ludwig Says:


    It’s hilarious. I was just writing a post about your Check Point post from yesterday. No, I had not seen the small print about VMotion. And yes, I find it very interesting.

