Set up a virtual Airwall Gateway in VMware ESX/ESXi

This section contains instructions to install a virtual Airwall Gateway on the ESXi/ESX (VMware) platform.

Prerequisites

Required licenses
An Airwall 300v license for each virtual Airwall Gateway you are setting up.

You will also need:

  • An existing installation of VMware ESX/ESXi server version 6.5.0 or later
  • An Airwall Gateway OVA
  • The Conductor you are connecting to configured and available

System Requirements

The following VMware ESX/ESXi server hardware is required:

Processor
  • Minimum requirement of a single processor with hyper-threading support, VT-x technology, and 64-bit architecture.
  • Optimum configuration is a minimum of 4 processing cores with hyper-threading support, VT-x technology, 64-bit architecture, and AES-NI enabled in the host's BIOS.

Virtual image

Below are the minimum configuration requirements available for a virtual Conductor or Airwall Gateway image:

Platform          Memory   Disk
Conductor         4GB      120GB*
Airwall Gateway   1GB      1GB*

* Already included in the default OVA package

Port Group Configuration

By default, a virtual Airwall Gateway OVA image comes with two network interfaces.

Attach each interface to its own port group:
  • Port 1 functions as the underlay network
  • Port 2 functions as the overlay network

The virtual Airwall Gateway is expandable up to 6 ports. You can configure one port for HA heartbeats with the HA role.

Security configuration

VMware port groups have default security settings inherited from their parent virtual switch. The following port group security settings should be changed to Accept:

Note: These changes only need to be made on the port group for the overlay device network.
  • Promiscuous Mode
    • Allows virtual interface adapters connected to this port group to see all Ethernet frames passed on the virtual switch that are allowed under the VLAN policy for the port group.
  • Forged Transmits
    • Allows virtual machines to send frames with a MAC Address that is different from the one specified on the virtual interface.
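
One way to check these settings from the ESXi shell, as an added example that is not part of the original page or Airwall's own tooling: the script parses policy text in the form printed by esxcli network vswitch standard portgroup policy security get and reports any port group whose Promiscuous Mode or Forged Transmits setting does not match its role. The sample policies are constructed, the function names are hypothetical, and treating Accept on a non-overlay port group as a finding is an assumption drawn from the note above.

```shell
#!/bin/sh
# Added example (not Airwall or VMware code). Function names are hypothetical.
# Input format is an assumption: "Key: value" lines as printed on the ESXi host by
#   esxcli network vswitch standard portgroup policy security get --portgroup-name=<name>

# policy_value KEY: read policy text on stdin, print the lower-cased value of KEY.
policy_value() {
    awk -F': *' -v key="$1" '
        { sub(/^[ \t]+/, "", $1); gsub(/[ \t\r]+$/, "", $2) }
        $1 == key { print tolower($2); exit }'
}

# audit_portgroup ROLE POLICY_TEXT
#   ROLE "overlay": both settings must be Accept (true), as this page requires.
#   ROLE "other":   assumption: Accept is confined to the overlay port group,
#                   so true on any other port group is reported.
# Prints one line per finding; returns 0 if compliant, 1 if not, 2 on bad ROLE.
audit_portgroup() {
    role=$1; policy=$2; rc=0
    case $role in
        overlay) want=true ;;
        other)   want=false ;;
        *) echo "unknown role: $role"; return 2 ;;
    esac
    for key in "Allow Promiscuous" "Allow Forged Transmits"; do
        got=$(printf '%s\n' "$policy" | policy_value "$key")
        if [ -z "$got" ]; then
            echo "MISSING $role: $key"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "FAIL $role: $key is $got, expected $want"; rc=1
        fi
    done
    return $rc
}

# Constructed sample policies (not captured from a real host).
OVERLAY_OK='   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: true
   Override vSwitch Allow Promiscuous: true'
UNDERLAY_WIDE='   Allow Promiscuous: true
   Allow MAC Address Change: false
   Allow Forged Transmits: false'

audit_portgroup overlay "$OVERLAY_OK" && echo "overlay port group: OK"
audit_portgroup other "$UNDERLAY_WIDE" || echo "underlay port group: review findings above"
```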

VLAN configuration

  • Set VLAN type to VLAN
  • Set a VLAN ID unique to this Airwall Gateway overlay device network and protected device
Note: Because virtual Airwall Gateway port groups function as logical groups and not independent network groups, you must set a unique VLAN for each port group attached to an Airwall Gateway.

To deploy the virtual image

Please check your VMware documentation for the most recent instructions.

  1. Download the Airwall x86_64 OVA (ESXi) file from Latest firmware and software.
  2. Deploy a new OVF template from within ESXi using the downloaded OVA file. For most deployments, you can keep the default settings.
  3. Give the virtual machine a unique name and select its storage location.
  4. Map the virtual machine's network interfaces with the correctly assigned port groups for the Airwall Gateway.
  5. Set Disk provisioning to Thin Provisioned.
  6. Verify your configuration, check Power on after deployment, and then select Finish to begin the update.

Configure a running Airwall Gateway in VMware ESX/ESXi

Once the Airwall Gateway virtual image is successfully running, you can configure the unit to connect to Conductor. The underlay network interface (port 1) defaults to a DHCP-configured interface.

  1. In the vSphere ESXi client, select one of the console links:

    [Figure: vSphere Airwall Gateway virtual machine page showing console links]

    Launch Web Console opens in a new tab in the browser. Launch Remote Console opens in a desktop app that you may need to install.

  2. On the Airwall Gateway, log in to Airshell with the username airsh and no password (2.2.8 and later).
  3. You can either determine the IP address for port 1, or manually set it:
    • To determine the IP address assigned to port 1, at the Airshell prompt, enter status network:
      airsh> status network
    • To manually set the IP address for port 1, from the console prompt, enter conf network and select 1 to configure the IP. For more help, see Configure Port Groups with Airshell:
      airsh> conf network
  4. Configure the Conductor using conductor set followed by the address and port. For example:
    airsh> conductor set my-conductor.tempered