Configuration of Master Engines and Virtual Engines

Master Engines are physical devices that provide resources for multiple Virtual Engines.

Using Virtual Engines allows the same physical engine device to support multiple policies or routing tables, or policies that involve overlapping IP addresses. This is especially useful in a Managed Security Service Provider (MSSP) environment, or in a network environment that requires strict isolation between networks.

A Virtual Resource element defines the set of resources on the Master Engine that are allocated to a Virtual Engine. Virtual Resource elements associate Virtual Engines with Physical Interfaces or VLAN Interfaces on the Master Engine.

Virtual Engines associated with the same Master Engine can belong to different administrative Domains. However, the Master Engine must either belong to the Shared Domain or to the same Domain as the associated Virtual Engines. For example, the Master Engine can belong to the Shared Domain, while each associated Virtual Engine belongs to a different Domain.

Any Engine that has a license that allows the creation of Virtual Resources can be used as a Master Engine.

Before you define a new Master Engine element, make sure that you have an Engine license for each Master Engine node. Virtual Engines do not require individual licenses. Instead, the Engine license for the Master Engine defines how many Virtual Resources can be created. The number of Virtual Resources limits the number of Virtual Engines: one Virtual Engine at a time can be associated with each Virtual Resource.

Protecting Virtual Engines

In the Virtual Resource, you can set the rate limit and throughput limit for the Virtual Engine. Setting the rate limit helps protect the other Virtual Engines by ensuring that a single Virtual Engine does not consume all the resources of a Master Engine.

Figure: Example of using rate limit and throughput limit for a Virtual Firewall

  1. In the properties of the Master Engine, open the Virtual Resource, then set the rate limit, the throughput limit, or both.
  2. Refresh the policy on the Virtual Engine.
  3. When incoming network traffic exceeds the rate limit, the packets are dropped. If a rate limit is defined, it must be much higher than the throughput limit.
  4. When outgoing network traffic exceeds the throughput limit, the packets are queued. If a QoS Policy is set for the Virtual Engine, that policy handles the prioritization as normal.

Limitations

The following limitations apply to Master Engines and Virtual Engines:
  • To use more than one Virtual Engine role, you must create a separate Master Engine for each Virtual Engine role. Each Master Engine must be on a separate physical Master Engine device.
  • Virtual Firewalls do not support dynamic IP addresses or Wireless Interfaces.
  • If there are multiple administrative Domains, the Master Engine must either belong to the Shared Domain or to the same Domain as the Virtual Engines.
  • Virtual Engines handle only the traffic routed through the Virtual Engine for inspection. All other traffic, including communication between the Virtual Engines and the Secure SD-WAN Manager components, is proxied by the Master Engine. Virtual Engines do not communicate directly with other Virtual Engines.
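The rules stated above (the Domain constraint, the license cap on Virtual Resources, one Virtual Engine per Virtual Resource, one role per Master Engine, and the rate limit versus throughput limit relationship) can be checked before a layout is deployed. The following is an added example written for this page, not code from the product or its API; the element classes, field names and the sample layout are assumptions that model the page's elements, and the limit values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional
SHARED_DOMAIN = "Shared"  # the Shared Domain, visible from every other Domain

@dataclass
class VirtualResource:
    name: str
    rate_limit: Optional[int] = None        # incoming traffic above this is dropped
    throughput_limit: Optional[int] = None  # outgoing traffic above this is queued

@dataclass
class VirtualEngine:
    name: str
    role: str       # e.g. "Firewall"; a Master Engine serves one role only
    domain: str     # administrative Domain of the Virtual Engine
    resource: str   # name of the Virtual Resource it is associated with

@dataclass
class MasterEngine:
    name: str
    domain: str
    licensed_resources: int  # number of Virtual Resources the Engine license allows
    resources: List[VirtualResource] = field(default_factory=list)
    engines: List[VirtualEngine] = field(default_factory=list)

def check_master_engine(me: MasterEngine) -> List[str]:
    """Return the rule violations found; an empty list means the layout is consistent."""
    problems = []
    if len(me.resources) > me.licensed_resources:
        problems.append(f"{me.name}: {len(me.resources)} Virtual Resources but license allows {me.licensed_resources}")
    bound = {}
    for ve in me.engines:
        if me.domain != SHARED_DOMAIN and ve.domain != me.domain:
            problems.append(f"{ve.name}: Domain {ve.domain!r} differs from Master Engine Domain {me.domain!r}")
        bound.setdefault(ve.resource, []).append(ve.name)
    for vr_name, names in bound.items():
        if len(names) > 1:
            problems.append(f"{vr_name}: one Virtual Engine at a time may use it, found {names}")
    if len({ve.role for ve in me.engines}) > 1:
        problems.append(f"{me.name}: mixes Virtual Engine roles; each role needs its own Master Engine")
    for vr in me.resources:
        if None not in (vr.rate_limit, vr.throughput_limit) and vr.rate_limit <= vr.throughput_limit:
            problems.append(f"{vr.name}: rate limit must be much higher than throughput limit")
    return problems

# Constructed sample: a Master Engine in the Shared Domain serving two customer Domains.
EXAMPLE = MasterEngine("master-1", SHARED_DOMAIN, licensed_resources=2,
    resources=[VirtualResource("vr-a", 1000, 200), VirtualResource("vr-b", 200, 200)],
    engines=[VirtualEngine("vfw-a", "Firewall", "Customer-A", "vr-a"),
             VirtualEngine("vfw-b", "Firewall", "Customer-B", "vr-b")])
```

Running `check_master_engine(EXAMPLE)` reports only vr-b, whose rate limit is not higher than its throughput limit.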