After Multi-Instance (MI) is enabled in the Root Instance (RI), you can configure and launch multiple instances. Each instance is an independent virtual firewall with its own routing table, policy configuration, licenses and security services.
Licenses of Multi-Instances are inherited from the Root Instance. For example, if you are using Deep Packet Inspection (DPI) and the Root Instance had acquired a DPI license before the Multi-Instance was added, the Multi-Instance needs no further operations; it already has this license. If the Multi-Instance is added first and the Root Instance then acquires the DPI license, the Multi-Instance must be manually synchronized with the Root Instance's DPI license by clicking Sync on the License screen.
Each instance can be configured with the required number of cores based on the use case. Currently, each virtual firewall supports up to eight Data Path (DP) cores and two Control Path (CP) cores.
Each instance virtual firewall is accessed through its DHCP-enabled X1 WAN interface. The instance user interface can also be accessed by way of X0 when the instance's X0 mapping is set up with an accessible static IP, gateway, and subnet, is accessible to the RI front panel port, and the VLAN mapping is properly set.
Each instance virtual firewall can be accessed through its DHCP-enabled X1 WAN interface or Static X1 WAN interface.
The following figure shows the multi-instance screen with five instances added.
The Root Instance (RI) serves as the console through which all the instances are deployed. The RI allows the user to add instances, start the service, stop the service and delete the instance. Each instance added through the Add Instance dialog is stored in the RI. This allows the user to add as many instances as possible; however, there is a limit on the number of instances that can be launched because of CPU core and license availability.
To add an instance, click Multi-Instance | Instances, and then click +Add. A dialog box pops up.
There is a limit on the number of instances that can be launched because of CPU core availability and total Instance Licenses available in the system.
Before completing this step, upload the Instance Firmware from the Multi-Instance > Firmware page. A typical Multi-Instance setup workflow is:
Enable Multi-Instances
Add Instance Dialog Box
In the +Add dialog, all the fields must be populated:
When completed, click Next. The dialog moves to the interface mapping stage:
Set up interfaces for the instance by mapping each of X0, X1, X2...X7 to a physical interface from the drop-down menu. The drop-down menu shows only those front panel ports that were reserved for instances. For each interface, provide a unique VLAN. In setting VLAN IDs:
Each instance can be configured with a default X0 IP address and default X1 IP (static/DHCP).
After configuration is complete, click Next.
In order to launch the instance, click Start on the Actions drop-down menu. The instance can be stopped using Stop and restarted using Reboot.
To change the configuration of an instance
Stop and Edit buttons under Action on Instance Display
The firmware for launching the instances has to be pre-loaded using the RI. On the DEVICE | Multi-Instance > Firmware page, upload the ACI file as shown.
Uploading Instance Firmware
After the file is uploaded, the firmware appears as a choice in the Add/Edit Instance dialog.
The instance firmware is not the same as the root firewall firmware. This instance firmware is exclusive to instances only.
After the upload is successful, the installation takes about two to five minutes. Wait until the Status column shows Inactive on the Instance Firmware page.
The steps for upgrading firmware for an instance are:
To Upgrade Instance Firmware