IBM Cloud Docs
Known limitations with Hardware Firewall

Known limitations with Hardware Firewall

Review limitations when you work with your Hardware Firewall.

A Hardware Firewall cannot be deployed to a server on a VLAN that meets any of the following criteria.

  • Is associated with a Network Gateway, Hardware Firewall, or FortiGate Security Appliance.
  • Contains 30 or more servers.
  • Has a primary subnet that is larger than a /28.
  • Contains a bare-metal server that hosts a gateway, such as a Juniper vSRX or VRA, as these servers are deployed on a transit VLAN.

In these instances, a new VLAN must be established for the Firewall or another product must be selected.

Further limitations for the Hardware Firewall include:

  • Portable subnets are not protected
  • Not available for 10 Gb servers
  • Maximum of 79 firewall rules per Hardware Firewall
  • Incompatible with Windows network load balancing due to the way ARP is processed
  • The rule destination subnet is limited to the public IP of the protected server.
  • The VLAN for the primary public IP that is protected by the hardware firewall cannot be associated or routed through another gateway, such as a Juniper vSRX or VRA.