Best Practices
- Last Updated: April 8, 2025
Review the following best practices before deploying MOVEit WAF on VMware:
- Configure an existing or new load balancing port group for the relevant VLAN to avoid port flooding
- Use the VMXNET3 network adapter type when deploying the virtual machine
Note: Reordering happens only when using 4 or more VMXNET3 network adapters. This issue does not occur if using e1000 network adapters.
- When using High Availability (HA), ensure that MAC address changes and Forged transmits are both set to Accept. Ensure this is forced (hard coded) on the port group, as any changes to the vSwitch will affect all port groups by default.
Note: Starting with vSphere version 7.0, MAC Address Changes and Forged Transmits are set to Reject by default; in previous vSphere releases, these parameters were set to Accept by default. While it has always been a step in the VMware HA configuration process to ensure that these parameters are set to Accept for MOVEit WAF, extra care is needed with vSphere version 7.0 and later releases. To mitigate security concerns about changing these default values, create a separate management plane subnet for MOVEit WAF HA using a dedicated vSwitch or separate port groups.
- When using HA with the MOVEit WAF machines on different hosts, set the Notify Switches option to No to prevent RARP packets from being sent every time a virtual machine is powered on.
Note: vMotion and snapshotting are not supported.
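One way to apply and verify the port group settings described above with VMware PowerCLI. This is an added example, not part of the vendor documentation. It assumes an existing Connect-VIServer session and standard (not distributed) vSwitches; the host, port group and VM names are placeholders.

```powershell
# Added example. Placeholder names: replace with your own host, port group and VM.
$vmHost  = Get-VMHost -Name 'esxi01.example.internal'
$haGroup = 'WAF-HA'          # dedicated port group carrying MOVEit WAF HA traffic
$wafVm   = 'moveit-waf-01'

$pg = Get-VirtualPortGroup -VMHost $vmHost -Name $haGroup -Standard

# Set both values explicitly on the port group so they override the vSwitch
# (vSphere 7.0 and later default to Reject).
$pg | Get-SecurityPolicy |
    Set-SecurityPolicy -MacChanges $true -ForgedTransmits $true | Out-Null

# Notify Switches = No, so a power-on does not trigger RARP packets.
$pg | Get-NicTeamingPolicy |
    Set-NicTeamingPolicy -NotifySwitches $false | Out-Null

# Read the policies back and collect anything that does not match the guidance.
$pg   = Get-VirtualPortGroup -VMHost $vmHost -Name $haGroup -Standard
$sec  = $pg | Get-SecurityPolicy
$team = $pg | Get-NicTeamingPolicy
$problems = @()
if (-not $sec.MacChanges)          { $problems += 'MAC address changes is Reject' }
if (-not $sec.ForgedTransmits)     { $problems += 'Forged transmits is Reject' }
if ($sec.MacChangesInherited)      { $problems += 'MAC address changes is inherited from the vSwitch' }
if ($sec.ForgedTransmitsInherited) { $problems += 'Forged transmits is inherited from the vSwitch' }
if ($team.NotifySwitches)          { $problems += 'Notify Switches is still Yes' }

# The relaxed settings should stay confined to the HA port group: report
# any other port group on this host that also accepts them.
foreach ($other in Get-VirtualPortGroup -VMHost $vmHost -Standard) {
    if ($other.Name -eq $haGroup) { continue }
    $p = $other | Get-SecurityPolicy
    if ($p.MacChanges -or $p.ForgedTransmits) {
        $problems += "Port group '$($other.Name)' also accepts MAC changes or forged transmits"
    }
}

# The WAF virtual machine should use VMXNET3 adapters only.
foreach ($nic in Get-NetworkAdapter -VM $wafVm) {
    if ($nic.Type -ne 'Vmxnet3') {
        $problems += "$($nic.Name) is type $($nic.Type), expected Vmxnet3"
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Output "Port group '$haGroup' matches the HA guidance." }
```

On releases earlier than vSphere 7.0 the other port groups accept these settings by default, so expect them to be listed until they are tightened or the HA traffic is moved to its own vSwitch.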