Get the Most out of Your Security Appliance with Multi-Instance


Most enterprises, colleges and universities, government agencies and MSSPs have deployed a number of stand-alone appliances to segment and secure different departments, data centers and customers over the years. Even though this type of deployment offers needed security, it creates operational and management complexities. In order to improve operational efficiency while dealing with constant changes to IT and network infrastructure, security professionals need to look at more efficient ways to deploy security appliances.

To help our customers increase efficiency and get most out of their security appliances, SonicWall has added multi-instance capability to our latest NSsp 15700 high-end firewall. Here’s how our newest feature will work, and how it compares with its predecessors.

Traditional way of doing things: Multi-tenant

Apart from deploying multiple standalone appliances to achieve segmentation and secure different entities, customers can also use multi-tenant technology. Multi-tenant allows security professionals to logically segment one instance into multiple virtual firewalls on a single security appliance. Those virtual firewalls will share the same physical resources available on the security appliance, such as CPU, memory, and interfaces. Although this method allows improved operational efficiency and the ability to deploy more than one firewall on a single security appliance, it has some limitations:

  • Virtual firewalls need to have the same software version installed — they cannot have independent versions
  • Potential for hardware resource starvation if one of the logical firewalls is oversubscribed
  • Firewall management tenant is shared, leading to configuration limitations

Multi-instance: A new generation multi-tenant

SonicWall has taken a modern approach to legacy multi-tenant with its multi-instance feature, which uses containerized architecture. This new feature enables security professionals to run multiple independent firewall instances on a single security appliance. Each firewall instance is allocated its own hardware resources, including CPU, memory and interfaces, thereby removing any potential for resource starvation.

In a containerized architecture, each firewall instance gets its own container, so they truly act as independent firewalls. This means each instance can have its own version of software, allowing for independent software upgrades and reboots. Management of each instance is done separately for every entity in the enterprise, allowing for customized security policy configuration. Multi-instance firewalling also enables flexible physical and logical interface assignments, which in turn enables simple network configurations. The figure below depicts single- versus multi-instance architecture on a four-CPU physical appliance.

Figure 1: Multi-tenant shares resources between firewall tenants. FW2 is compromised, causing resource starvation for all FW tenants.Figure 2: Multi-instance allocates dedicated resources for each firewall instance. FW2 is compromised but isolated, allowing other instances to function normally.

Multi-instance versus multi-tenant

While the traditional multi-tenant architectures suffer from resource starvation and tenant failures, this is where SonicWall’s multi-instance architecture shines. The table below offers a high-level comparison between the multi-instance and multi-tenant approach.

Modern multi-instanceLegacy multi-tenant
Multiple firewalls on one appliance
Containerized architecture
Complete tenant isolation
Independant software versions
Independant management
Multi-service potential
Single tenant failure resistant
Resource starvation resistant
HA instances

Table 1: Multi-instance versus multi-tenant

Multi-instance firewall will initially be available on the new SonicWall NSsp 15700 in August 2020. SonicWall NSsp is powered by  SonicOSX, which includes many other new features such as unified policy, a new security management platform, new low-end appliance and more. To learn more about SonicWall NSsp, please visit

SonicWall Staff