First vShield Zones is different than VMsafe. The way I understand it is the vShield Zones is like your border security but inside of the vSphere. It divides and segregates networks and virtual machines. The VMsafe is end point protection built into the kernel. Reflex has the first VMsafe certified appliance but I have not had a chance to try it yet. (Need more hardware hint hint)

The User Guide talks about downloading an appliance but you actually download an ISO then run an installer that unzips a folder with the 2 appliances. One is the vShield Zones Manager and the other is the actual firewall. The extra step of using the ISO image was annoying buy I guess I am just a whiner. On a super basic level, (I am not here to re-write the user guide) Import the appliance for the manager then import the firewall. Convert the firewall into a template. The Manager appliance takes care of the rest. Note: Internet Explorer 8 and the Manager Web UI don’t work. I used IE 7 just fine.

1. You won’t get this far in IE8
2. Deploying the vShield is straight forward. It creates new vSwitches and port groups and the Manager UI indicates which network is protected and unprotected. This is not in Virtual Center still in the Web Interface.
3. 
4. As you deploy the vShield enjoy watching the tasks in vCenter.
   

All things considered it is a good product I don’t have enough throughput on my little lab machine to really test any impact using vShields would have on performance. If you are a Service Provider I think it would be a great add on to ensure some separation of virtuals.

Related posts:

1. Upgrade to vSphere already
2. Secure to the Hosted VM
3. ESX Commands – esxcfg-firewall