I wondered the same thing.

Virtual Firewalls on a Cisco 5585-X for example - are they Firewall Hardware (cmdb_ci_firewall_network) or IP Firewalls (cmdb_ci_ip_firewall)?

I'd guess that while Firewall Hardwares would usually have a serial number, IP Firewalls may not and therefore may be a better fit.

Both classes are derived from the Netgear class and both seem to have the exact same columns. (I don't currently have perms to see the columns available for each class despite being a discovery admin but I can see what columns are available in list format).

In our dev environment, I discovered a virtual firewall with the oid being classified as a Firewall Hardware. Then when discovery completed, I changed the oid to be classified as an IP Firewall and rediscovered it.

Looking at the History for that CI, the only difference I see from the second discovery is the Class change which is what I expected.

So - I guess they're fairly interchangeable but that 'Firewall Hardware' better suits a hardware device with a serial and IP Firewalls better suit anything else.

What for me would also be helpful is a way to relate a virtual firewall to the physical device or cluster that hosts it. I'm not sure there's any inbuilt way to do it and there doesn't seem to be any referencing oids in an snmpwalk of a virtual firewall and its host hardware/cluster.

They both extend Network Gear which extends Hardware, so... <shrug/>

I guess the best thing you can say is that out of box there are 131 SNMP OIDs for IP Firewall, and only 4 for Firewall Hardware.  So I'm going with IP Firewall!

We have a requirement to manage firewall rules, could this be done also with the CI-Type cmdb_ci_ip_firewall ?