I just thought I would reply back to my own thread with what my team and I have come up with. While I have marked this as "Solved", don't get too excited; it is not exactly the resolution we were looking for, but is acceptable nonetheless. After some further digging around, we found that it is possible to pass hardware (including a NIC) through to a guest. Unfortunately, this renders the guest unable to be migrated to another host automatically. In a single-server setup (which many of our clients' setups are via VMware, currently0, this would not make a difference, since there is no other host to migrate to anyway. Son in those cases, not much changes. For multi-server setups, we have two choices: 1.) Forgo the virtual firewall and purchase a "Lanner" or similar hardware to install the firewall onto. Since a multi-server setup (at least two server + SAN) typically runs a minimum of $10K-$15K in hardware alone, an addition $300 or so for the "Lanner" (or similar hardware) would not increase the overall cost of the project in a significant way. (This option could of course be used in a single-server setup as well, but hardware cost is usually more of a factor with these setups for our clients) 2.) Setup a firewall guest on two of the hosts, and configure them in an active-passive fashion. As long as both of the hosts with the firewall VMs do not go down at the same time, then there should not be an issue. If a host with a firewall VM goes down, the other firewall VM will take over. So, those are the "work-arounds" that we have come up with (nothing new to anyone here, I am sure) until such time as "OpenVSwitch" gets adopted into oVirt/RHEV as either an easy-to-enable option, or as the standard/default switch. Anyway, this post was really more of a "closure" post so anyone coming across this thread in the future does not wonder what the ultimate outcome was. :-) -Alan