I don't think it's a good idea either, but if they want to, they want to.
Personally I don't even think it's a good idea to run a firewall virtualized for real use (for home use, whatever).
for (power) home use this is a must have [[[[:)]]]] and I know what I'm talking about...
I prefer to have one box which run 24/24 and 7/7 with 5 or 6 VM running on it... than 3 or 4 boxes... [[[[:)]]]] (all that VM are not using whole CPUs...)
now in production there are severall interesting use of astaro products into VMs ! astaro is not only a firewall there are some other products which derived from ASG, ie Astaro Mail Gateway, Astaro Command Center, ... For the Mail Gateway this is really interesting to virtualize it... to have 3 or 4 Anti-Spam servers, ...
for the ASG itself, having one physical server and another virtualized ASG in failover mode is quite intersting option at low cost price... and finally for labs this is a must have... to test configs/things this is really a good thing... ok we don't really need paravirtualization for this but should be good enough if we want to do some load testing...
and I did not talked about all xen migration features... [[[[:)]]]]
personnally I would like to have this feature added... even if it's not officially supported...
I'm using xenserver in production and for home use since years... I know a lot about it... any usefull tricks, building kernels that are working great for ubuntu (laters...), things that works, things that does not work... so if you (at astaro side) need for extra testing on that xen side... I will be happy to participate... [[[[:)]]]]
ie: you can have trunked interface (VLANs) working under guest VM, only if the physical interface has no VLANs configured on the xenserver itself and if the guest is fully paravirtualized... so if you want to use vlans under an Asg VM, you need 2 interfaces on the xenserver (1 for admin and xenserver vlans and 1 set in trunk mode onto the switch port to use on the asg side to create vlans) and the VM needs to be paravirtualized.. don't forget you can only create about 8 vlans on xenserver which is a limitation in most of cases (in my case at least)...
