Let me suggest not virtualizing firewalls, because a multitude of extra things can go wrong on cold startup. Like VMs not starting because storage took a while longer and you didn't bother to automate recovery in some VMware solution. Wrong defaults on boot that no longer let PPPoE frames pass out an interface. Booting the firewall VM on a cluster host that does not have the DSL modem or fiber link connected. Misconfigured switch topologies, etc. Also think of lightning. A virtualized firewall means something going to your house, like two copper wires, will need to be awfully close to your server electrically. If some cheap firewall hardware gets a port fried, oh well, use the cold standby. Of course you could always build a 4G/5G back-entry with a separate router, but who does? Once power or the link comes back, the firewall has to come back up and forward packets. Overly complicated setups here are the enemy of reliability.
With regard to state level actors, the trick in 99.999% of cases is to not be a target in the first place. I.e., if Snowden were to drop another cache, don't download it or participate in a torrent. Just don't. Same with some 1.9M-entry no-fly list that someone downloaded from the FBI. Others will, and report on findings. Because didn't you suspect since at least 2013 anyway that every packet of data from your premises to the outside is fair game to really anybody who cares? Maybe you're a journalist for hot topics that aggravate people in power? I suggest learning a different profession, because your employer can't and won't protect you; their duty is to sell ads and make payroll. Same with arms or drug trafficking, just get a job at the CIA and do it legally. /sarcasm In the very unlikely event that you are on some kind of jihad, well, can't help you with that, son. But those are the groups of people that should concern themselves with "state level actors". Are you among them? (I guess the last one is a trick question)
Anyhow. Protecting against well-funded state level actors is pretty much impossible, as long as you are connected to the outside world. Because anything and everything has flaws that could be exploited, if you are a high enough value target. The Empire has deep enough pockets to just buy any exploit for whatever device you have. Or let somebody else buy it and use it for them, see Pegasus in recent news. From the Qualcomm baseband in your phone, to your Chromium-based browser, to that Windows app which keeps downloading and installing unsigned binaries, to that device you have which keeps installing signed drivers but which have a gaping hole allowing anybody to be SYSTEM.
Btw, ESXi is used by state-level actors in some "diode" aka malicious packet injection traffic redirection setups, going by reports in The Guardian from back in 2013 or 2014. Edward told them. All in all it seems pretty tight, if you patch known flaws regularly I guess. Really the least of your worries, they sell to governments a lot and a malicious backdoor would put them out of business. They are still in business and even Dell couldn't change that.
My personal opinion on firewalls is that everything with a web GUI is doomed. The only externally reachable open port should be SSH on a non-standard port and from a whitelisted source IP range, and/or a single UDP port for OpenVPN or WireGuard. To avoid falling victim to security theater monocultures, you should also roll your own firewall setup script on boot with Before=network-pre.target and DefaultDependencies=no if you are into systemd, and a stop command on the service that just does nothing. If you choose iptables, you could block on INPUT any new connections from the ISC SANS research list (hxxps://isc.sans.edu/api/threatcategory/research/?text) so your box almost never shows up on Shodan et al. You should also block the most aggressive comrades from the dshield list (hxxps://isc.sans.edu/block.txt). Insert into ipsets and reload once a day automatically, after aggregate6.py treatment. The solution you picked should also be able to block and log any device you have based on its MAC address, never mind what protocol it uses, because what business does your wifi-enabled light bulb or printer have reporting back to its true owner how you are using them? Many devices have no business talking with the Internet at all. If the product you choose has all that, very good, probably a keeper.
Did you also consider that most exploits these days are written for x86 (PCs, Macs) and ARM (Android, Apple)? These won't work on SPARC or POWER, providing extra protection through non-monocultural obscurity. A SPARC T2 server is only 500 fiat on eBay these days and nobody sane would write exploits for such a system. OpenBSD has a nice list: hxxps://www.openbsd.org/sparc64.html, Gentoo also has a nice selection of supported architectures. My ranking from vulnerable to more secure would be: x86 < ARM < MIPS64 (Octeon) < POWER8/9 (IBM or Raptor) < SPARC (Sun/Oracle).
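The ipset/iptables setup the post sketches (daily block list into an ipset, NEW connections dropped on INPUT, one device blocked by MAC), as an added example that is not the poster's own script: it turns a block list in the DShield block.txt layout, assumed here to be tab-separated with start address, end address and mask-bit columns, into `ipset restore` input via a temporary set and an atomic swap, and prints the matching rules. The set name, chain name, sample addresses and MAC address are placeholders.

```shell
#!/bin/sh
# Added example, not the poster's own script. Turns a block list in the
# DShield block.txt layout into `ipset restore` input and prints the
# iptables rules the post describes. Assumed format: tab-separated
# columns, the first three being start address, end address, mask bits.
# Nothing here touches the live firewall; it only writes text.

SET_NAME="dshield_block"   # live set, created once at boot:
                           #   ipset create "$SET_NAME" hash:net -exist

# Read block.txt on stdin, write ipset restore commands on stdout.
# Entries go into a temporary set that is then swapped in, so the live
# set is never empty while a reload runs (the swap is atomic).
blocklist_to_ipset() {
    printf 'create %s_tmp hash:net family inet\n' "$SET_NAME"
    awk -F'\t' -v set="${SET_NAME}_tmp" '
        /^#/ || NF < 3               { next }   # comments, malformed lines
        $1 !~ /^[0-9.]+$/            { next }   # start must look like IPv4
        $3 !~ /^[0-9]+$/ || $3 > 32  { next }   # mask bits must be 0..32
        { printf "add %s %s/%s\n", set, $1, $3 }
    '
    printf 'swap %s_tmp %s\ndestroy %s_tmp\n' "$SET_NAME" "$SET_NAME" "$SET_NAME"
}

# iptables rules from the post: drop NEW inbound connections whose source
# is in the set, and drop (and log) one LAN device by MAC address no
# matter which protocol it speaks. The MAC is a placeholder.
firewall_rules() {
    cat <<EOF
iptables -N LOGDROP
iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
iptables -A LOGDROP -j DROP
iptables -I INPUT -m conntrack --ctstate NEW -m set --match-set $SET_NAME src -j LOGDROP
iptables -I FORWARD -m mac --mac-source 00:11:22:33:44:55 -j LOGDROP
EOF
}

# Constructed sample in block.txt layout (start, end, mask, attacks,
# name, country, contact); the last line is deliberately malformed.
SAMPLE_BLOCKLIST="$(printf '# constructed sample
203.0.113.0\t203.0.113.255\t24\t1234\tExample Net\tZZ\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t99\tExample Two\tZZ\tabuse@example.org
garbage line without tabs\n')"

main() {
    printf '%s\n' "$SAMPLE_BLOCKLIST" | blocklist_to_ipset   # then: ipset restore
    firewall_rules
}
main
```

In the daily reload, the real list would be piped through aggregate6 and then `ipset restore` before this script's output; here the output is only printed.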