Fortinet white logo
Fortinet white logo

VMware ESXi Administration Guide

Enhancing FortiGate-VM performance with DPDK and vNP offloading

Enhancing FortiGate-VM performance with DPDK and vNP offloading

DPDK and vNP enhance FortiGate-VM performance by offloading part of packet processing to user space while using a kernel bypass solution within the operating system. You must enable and configure DPDK with FortiOS CLI commands.

FortiOS 7.4 supports DPDK for VMware ESXi environments.

FortiOS 7.4 supports IPv6.

The current DPDK+vNP offloading-capable version of FortiOS only supports FortiGate instances with multiple vCPUs. Minimum required RAM sizes differ from those on regular FortiGate-VM models without offloading. Allocating as much RAM size as the licensed limit for maximum performance, as shown, is recommended. FortiOS 7.4 does not restrict RAM size by license. Therefore, you can allocate as much memory as desired on 7.4-based DPDK-enabled FortiGate-VMs:

Model name

RAM size (licensed limit)

FG-VM02(v)

No restriction

FG-VM04(v)

No restriction

FG-VM08(v)

No restriction

FG-VM16(v)

No restriction

FG-VM32(v)

No restriction

You can enable DPDK up to 64 vCPUs.

Note

FortiOS supports encrypted traffic for IPsec VPN and not for SSL VPN. Disabling the DPDK option using the CLI or adopting regular FortiGate-VM builds is recommended when using SSL VPN features. For encrypted traffic support for IPsec VPN with DPDK, FortiOS also adds support for the following:

  • CBC cipher suite
  • Increasing maximum number of IPsec VPN tunnels
  • Terminating tunnel on LAG
Note

Enabling DPDK+vNP offloading may result in fewer concurrent sessions when under high load than when DPDK+vNP offloading is not enabled and the same FortiGate-VM license is used.

Note

Enabling DPDK in polling mode results in high CPU usage.

Enhancing FortiGate-VM performance with DPDK and vNP offloading

Enhancing FortiGate-VM performance with DPDK and vNP offloading

DPDK and vNP enhance FortiGate-VM performance by offloading part of packet processing to user space while using a kernel bypass solution within the operating system. You must enable and configure DPDK with FortiOS CLI commands.

FortiOS 7.4 supports DPDK for VMware ESXi environments.

FortiOS 7.4 supports IPv6.

The current DPDK+vNP offloading-capable version of FortiOS only supports FortiGate instances with multiple vCPUs. Minimum required RAM sizes differ from those on regular FortiGate-VM models without offloading. Allocating as much RAM size as the licensed limit for maximum performance, as shown, is recommended. FortiOS 7.4 does not restrict RAM size by license. Therefore, you can allocate as much memory as desired on 7.4-based DPDK-enabled FortiGate-VMs:

Model name

RAM size (licensed limit)

FG-VM02(v)

No restriction

FG-VM04(v)

No restriction

FG-VM08(v)

No restriction

FG-VM16(v)

No restriction

FG-VM32(v)

No restriction

You can enable DPDK up to 64 vCPUs.

Note

FortiOS supports encrypted traffic for IPsec VPN and not for SSL VPN. Disabling the DPDK option using the CLI or adopting regular FortiGate-VM builds is recommended when using SSL VPN features. For encrypted traffic support for IPsec VPN with DPDK, FortiOS also adds support for the following:

  • CBC cipher suite
  • Increasing maximum number of IPsec VPN tunnels
  • Terminating tunnel on LAG
Note

Enabling DPDK+vNP offloading may result in fewer concurrent sessions when under high load than when DPDK+vNP offloading is not enabled and the same FortiGate-VM license is used.

Note

Enabling DPDK in polling mode results in high CPU usage.