
KVM Administration Guide

Hypervisor and OS tuning

The kernel component of KVM has been included in mainline Linux since version 2.6.20, and the userspace component has been included in mainline QEMU since version 1.3. The deployment discussed here uses both KVM components, together with the libvirt tool “virsh” to manage the virtual machines. In practice, far later versions than these minimums are used.

You should consult the FortiOS Release Notes for Fortinet's recommended Linux versions. This document records the steps taken on Red Hat Enterprise Linux 8 to create a performant FortiGate-VM deployment; they outline what is needed on any KVM-based deployment, regardless of the Linux distribution chosen.

Note

Fortinet does not provide support for the hypervisor or the OS, so deviating from the release note recommendations is not in itself a cause for concern. However, Fortinet support staff may be less familiar with such configurations.

The NIC is probably the most important consideration for a performant firewall: network I/O must be handled correctly and efficiently. The main considerations, covered in more detail later in this document, are:

  • Traffic NICs should support SR-IOV. PCI passthrough is an alternative, but it offers little flexibility.
  • Avoid OEM-branded NICs. For example, a Dell-branded Intel XXV710 NIC may not have the required firmware version available, so a working solution cannot be achieved with it.
  • The number of NIC ports, and thus the number of network queues/buffers used for traffic, matters for a FortiGate-VM deployment without vSPU: choose them so that the CPUs can be used effectively.

Note

The kernel, QEMU, virsh, and NIC vendor and firmware/driver versions are typically outside Fortinet's deployment scope, but they are important for a stable and performant solution, so choose these versions with due care. They are the first things to check if performance is suboptimal or if the deployment unexpectedly does not function as designed.
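As an added example (not part of the Fortinet guide), the following POSIX shell script gathers the items the note above says to check first: the kernel, QEMU and virsh versions, the presence of /dev/kvm, and for each traffic NIC the driver, firmware and bus address from `ethtool -i` plus the SR-IOV capability exposed by the sysfs attribute `sriov_totalvfs`. The version floor it checks against is only the mainline-inclusion point the text cites (kernel 2.6.20, QEMU 1.3), not Fortinet's recommendation from the Release Notes. The interface names, the sample `ethtool -i` output and the sysfs tree it demonstrates against are constructed.

```shell
#!/bin/sh
# Added pre-flight check for a KVM host that will run FortiGate-VM (example
# code, not from the Fortinet guide). Minimum versions are the mainline
# inclusion points the text cites (kernel 2.6.20, QEMU 1.3); the versions
# Fortinet actually recommends must come from the FortiOS Release Notes.
# Interface names, the sample ethtool output and the fake sysfs tree below
# are constructed for the demonstration.

# version_ge A B: succeed if dotted version A is >= B, comparing numerically
# component by component. Non-numeric suffixes ("0-305.el8", "20-rc1") are
# dropped by awk's string-to-number conversion.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_kvm_baseline KERNEL QEMU: both components at or above the versions in
# which KVM support entered mainline.
check_kvm_baseline() {
    version_ge "$1" 2.6.20 && version_ge "$2" 1.3
}

# ethtool_field OUTPUT FIELD: value of one "field: value" line from the text
# of `ethtool -i <iface>`, e.g. driver, firmware-version or bus-info.
ethtool_field() {
    printf '%s\n' "$1" |
        awk -F': ' -v f="$2" '$1 == f { sub(/^[^:]*: */, ""); print; exit }'
}

# sriov_totalvfs IFACE: how many VFs the physical function can expose; 0 when
# the NIC, driver or firmware offers no SR-IOV. SYSFS_NET can be pointed at a
# constructed tree so the function is testable without real hardware.
sriov_totalvfs() {
    f="${SYSFS_NET:-/sys/class/net}/$1/device/sriov_totalvfs"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# report_host IFACE...: run the checks against the real host. Every external
# tool is guarded so the function degrades gracefully where one is missing.
report_host() {
    echo "kernel: $(uname -r)"
    if [ -c /dev/kvm ]; then
        echo "/dev/kvm: present"
    else
        echo "/dev/kvm: MISSING (kvm module not loaded or VT-x/AMD-V disabled)"
    fi
    for q in qemu-system-x86_64 /usr/libexec/qemu-kvm; do   # RHEL ships the latter
        if command -v "$q" >/dev/null 2>&1; then
            echo "qemu: $("$q" --version | head -n 1)"
            break
        fi
    done
    if command -v virsh >/dev/null 2>&1; then
        echo "virsh: $(virsh --version)"
    fi
    for dev in "$@"; do
        info=$(ethtool -i "$dev" 2>/dev/null) || continue
        echo "$dev: driver=$(ethtool_field "$info" driver)" \
             "firmware=$(ethtool_field "$info" firmware-version)" \
             "bus=$(ethtool_field "$info" bus-info)" \
             "sriov_totalvfs=$(sriov_totalvfs "$dev")"
    done
    return 0
}

# ---- constructed demonstration data (not captured from a real host) ----
SAMPLE_ETHTOOL='driver: i40e
version: 4.18.0-305.el8.x86_64
firmware-version: 8.30 0x8000a4ae 1.2926.0
bus-info: 0000:3b:00.0'

FAKE_SYSFS=$(mktemp -d)
trap 'rm -rf "$FAKE_SYSFS"' EXIT
mkdir -p "$FAKE_SYSFS/ens1f0/device" "$FAKE_SYSFS/eno1/device"
echo 64 > "$FAKE_SYSFS/ens1f0/device/sriov_totalvfs"    # PF with SR-IOV
SYSFS_NET="$FAKE_SYSFS"                                  # eno1 gets no such file

if check_kvm_baseline 4.18.0-305.el8.x86_64 4.2.0; then
    echo "kernel/qemu baseline: ok"
fi
echo "ens1f0: driver=$(ethtool_field "$SAMPLE_ETHTOOL" driver)" \
     "firmware=$(ethtool_field "$SAMPLE_ETHTOOL" firmware-version)" \
     "sriov_totalvfs=$(sriov_totalvfs ens1f0)"
echo "eno1: sriov_totalvfs=$(sriov_totalvfs eno1) (not usable for SR-IOV traffic)"
```

On the host itself, source the script and call `report_host` with the real traffic interfaces, for example `report_host ens1f0 ens1f1`. A `sriov_totalvfs` of 0 on a card that should support SR-IOV points at the firmware/driver combination or at SR-IOV being disabled in the server firmware, which is exactly the set of items the note says to examine first.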
