Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Hyperscale Firewall Guide

Creating hyperscale firewall VDOMs

VDOMs in which you will be enabling hyperscale firewall features must be created with a special VDOM name that also includes a VDOM ID. The VDOM ID is used by FortiOS to create a kernel VDOM_ID for the VDOM that NP7 processors use to track hyperscale firewall sessions for that VDOM.

Note

The number of hyperscale firewall VDOMs that you can create, depends on your hyperscale firewall license and is controlled by the following configuration option

config system global

set hyper-scale-vdom-num <vdom-id-num>

end

By default <vdom-id-num> is set to the maximum number of hyperscale VDOMs that the FortiGate is licensed for. You can manually change the <vdom-id-num> if you want to limit the number of hyperscale VDOMs that can be created. The <vdom-id-num> range is 1 to 250.

Use the following syntax to create a hyperscale firewall VDOM:

config vdom

edit <name>-hw<vdom-id>

end

Where:

<name> is a string that can contain any alphanumeric upper or lower case characters and the - and _ characters. The name cannot contain spaces and you should not use -hw in the name.

<vdom-id> a VDOM ID number in the range from 1 to <vdom-id-num>. For example, if your FortiGate is licensed for 250 hyperscale firewall VDOMs, if you haven't used the hyper-scale-vdom-num option to change the number of hyperscale firewall VDOMs, <vdom-id> can be from 1 to 250. Each hyperscale firewall VDOM must have a different <vdom-id>.

When you add a new hyperscale firewall VDOM with a <vdom-id>, FortiOS calculates the kernel VDOM_ID using the following formula:

kernel VDOM_ID = 501 - <vdom-id>

If you include leading zeros in the <vdom-id>, the kernel removes them when creating the ID. So avoid using leading zeros in the <vdom-id> to keep from accidentally creating duplicate IDs.

The VDOM name, including the <string>, -hw, and <vdom-id> can include up to 11 characters. For example, the VDOM name GCN-1-hw23 is valid but GCN-1234-hw23 is too long.

When you create a new hyperscale firewall VDOM, the CLI displays an output line that includes the VDOM name followed by the kernel VDOM_ID. For example:

config vdom

edit Test01-hw150

current vf=Test01-hw150:351

In this example, the kernel VDOM_ID is 351.

Another example:

config vdom

edit Test02-hw2

current vf=Test02-hw2:499

In this example, the kernel VDOM_ID is 499.

When you create a VDOM from the CLI, the new hyperscale VDOM becomes the current VDOM. The new hyperscale firewall VDOM may not appear in the VDOM list on the GUI until you log out of the GUI and then log back in.

Creating hyperscale firewall VDOMs

VDOMs in which you will be enabling hyperscale firewall features must be created with a special VDOM name that also includes a VDOM ID. The VDOM ID is used by FortiOS to create a kernel VDOM_ID for the VDOM that NP7 processors use to track hyperscale firewall sessions for that VDOM.

Note

The number of hyperscale firewall VDOMs that you can create, depends on your hyperscale firewall license and is controlled by the following configuration option

config system global

set hyper-scale-vdom-num <vdom-id-num>

end

By default <vdom-id-num> is set to the maximum number of hyperscale VDOMs that the FortiGate is licensed for. You can manually change the <vdom-id-num> if you want to limit the number of hyperscale VDOMs that can be created. The <vdom-id-num> range is 1 to 250.

Use the following syntax to create a hyperscale firewall VDOM:

config vdom

edit <name>-hw<vdom-id>

end

Where:

<name> is a string that can contain any alphanumeric upper or lower case characters and the - and _ characters. The name cannot contain spaces and you should not use -hw in the name.

<vdom-id> a VDOM ID number in the range from 1 to <vdom-id-num>. For example, if your FortiGate is licensed for 250 hyperscale firewall VDOMs, if you haven't used the hyper-scale-vdom-num option to change the number of hyperscale firewall VDOMs, <vdom-id> can be from 1 to 250. Each hyperscale firewall VDOM must have a different <vdom-id>.

When you add a new hyperscale firewall VDOM with a <vdom-id>, FortiOS calculates the kernel VDOM_ID using the following formula:

kernel VDOM_ID = 501 - <vdom-id>

If you include leading zeros in the <vdom-id>, the kernel removes them when creating the ID. So avoid using leading zeros in the <vdom-id> to keep from accidentally creating duplicate IDs.

The VDOM name, including the <string>, -hw, and <vdom-id> can include up to 11 characters. For example, the VDOM name GCN-1-hw23 is valid but GCN-1234-hw23 is too long.

When you create a new hyperscale firewall VDOM, the CLI displays an output line that includes the VDOM name followed by the kernel VDOM_ID. For example:

config vdom

edit Test01-hw150

current vf=Test01-hw150:351

In this example, the kernel VDOM_ID is 351.

Another example:

config vdom

edit Test02-hw2

current vf=Test02-hw2:499

In this example, the kernel VDOM_ID is 499.

When you create a VDOM from the CLI, the new hyperscale VDOM becomes the current VDOM. The new hyperscale firewall VDOM may not appear in the VDOM list on the GUI until you log out of the GUI and then log back in.