Fortinet black logo

New Features

Isolate CPUs used by DPDK engine 7.0.2

Copy Link
Copy Doc ID 4f6cd3c1-22cb-11eb-96b9-00505692583a:96687
Download PDF

Isolate CPUs used by DPDK engine 7.0.2

To improve DPDK performance, the CPUs that are used by the DPDK engine can be isolated from other services, except for processes that have affinity explicitly set by either a user configuration or by their implementation.

config dpdk cpus
    set isolated-cpus <CPUs>
end

Input CPU IDs or ranges separated by commas, or none to not isolate CPUs for DPDK. For example, enter 1-3,5,6-9 to isolate CPUs 1,2,3,5,6,7,8, and 9.

Both the lower and upper bounds of a range must be explicitly specified. The range of isolated CPU IDs is [1-0], and CPU ID 0 is not allowed. The isolated CPU IDs must be DPDK enabled CPUs.

Reserving CPUs for DPDK may not always produce optimal performance. Users should experiment with a combination that works best for their deployment. For example, on a FortiGate VM with eight CPUs, the following configurations could be used to optimize different deployments:

To optimize CPS with logging to disk (session/sec):
config dpdk cpus
    set rx-cpus "1-1"
    set vnp-cpus "1-7"
    set ips-cpus "1-7"
    set tx-cpus "1-7"
    set isolated-cpus "1-7"
end
To optimize proxy antivirus performance:
config dpdk cpus
    set rx-cpus "1-5"
    set vnp-cpus "1-5"
    set ips-cpus "1-5"
    set tx-cpus "1-5"
    set isolated-cpus "1-5"
end
To optimize proxy DLP performance:
config dpdk cpus
    set rx-cpus "1-5"
    set vnp-cpus "1-5"
    set ips-cpus "1-5"
    set tx-cpus "1-5"
end

Isolate CPUs used by DPDK engine 7.0.2

To improve DPDK performance, the CPUs that are used by the DPDK engine can be isolated from other services, except for processes that have affinity explicitly set by either a user configuration or by their implementation.

config dpdk cpus
    set isolated-cpus <CPUs>
end

Input CPU IDs or ranges separated by commas, or none to not isolate CPUs for DPDK. For example, enter 1-3,5,6-9 to isolate CPUs 1,2,3,5,6,7,8, and 9.

Both the lower and upper bounds of a range must be explicitly specified. The range of isolated CPU IDs is [1-0], and CPU ID 0 is not allowed. The isolated CPU IDs must be DPDK enabled CPUs.

Reserving CPUs for DPDK may not always produce optimal performance. Users should experiment with a combination that works best for their deployment. For example, on a FortiGate VM with eight CPUs, the following configurations could be used to optimize different deployments:

To optimize CPS with logging to disk (session/sec):
config dpdk cpus
    set rx-cpus "1-1"
    set vnp-cpus "1-7"
    set ips-cpus "1-7"
    set tx-cpus "1-7"
    set isolated-cpus "1-7"
end
To optimize proxy antivirus performance:
config dpdk cpus
    set rx-cpus "1-5"
    set vnp-cpus "1-5"
    set ips-cpus "1-5"
    set tx-cpus "1-5"
    set isolated-cpus "1-5"
end
To optimize proxy DLP performance:
config dpdk cpus
    set rx-cpus "1-5"
    set vnp-cpus "1-5"
    set ips-cpus "1-5"
    set tx-cpus "1-5"
end