
Hyperscale Firewall Guide

Creating hyperscale firewall VDOMs

VDOMs in which you will be enabling hyperscale firewall features must be created with a special VDOM name that also includes a VDOM ID. The VDOM ID is used by FortiOS to create a kernel VDOM_ID for the VDOM that NP7 processors use to track hyperscale firewall sessions for that VDOM.

Note

The number of hyperscale firewall VDOMs that you can create depends on your hyperscale firewall license and is controlled by the following configuration option:

config system global

set hyper-scale-vdom-num <vdom-id-num>

end

By default <vdom-id-num> is set to the maximum number of hyperscale VDOMs that the FortiGate is licensed for. You can manually change the <vdom-id-num> if you want to limit the number of hyperscale VDOMs that can be created. The <vdom-id-num> range is 1 to 250.

Use the following syntax to create a hyperscale firewall VDOM:

config vdom

edit <name>-hw<vdom-id>

end

Where:

<name> is a string that can contain any alphanumeric upper or lower case characters and the - and _ characters. The name cannot contain spaces and you should not use -hw in the name.

<vdom-id> is a VDOM ID number in the range from 1 to <vdom-id-num>. For example, if your FortiGate is licensed for 250 hyperscale firewall VDOMs and you haven't used the hyper-scale-vdom-num option to reduce that number, <vdom-id> can be from 1 to 250. Each hyperscale firewall VDOM must have a different <vdom-id>.

Note

If you don't use the format <name>-hw<vdom-id> when creating a hyperscale firewall VDOM, the CLI blocks you from setting the config system settings policy-offload-level option to full-offload, so the VDOM can't operate as a hyperscale VDOM.

The CLI blocks you from creating a VDOM with a <vdom-id> that is outside the VDOM ID range configured by the hyper-scale-vdom-num option. So you can't use this name format to create a normal VDOM with a <vdom-id> that is outside the configured VDOM ID range.

If you create a VDOM using the <name>-hw<vdom-id> naming convention but do not enable full-offload, the VDOM can operate as a normal VDOM; however, this configuration is not recommended.

When you add a new hyperscale firewall VDOM with a <vdom-id>, FortiOS calculates the kernel VDOM_ID using the following formula:

kernel VDOM_ID = 501 - <vdom-id>

If you include leading zeros in the <vdom-id>, the kernel removes them when creating the ID. So avoid using leading zeros in the <vdom-id> to keep from accidentally creating duplicate IDs.

The VDOM name, including the <name>, -hw, and <vdom-id>, can include up to 11 characters. For example, the VDOM name CGN-1-hw23 is valid but CGN-1234-hw23 is too long.

When you create a new hyperscale firewall VDOM, the CLI displays an output line that includes the VDOM name followed by the kernel VDOM_ID. For example:

config vdom

edit Test-hw150

current vf=Test-hw150:351

In this example, the kernel VDOM_ID is 351.

Another example:

config vdom

edit Test02-hw2

current vf=Test02-hw2:499

In this example, the kernel VDOM_ID is 499.

When you create a VDOM from the CLI, the new hyperscale VDOM becomes the current VDOM. The new hyperscale firewall VDOM may not appear in the VDOM list on the GUI until you log out of the GUI and then log back in.
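As an added example (not FortiOS code and not part of this guide), the following Python pre-checks a proposed VDOM name against the rules above before you type it into the CLI: it enforces the <name>-hw<vdom-id> form, the 11-character limit and the 1 to hyper-scale-vdom-num range, derives the kernel VDOM_ID with 501 - <vdom-id>, flags leading-zero names that would collapse onto an ID already in use, and parses the "current vf=" line the CLI prints. The default of 250 for hyper-scale-vdom-num, the character-class regex and the exact shape of the CLI output line are assumptions taken from the text.

```python
import re
# Rules from the page: <name> is letters, digits, '-' and '_' with no '-hw'
# inside it; suffix -hw<vdom-id>; whole name <= 11 chars; <vdom-id> in
# 1..hyper-scale-vdom-num; kernel VDOM_ID = 501 - <vdom-id>, zeros stripped.
NAME_RE = re.compile(r"^([A-Za-z0-9_-]+)-hw(\d+)$")   # assumed pattern
VF_RE = re.compile(r"^current vf=(\S+):(\d+)$")        # assumed CLI line
MAX_LEN = 11

def check_hyperscale_vdom_name(name: str, vdom_id_num: int = 250):
    """Return (kernel_vdom_id, warnings), or raise ValueError when the CLI
    would reject the name or the VDOM could not be set to full-offload."""
    if len(name) > MAX_LEN:
        raise ValueError(f"{name!r}: {len(name)} chars, limit is {MAX_LEN}")
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} is not in <name>-hw<vdom-id> form")
    base, id_text = m.groups()
    if "-hw" in base:
        raise ValueError(f"{name!r}: '-hw' must not appear inside <name>")
    vdom_id = int(id_text)  # int() drops leading zeros, as the kernel does
    if not 1 <= vdom_id <= vdom_id_num:
        raise ValueError(f"{name!r}: id {vdom_id} outside 1..{vdom_id_num}")
    warnings = []
    if id_text != str(vdom_id):
        warnings.append(f"leading zeros: {id_text!r} becomes {vdom_id}")
    return 501 - vdom_id, warnings

def cli_would_accept(name: str, vdom_id_num: int = 250) -> bool:
    """True when the name passes every check above."""
    try:
        check_hyperscale_vdom_name(name, vdom_id_num)
        return True
    except ValueError:
        return False

def find_kernel_id_collisions(names, vdom_id_num: int = 250):
    """Group names that would collapse onto the same kernel VDOM_ID."""
    seen = {}
    for n in names:
        kid, _ = check_hyperscale_vdom_name(n, vdom_id_num)
        seen.setdefault(kid, []).append(n)
    return {k: v for k, v in seen.items() if len(v) > 1}

def parse_current_vf(line: str):
    """Parse 'current vf=<name>:<id>' and check the id against the formula."""
    m = VF_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised CLI line: {line!r}")
    name, kid = m.group(1), int(m.group(2))
    return name, kid, kid == check_hyperscale_vdom_name(name)[0]
```

Run find_kernel_id_collisions over the full list of planned VDOM names before provisioning; a non-empty result means two names would receive the same kernel VDOM_ID.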