Configure virtual hardware settings
After deploying the FortiProxy‑VM image and before powering on the virtual appliance, log into VMware vSphere and configure the virtual appliance hardware settings to suit the size of your deployment.
The following table summarizes the defaults that are set in the default image and provides rough guidelines to help you understand whether you need to upgrade the hardware before you power on the virtual appliance. For more precise guidance on sizing, contact your sales representative or Fortinet Technical Support.
Component | Default | Guidelines |
---|---|---|
Hard disk | 32 GB | 32 GB is insufficient for most deployments. The hard disk size should be increased before you power on the appliance. After you power on the appliance, reformat the FortiProxy log disk with the following command: execute formatlogdisk |
CPU | 1 CPU | You need a minimum of 2 CPUs for a VM02 license. Upgrade to 4, 8, or 16 CPUs for VM04, VM08, and VM16 licenses, respectively. |
RAM | 2 GB | For optimal performance, Fortinet recommends a minimum of 4 GB of RAM for all FortiProxy VM deployments. See the section on vRAM for guidelines based on expected concurrent connections. |
Network interfaces | 10 bridging vNICs are mapped to a port group on one virtual switch (vSwitch). | Change the mapping as required for your VM environment and network. |
For more information on virtual hardware, see http://kb.vmware.com/selfservice/documentLinkInt.do?micrositeID=&popup=true&languageId=&externalID=1010675.
Resizing the virtual disk (vDisk)
If you configure the virtual appliance storage repository to be internal (that is, local on its own vDisk), resize the vDisk before powering on the VM appliance. If you configured the virtual appliance to use external network file system datastores (such as NFS) then you can skip this step.
The FortiProxy‑VM package includes pre-sized VMDK (Virtual Machine Disk Format) files. However, they are only 32 GB, which is not large enough for most deployments. You must resize the vDisk before powering on the virtual machine. Before doing so, make sure that you understand the effects of the vDisk settings. These options affect the possible size of each vDisk:
- 1MB block size = 256GB maximum file size
- 2MB block size = 512GB maximum file size
- 4MB block size = 1024GB maximum file size
- 8MB block size = 2048GB maximum file size
For example, if you have an 800GB datastore which has been formatted with 1MB block size, you cannot size a single vDisk greater than 256 GB.
Consider also that, depending on the size of your network, you might require more or less storage for logs, reports, and other data.
For more information on vDisk sizing, see https://communities.vmware.com/docs/DOC-11920.
To resize the vDisk:
- Use the VMware vSphere Client to connect to VMware vSphere server.
- In the left pane, right-click the name of the virtual appliance, such as FortiProxy‑VM-Doc, and select Edit Settings.
- In the list of virtual hardware on the left side of the dialog box, select Hard disk 2, click Remove, and then click OK.
- In the left pane, right-click the name of the virtual appliance and select Edit Settings.
- Click Add.
- From the device types list, select Hard Disk, then click Next.
- Select Create a new virtual disk then click Next.
- Set Disk Size to the new size of the vDisk, in GB, then click Next.
- In Virtual Device Node box, select SCSI (0:2), then click Next.
- Review the configuration then click Finish.
- Click OK to close the Virtual Machine Properties dialog box.
Configuring the virtual CPUs (vCPUs)
By default, the VM is configured to use one vCPU. Depending on the FortiProxy‑VM license that you purchased, you can allocate 2, 4, 8, or 16 vCPUs. For more information on vCPUs, see the VMware vSphere documentation: https://www.vmware.com/support/vsphere-hypervisor.html.
To configure vCPUs:
- In the left pane of the VMware vSphere Client, right-click the name of the virtual machine, such as FortiProxy‑VM-Doc, and select Edit Settings.
- On the Virtual Hardware tab, expand CPU.
- Set the number of CPUs to the maximum number of vCPUs to allocate, which can be 2, 4, 8, or 16, depending on the FortiProxy‑VM license that you purchased.
- If you are using native browser isolation (FortiNBI) on the FortiProxy VM, select Expose hardware assisted virtualization to the guest OS to expose full CPU virtualization to the guest operating system.
- Click Save.
Configuring the virtual RAM (vRAM) limit
The FortiProxy‑VM image is pre-configured to use 2 GB of vRAM. For optimal performance, Fortinet recommends a minimum of 4 GB of memory for all FortiProxy VM deployments.
Appropriate values depend on the number (n) of layer-7 transactions that will be handled simultaneously by FortiProxy‑VM. Sizing should also be adjusted if the FortiProxy‑VM will be handling layer-4 connections, or a mixture of layer-4 and layer-7 connections.
Number of simultaneous layer-7 transactions | vRAM |
---|---|
1 < n < 140,000 | 4 GB |
140,001 < n < 300,000 | 8 GB |
300,001 < n < 600,000 | 16 GB |
To change the amount of vRAM:
- Use the VMware vSphere Client to connect to VMware vSphere server.
- In the left pane, right-click the name of the virtual appliance and select Edit Settings.
- In the list of virtual hardware on the left side of the dialog, select Memory.
- Set Memory Size to the maximum vRAM to allocate, in GB. For optimal performance, Fortinet recommends a minimum of 4 GB of memory for all FortiProxy VM deployments.
- Click OK.
Mapping the virtual NICs (vNICs) to physical NICs
When you deploy the FortiProxy‑VM package, 10 bridging vNICs are created and automatically mapped to a port group on one virtual switch (vSwitch) in the hypervisor. Each vNIC can be used by one of the 10 network interfaces in FortiProxy‑VM. Conversely, some or all of the network interfaces can be configured to use the same vNIC. vSwitches are themselves mapped to physical ports on the server.
You can change the mapping, or map other vNICs, if your VM environment requires it.
The appropriate mappings of the FortiProxy‑VM network adapter ports to the host computer physical ports depend on your existing virtual environment.
Often, the default bridging vNICs work and do not need to be changed. If you are unsure of your network mappings, try bridging first before trying non-default vNIC modes, such as NAT or host-only networks. The default bridging vNIC mappings are appropriate where each of the host’s guest virtual machines has its own IP address on your network. The most common exceptions to this rule are for VLANs.
The following shows how vNICs could be mapped to the physical network ports on a server:
VMware vSphere | | | FortiProxy‑VM |
Physical Network Adapter | Network Mapping (vSwitch Port Group) | Virtual Network Adapter for FortiProxy‑VM | Network Interface Name in Web UI/CLI |
---|---|---|---|
eth0 | VM Network 0 | Management | port1 |
eth1 | VM Network 1 | External | port2 |
 | VM Network 2 | Internal | port3 |
 | | | port4 |
 | | | port5 |
 | | | port6 |
 | | | port7 |
 | | | port8 |
 | | | port9 |
 | | | port10 |
To map network adapters:
- Use the VMware vSphere Client to connect to VMware vSphere server.
- In the left pane, right-click the name of the virtual appliance and select Edit Settings.
- In the list of virtual hardware on the left side of the dialog box, select the name of a virtual network adapter to see its current settings.
- Set Network Connection to the virtual network mapping for the virtual network adapter.
  The correct mapping varies depending on the virtual environment network configuration. In this example, the Network adapter 1 is mapped to v920.
- Click OK.
HA configuration
When configuring HA on FortiProxy appliances using VMware VMs, ensure that the vSwitch can accept MAC address changes and forged transmits on the HA heartbeat VLAN. For more information, see the FortiProxy Administration Guide.
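Both settings relax the vSwitch layer-2 security policy, so it is worth accepting them only on the port group that carries the HA heartbeat VLAN and confirming that no other port group accepts them. The following VMware PowerCLI script is an added example, not part of the Fortinet documentation; it assumes a standard vSwitch and an existing Connect-VIServer session, and the host and port group names are hypothetical placeholders.

```powershell
# Added example. Requires the VMware.PowerCLI module and an active
# Connect-VIServer session. Names below are placeholders, not product values.
$vmHostName  = 'esxi01.example.internal'    # hypothetical ESXi host
$haPortGroup = 'FortiProxy-HA-Heartbeat'    # hypothetical heartbeat port group

$vmHost = Get-VMHost -Name $vmHostName

# 1. Accept MAC address changes and forged transmits on the heartbeat port
#    group only. An explicit port group policy overrides the vSwitch policy.
$pg = Get-VirtualPortGroup -VMHost $vmHost -Name $haPortGroup -Standard
Get-SecurityPolicy -VirtualPortGroup $pg |
    Set-SecurityPolicy -MacChanges $true -ForgedTransmits $true | Out-Null

# 2. Audit every standard port group on the host. "Unexpected" marks any
#    port group other than the heartbeat one that accepts either setting.
$report = Get-VirtualPortGroup -VMHost $vmHost -Standard | ForEach-Object {
    $policy = Get-SecurityPolicy -VirtualPortGroup $_
    [pscustomobject]@{
        PortGroup       = $_.Name
        VLanId          = $_.VLanId
        MacChanges      = $policy.MacChanges
        ForgedTransmits = $policy.ForgedTransmits
        Inherited       = $policy.MacChangesInherited -and
                          $policy.ForgedTransmitsInherited
        Unexpected      = ($_.Name -ne $haPortGroup) -and
                          ($policy.MacChanges -or $policy.ForgedTransmits)
    }
}
$report | Sort-Object PortGroup | Format-Table -AutoSize

# 3. Fail loudly if the heartbeat port group is not configured as required.
$ha = $report | Where-Object PortGroup -eq $haPortGroup
if (-not ($ha.MacChanges -and $ha.ForgedTransmits)) {
    throw "Port group '$haPortGroup' does not accept both settings."
}
```

A port group flagged as Unexpected with Inherited set to True is picking the settings up from the vSwitch-level policy, which is the place to tighten it.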
The following image shows what the vSwitch Properties page looks like with these settings enabled: