FortiGate VMs installed on Microsoft Hyper-V platforms support Single Root I/O Virtualization (SR-IOV) to provide FortiGate VMs with direct access to physical network cards. Enabling SR-IOV means that one PCIe network card can appear to a FortiGate VM as multiple separate physical devices. SR-IOV reduces latency and improves CPU efficiency by allowing network traffic to pass directly between a FortiGate VM and a network card, effectively bypassing the Microsoft Hyper-V host software and virtual switching.
FortiGate VMs benefit from SR-IOV because it optimizes network performance and reduces latency and CPU usage. FortiGate VMs do not use any Microsoft Hyper-V features that are incompatible with SR-IOV, so you can enable SR-IOV without negatively affecting your FortiGate VM. SR-IOV uses an I/O memory management unit (IOMMU) to differentiate between traffic streams and to apply memory and interrupt translations between the physical function (PF) and the virtual functions (VFs).
Setting up SR-IOV on Microsoft Hyper-V involves creating a physical function (PF) for each physical network card in the hardware platform. Then, you create virtual functions (VFs) that allow FortiGate VMs to communicate through the PF to the physical network card. VFs are actual PCIe hardware resources, and only a limited number of VFs are available for each PF.
SR-IOV hardware compatibility
SR-IOV requires that the hardware and operating system on which your Microsoft Hyper-V host is running have BIOS, physical NIC, and network driver support for SR-IOV.
To enable SR-IOV, your Microsoft Hyper-V platform must be running on hardware that is compatible with both SR-IOV and FortiGate-VMs. FortiGate-VMs require network cards that are compatible with the ixgbevf or i40evf drivers. As well, the host hardware CPUs must support Second Level Address Translation (SLAT).
For optimal SR-IOV support, install the most up-to-date ixgbevf or i40e/i40evf network drivers. Fortinet recommends the i40e/i40evf drivers because they provide four TxRx queues for each VF, whereas ixgbevf only provides two TxRx queues.
Creating an SR-IOV virtual switch
Begin configuring SR-IOV by creating a Microsoft Hyper-V external virtual switch with SR-IOV support. You can do this either from the Microsoft Hyper-V Manager or from the Microsoft Hyper-V PowerShell command line.
You can only add SR-IOV to a new virtual switch. You can't modify an existing virtual switch to enable SR-IOV and you can't disable SR-IOV for a virtual switch that was already added. To add or remove SR-IOV from a virtual switch you must delete it and then re-add it.
From the Microsoft Hyper-V Manager:
- Open the Virtual Switch Manager.
- Create a new virtual switch.
- Add a name and other settings as required.
- Set the Connection type to External network and select Enable single-root I/O virtualization (SR-IOV).
From the Microsoft Hyper-V PowerShell command line:
- Enter the following command to view the list of available network adapters.
- Enter the following command to add a new virtual switch:
New-VMSwitch <virtual-switch-name> -NetAdapterName <network-adapter-name> -EnableIov $true
<virtual-switch-name> is the name of the virtual switch that you are creating, and <network-adapter-name> is the name of the network adapter that you are binding the virtual switch to.
Enabling SR-IOV for a FortiGate-VM
The following procedure requires shutting down and restarting the FortiGate-VM, so it should only be performed during a quiet time or maintenance window when the network is not busy.
From the Microsoft Hyper-V Manager:
- To enable SR-IOV for a FortiGate VM, open the settings for the FortiGate VM, expand the Network Adapter node, and select Hardware Acceleration.
- On the Hardware Acceleration page, select Enable SR-IOV.
From the Microsoft Hyper-V PowerShell command line, enter a Set-VMNetworkAdapter command to enable SR-IOV for a FortiGate VM and display the resulting IOV settings, status, and assigned virtual function. For example:
Set-VMNetworkAdapter IOV8250 -IovWeight 50 -Passthru | fl "iov*", "status", "virtualfunction"
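The two procedures above (creating the SR-IOV virtual switch, then enabling SR-IOV on the FortiGate VM), combined into one script with the compatibility checks and verification a practitioner would want before and after each step. This is an added example, not Fortinet's or Microsoft's code; the adapter, switch, and VM names are constructed placeholders, and it uses only standard Hyper-V and NetAdapter cmdlets.

```powershell
# Added example: end-to-end SR-IOV setup for a FortiGate VM on Hyper-V.
# The three names below are placeholders; replace them with your own.
$AdapterName = 'Ethernet 2'       # physical NIC (ixgbevf/i40evf-compatible)
$SwitchName  = 'SRIOV-External'   # new external virtual switch to create
$VMName      = 'FortiGate-VM'     # FortiGate VM that will receive a VF

# 1. Confirm host (BIOS/SLAT/IOMMU) and NIC support before creating anything.
$hostInfo = Get-VMHost
if (-not $hostInfo.IovSupport) {
    throw "Host cannot use SR-IOV: $($hostInfo.IovSupportReasons -join '; ')"
}
$nic = Get-NetAdapterSriov -Name $AdapterName
if ($nic.SriovSupport -ne 'Supported') {
    throw "NIC '$AdapterName' does not support SR-IOV ($($nic.SriovSupport))"
}

# 2. SR-IOV can only be enabled on a NEW switch, so refuse to reuse an old one.
if (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue) {
    throw "Switch '$SwitchName' exists; delete and re-create it to change SR-IOV"
}
New-VMSwitch -Name $SwitchName -NetAdapterName $AdapterName -EnableIov $true |
    Out-Null

# 3. Verify the switch really has VFs available, not just the flag set.
$sw = Get-VMSwitch -Name $SwitchName
if (-not $sw.IovEnabled -or $sw.IovVirtualFunctionCount -eq 0) {
    throw "SR-IOV not active on switch: $($sw.IovSupportReasons -join '; ')"
}

# 4. The VM must be off to change its adapter; this is the restart the
#    procedure says to schedule in a maintenance window.
if ((Get-VM -Name $VMName).State -ne 'Off') {
    Stop-VM -Name $VMName -Force
}
Connect-VMNetworkAdapter -VMName $VMName -SwitchName $SwitchName
Set-VMNetworkAdapter -VMName $VMName -IovWeight 50   # 0 disables, 1-100 enables
Start-VM -Name $VMName

# 5. Confirm a VF was actually assigned. An empty VirtualFunction means the
#    adapter silently fell back to the software path through the vSwitch.
Get-VMNetworkAdapter -VMName $VMName |
    Select-Object Name, IovWeight, Status, VirtualFunction
```

Run it in an elevated PowerShell session on the Hyper-V host; each check throws before the next step runs, so a failed prerequisite leaves the host unchanged.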