KVM Cookbook

6.2.0
DPDK global settings

To enable DPDK operations for the FortiGate-VM:
  1. In the FortiOS CLI, enter the following commands to enable DPDK operation:

    config dpdk global
    set status enable
    set interface port1
    end

  2. The CLI displays the following message:

    Status and interface changes will trigger system reboot and take effect after the reboot.

    Do you want to continue? (y/n)

    Press y to reboot the device.

    Note

    Before the system reboots, check that the other DPDK settings are configured properly. You must enable at least one network interface for DPDK. The example enables port1. You can enable other interfaces as desired. If you do not set an interface, a prompt displays and the change is discarded. See "To enable a network interface to run DPDK operation".

To enable DPDK multiqueue mode:

Enabling multiqueue at network RX/TX helps DPDK better balance the workload across multiple engines.

  1. In the FortiOS CLI, enter the following commands to enable DPDK multiqueue mode:

    config dpdk global
    set multiqueue enable
    end

  2. The CLI displays the following message:

    Multiqueue change will trigger IPS restart and will take effect after the restart. Traffic may be interrupted briefly.

    Do you want to continue? (y/n)

    Press y to restart the IPS engine.

To set the percentage of main memory allocated to DPDK huge pages and packet buffer pool:

You can configure the amount of main memory (as a percentage) allocated to huge pages, which are dedicated to DPDK use. You can also configure the amount of main memory (as a percentage) allocated to the DPDK packet buffer pool.

Enter the following commands to set these amounts:

    config dpdk global
    set hugepage-percentage [X]
    set mbufpool-percentage [Y]
    end

Changing mbufpool-percentage requires the IPS engine to restart (no reboot).

Note

Huge page memory is mounted at system startup and remains mounted as long as the FortiGate-VM is running. Packet buffer pool memory is drawn from huge pages. Therefore, the packet buffer pool amount (Y) must not exceed the huge pages amount (X).

In practice, Y must be less than or equal to X - 5, which leaves 5% memory overhead for other DPDK data structures. The range of X is between 10 and 50, and the range of Y is between 5 and 45.

Note

Setting X too high may force FortiOS to enter conserve mode. Setting X too low may result in insufficient memory for DPDK operation and failure of initialization.

Note

During FortiOS DPDK Helper environment initialization, RTE memory zones are drawn from huge memory pages. The system tries to reserve contiguous memory chunks for these memory zones on a best-effort basis. Therefore, the amount of huge page memory is slightly larger than the amount of memory that RTE memory zones use. To see how RTE memory zones reserve memory, run the diagnose dpdk statistics show memory command.

To enable a network interface to run DPDK operation:

You must enable at least one network interface to run DPDK operation.

    config dpdk global
    set interface "portX" "portY"
    end

Note

You must enable at least one network interface for DPDK. Otherwise, DPDK early initialization during system startup fails and falls back to a disabled state. In this example, if there are two network interfaces that you intend to use, you can specify set interface port1 port2.

Note

Enabling DPDK is only available for physical network interfaces.

To enable DPDK monitor engine:

Enabling DPDK monitor engine is optional.

  1. In the FortiOS CLI, enter the following commands to enable DPDK monitor engine:

    config dpdk global
    set sleep-on-idle enable
    end

  2. The CLI displays the following message:

    sleep-on-idle change will trigger IPS restart and will take effect after the restart. Traffic may be interrupted briefly.

    Do you want to continue? (y/n)

    Press y to restart the IPS engine.

By default, the DPDK monitor engine is disabled. When enabled, only one DPDK engine polls DPDK-enabled interfaces. When packets arrive, corresponding DPDK entries are activated. This helps when services other than firewall or IPS engine, such as antivirus, WAD, or web filter, are running and performance degradation is observed while DPDK performance statistics show that DPDK engines are not fully used. Latency may increase because the monitor engine needs time to activate the proper DPDK engines.

To enable elastic buffer (temporary memory buffer):

Enabling elastic buffer is optional.

  1. In the FortiOS CLI, enter the following commands to enable elastic memory buffer:

    config dpdk global
    set elasticbuffer enable
    end

  2. The CLI displays the following message:

    elasticbuffer change will trigger IPS restart and will take effect after the restart. Traffic may be interrupted briefly.

    Do you want to continue? (y/n)

    Press y to restart the IPS engine.

By default, elastic buffer is disabled. When enabled, an elastic buffer takes effect to store packets in case of traffic burst. The feature helps to reduce packet drops when received packets peak under system overload by storing packets in the buffer and processing them afterward. This feature is experimental.

To enable per-session accounting:

Enabling per-session accounting is optional.

  1. In the FortiOS CLI, enter the following commands to enable per-session accounting:

    config dpdk global
    set per-session-accounting enable|disable|traffic-log-only
    end

  2. The CLI displays the following message:

    per-session-accounting change will trigger IPS restart and will take effect after the restart. Traffic may be interrupted briefly.

    Do you want to continue? (y/n)

    Press y to restart the IPS engine.

By default, per-session accounting is configured only for traffic logs, which results in per-session accounting being enabled when you enable traffic logging in a policy.

Per-session accounting is a logging feature that allows FortiOS to report the correct bytes per packet numbers per session for sessions offloaded to a vNP process. This information appears in traffic log messages, FortiView, and diagnose commands. Per-session accounting can affect vNP offloading performance. You should only enable per-session accounting if you need the accounting information. A similar feature is available for physical FortiGate NP6 processors.
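The limits given above (X between 10 and 50, Y between 5 and 45, Y no greater than X - 5, at least one interface when DPDK is enabled) and the reboot or IPS-restart impact of each setting can be checked before a change window. The following Python script is an added example, not Fortinet code; the function names and the sample configuration are hypothetical and constructed for illustration.

```python
import re

# Trigger per setting, from this page; it states none for hugepage-percentage.
IMPACT = {
    "status": "system reboot", "interface": "system reboot",
    "multiqueue": "IPS restart", "mbufpool-percentage": "IPS restart",
    "sleep-on-idle": "IPS restart", "elasticbuffer": "IPS restart",
    "per-session-accounting": "IPS restart",
}

def parse_dpdk_global(text):
    """Return {setting: [values]} from a 'config dpdk global' ... 'end' block."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config dpdk global":
            inside = True
        elif line == "end":
            inside = False
        elif inside and line.startswith("set "):
            _, key, *values = re.findall(r'"[^"]*"|\S+', line)
            settings[key] = [v.strip('"') for v in values]
    return settings

def _percent(settings, key, low, high, errors):
    if key not in settings:
        return None
    value = "".join(settings[key])
    if not value.isdigit() or not low <= int(value) <= high:
        errors.append(f"{key} must be an integer from {low} to {high}, got {value!r}")
        return None
    return int(value)

def review(text):
    """Return (errors, impacts) for a proposed 'config dpdk global' change."""
    s, errors = parse_dpdk_global(text), []
    if s.get("status") == ["enable"] and not s.get("interface"):
        errors.append("status enable needs at least one interface")
    x = _percent(s, "hugepage-percentage", 10, 50, errors)
    y = _percent(s, "mbufpool-percentage", 5, 45, errors)
    if x is not None and y is not None and y > x - 5:
        errors.append(f"mbufpool-percentage {y} exceeds hugepage-percentage {x} - 5")
    return errors, sorted({IMPACT[k] for k in s if k in IMPACT})

# Constructed sample change, not taken from a real device.
SAMPLE = """config dpdk global
    set status enable
    set interface "port1" "port2"
    set hugepage-percentage 30
    set mbufpool-percentage 28
end"""
```

Calling `review(SAMPLE)` flags the Y > X - 5 violation and reports that the change set involves both a system reboot and an IPS restart. When only one of the two percentages appears in the change, the X - 5 relation has to be checked against the value currently configured on the device.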
