FortiGate-VMs installed on VMware ESXi platforms support Single Root I/O virtualization (SR-IOV) to provide FortiGate-VMs with direct access to physical network cards. Enabling SR-IOV means that one PCIe network card or CPU can function for a FortiGate-VM as multiple separate physical devices. SR-IOV reduces latency and improves CPU efficiency by allowing network traffic to pass directly between a FortiGate-VM and a network card, bypassing VMware ESXi host software and without using virtual switching.
FortiGate-VMs benefit from SR-IOV because it optimizes network performance and reduces latency and CPU usage. FortiGate-VMs do not use VMware ESXi features that are incompatible with SR-IOV, so you can enable SR-IOV without negatively affecting your FortiGate-VM. SR-IOV uses an I/O memory management unit (IOMMU) to keep traffic streams separate and to apply memory and interrupt translations between the physical functions (PF) and virtual functions (VF).
Setting up SR-IOV on VMware ESXi involves creating a PF for each physical network card in the hardware platform. Then, you create VFs that allow FortiGate-VMs to communicate through the PF to the physical network card. VFs are actual PCIe hardware resources and only a limited number of VFs are available for each PF.
SR-IOV hardware compatibility
SR-IOV requires that the hardware and operating system on which your VMware ESXi host is running has BIOS, physical NIC, and network driver support for SR-IOV.
To enable SR-IOV, your VMware ESXi platform must be running on hardware that is compatible with SR-IOV and with FortiGate-VMs. FortiGate-VMs require network cards that are compatible with the ixgbevf or i40evf drivers. The host CPUs must also support second level address translation (SLAT).
For optimal SR-IOV support, install the most up-to-date ixgbevf or i40e/i40evf network drivers. Fortinet recommends the i40e/i40evf drivers because they provide four TxRx queues for each VF, whereas ixgbevf only provides two.
Create SR-IOV virtual interfaces
Complete the following procedure to enable SR-IOV. This procedure requires restarting the VMware host and powering down the FortiGate-VM and should only be done during a maintenance window or when the network is not very busy.
For example, if you are using the VMware host client:
- Go to Manage > Hardware > PCI Devices to view all of the PCI devices on the host.
- Select the SR-IOV capable filter to view the PCI devices (network adapters) that are compatible with SR-IOV.
- Select a network adapter and select Configure SR-IOV.
- Enable SR-IOV and specify the Number of virtual functions.
- Save your changes and restart the VMware host.
For example, if you are using the vSphere web client:
- Go to the host with the SR-IOV physical network adapter that you want to add virtual interfaces to.
- In the Networking part of the Manage tab, select Physical Adapters.
- Select the physical adapter for which to enable SR-IOV settings.
- Enable SR-IOV and specify the Number of virtual functions.
- Save your changes and restart the VMware host.
You can also use the following command from the ESXi host CLI to add virtual interfaces to one or more compatible network adapters:
$ esxcli system module parameters set -m <driver-name> -p "max_vfs=<virtual-interfaces>"
Where <driver-name> is the name of the network adapter driver (for example ixgbevf or i40evf) and <virtual-interfaces> is a comma-separated list giving the number of virtual interfaces to allow for each physical interface.
For example, if your VMware host includes three i40evf network adapters and you want to enable 6 virtual interfaces on each network adapter, enter the following:
$ esxcli system module parameters set -m i40evf -p "max_vfs=6,6,6"
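As an added example (not part of the Fortinet page or the ESXi tooling), the POSIX sh helpers below build the max_vfs argument for the command above with one value per physical port, refuse a per-port count above an assumed ceiling (VF_LIMIT is a placeholder; the real limit depends on the NIC), and read the value back from constructed "esxcli system module parameters list" output so the setting can be confirmed after the host reboot.

```shell
#!/bin/sh
# Added example, not from the Fortinet page or the ESXi tooling.
# VF_LIMIT is an assumed per-port ceiling (placeholder): check the NIC's real limit.
VF_LIMIT=${VF_LIMIT:-16}

# build_max_vfs <driver> <physical-ports> <vfs-per-port>
# Prints the esxcli command with one comma-separated value per physical port
# (every port needs a value, even 0), or returns 1 if the request is invalid.
build_max_vfs() {
  driver=$1; ports=$2; per_port=$3
  case "$driver" in
    ixgbevf|i40evf) ;;                      # drivers named on the page
    *) echo "unsupported driver: $driver" >&2; return 1 ;;
  esac
  [ "$ports" -ge 1 ] 2>/dev/null || return 1
  [ "$per_port" -ge 0 ] 2>/dev/null || return 1
  [ "$per_port" -le "$VF_LIMIT" ] || { echo "max_vfs $per_port exceeds limit $VF_LIMIT" >&2; return 1; }
  list=""; i=0
  while [ "$i" -lt "$ports" ]; do
    list="${list:+$list,}$per_port"
    i=$((i + 1))
  done
  printf 'esxcli system module parameters set -m %s -p "max_vfs=%s"\n' "$driver" "$list"
}

# current_max_vfs <output of: esxcli system module parameters list -m driver>
# Prints the Value column of the max_vfs row (empty if unset). The column
# layout assumed here is the constructed sample below, not captured output.
current_max_vfs() {
  printf '%s\n' "$1" | awk '$1 == "max_vfs" {
    for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]+(,[0-9]+)*$/) { print $i; exit }
  }'
}

# Constructed sample of the parameters list output, used offline.
SAMPLE_LIST_OUTPUT='Name     Type          Value  Description
-------  ------------  -----  -----------
max_vfs  array of int  6,6,6  Number of Virtual Functions per port
debug    int                  Debug level'

build_max_vfs i40evf 3 6          # three adapters, 6 VFs each, as in the page example
current_max_vfs "$SAMPLE_LIST_OUTPUT"
```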
Assign SR-IOV virtual interfaces to a FortiGate-VM
- Power off the FortiGate-VM and open its virtual hardware settings.
- Create or edit a network adapter and set its type to SR-IOV passthrough.
- Select the physical network adapter for which you have enabled SR-IOV.
- Optionally associate the FortiGate-VM network adapter with the port group on a standard or distributed switch.
- To guarantee that the pass-through device can access all VM memory, in the Memory section select Reserve all guest memory.
- Save your changes and power on the FortiGate-VM.
Set up VMware CPU affinity
Configuring CPU affinity on your FortiGate-VM builds on the benefits of SR-IOV by letting the FortiGate-VM align interrupts from its interfaces to specific CPUs.
A CPU affinity setting restricts a VM to a subset of the available processors in a multiprocessor system: the VM is scheduled only on the processors in its affinity set, so you can pin each FortiGate-VM to specific processors.
For example, if you are using the vSphere web client, use the following steps:
- Power off the FortiGate-VM.
- Edit the FortiGate-VM hardware settings and select Virtual Hardware.
- Select CPU options.
- In Scheduling Affinity, specify the CPUs to have affinity with the FortiGate-VM. For best results, the affinity list should include one entry for each of the FortiGate-VM's virtual CPUs.
- Save your changes.
The following topics are included in this section:
- FortiGate VM models and licensing
- Registering FortiGate VM with Customer Service & Support
- Downloading the FortiGate VM deployment package
- Deployment package contents
- Deploying the FortiGate VM appliance
FortiGate VM models and licensing
Fortinet offers the FortiGate VM in five virtual appliance models determined by license. When configuring your FortiGate VM, be sure to configure hardware settings within the ranges outlined below. Contact your Fortinet Authorized Reseller for more information.
FortiGate VM model information
Technical Specification | FG-VM00 | FG-VM01 | FG-VM02 | FG-VM04 | FG-VM08 |
--- | --- | --- | --- | --- | --- |
Virtual CPUs (min / max) | 1 / 1 | 1 / 1 | 1 / 2 | 1 / 4 | 1 / 8 |
Virtual Network Interfaces (min / max) | 2 / 10 | 2 / 10 | 2 / 10 | 2 / 10 | 2 / 10 |
Virtual Memory (min / max) | 1 GB / 1 GB | 1 GB / 2 GB | 1 GB / 4 GB | 1 GB / 6 GB | 1 GB / 12 GB |
Virtual Storage (min / max) | 32 GB / 2 TB | 32 GB / 2 TB | 32 GB / 2 TB | 32 GB / 2 TB | 32 GB / 2 TB |
Managed Wireless APs (tunnel mode / global) | 32 / 32 | 32 / 64 | 256 / 512 | 256 / 512 | 1024 / 4096 |
Virtual Domains (default / max) | 1 / 1 | 10 / 10 | 10 / 25 | 10 / 50 | 10 / 250 |
After placing an order for FortiGate VM, a license registration code is sent to the email address used on the order form. Use the registration number provided to register the FortiGate VM with Customer Service & Support and then download the license file. Once the license file is uploaded to the FortiGate VM and validated, your FortiGate VM appliance is fully functional.
The number of Virtual Network Interfaces is not solely dependent on the FortiGate VM. Some virtual environments have their own limitations on the number of interfaces allowed. As an example, if you go to https://docs.microsoft.com/en-us/azure/virtualnetwork/virtual-networks-multiple-nics, you will find that Azure has its own restrictions for VMs, depending on the type of deployment or even the size of the VM.
FortiGate VM evaluation license
FortiGate VM includes a limited embedded 15-day trial license that supports:
- 1 CPU maximum
- 1024 MB memory maximum
- low encryption only (no HTTPS administrative access)
- all features except FortiGuard updates
You cannot upgrade the firmware; doing so will lock the Web-based Manager until a license is uploaded. Technical support is not included. The trial period begins the first time you start FortiGate VM. After the trial license expires, functionality is disabled until you upload a license file.
Registering FortiGate VM with Customer Service & Support
To obtain the FortiGate VM license file you must first register your FortiGate VM with Customer Service & Support.
To register your FortiGate VM:
- Log in to the Customer Service & Support portal using an existing support account or select Sign Up to create a new account.
- In the main page, under Asset, select Register/Renew. The Registration page opens.
- Enter the registration code that was emailed to you and select Register. A registration form will display.
- After completing the form, a registration acknowledgement page will appear.
- Select the License File Download.
- You will be prompted to save the license file (.lic) to your local computer. See "Upload the license file" for instructions on uploading the license file to your FortiGate VM via the Web-based Manager.
Downloading the FortiGate VM deployment package
FortiGate VM deployment packages are included with FortiGate firmware images on the Customer Service & Support site. First, see the following table to determine the appropriate VM deployment package for your VM platform.
Selecting the correct FortiGate VM deployment package for your VM platform
VM Platform | FortiGate VM Deployment File |
--- | --- |
Citrix XenServer v5.6sp2, 6.0 and later | FGT_VM64-v500-buildnnnn-FORTINET.out.CitrixXen.zip |
OpenXen v3.4.3, 4.1 | FGT_VM64-v500-buildnnnn-FORTINET.out.OpenXen.zip |
Microsoft Hyper-V Server 2008R2 and 2012 | FGT_VM64-v500-buildnnnn-FORTINET.out.hyperv.zip |
KVM (qemu 0.12.1) | FGT_VM64-v500-buildnnnn-FORTINET.out.kvm.zip |
VMware ESX 4.0, 4.1; ESXi 4.0/4.1/5.0/5.1/5.5 | FGT_VM32-v500-buildnnnn-FORTINET.out.ovf.zip (32-bit); FGT_VM64-v500-buildnnnn-FORTINET.out.ovf.zip (64-bit) |
For more information see the FortiGate product datasheet available on the Fortinet web site, http://www.fortinet.com/products/fortigate/virtualappliances.html.
The firmware images FTP directory is organized by firmware version, major release, and patch release. The firmware images in the directories follow a specific naming convention and each firmware image is specific to the device model. For example, the FGT_VM32-v500-build0151-FORTINET.out.ovf.zip image found in the v5.0 Patch Release 2 directory is specific to the FortiGate VM 32-bit environment.
You can also download the FortiOS Release Notes, FORTINET-FORTIGATE MIB file, FSSO images, and SSL VPN client in this directory. The Fortinet Core MIB file is located in the main FortiGate v5.00 directory.
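As an added example (not from the Fortinet guide), the POSIX sh helper below splits an image name that follows the FGT_VM<arch>-v<version>-build<nnnn>-FORTINET.out[.<platform>.zip] convention described above and checks that the package matches the hypervisor it is being deployed on; expect_platform and parse_image_name are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the Fortinet guide.
# parse_image_name <filename>
# Prints "arch version build platform"; "firmware" marks the bare .out upgrade
# image. Returns 1 for any name outside the convention, so a wrong download
# (a hardware-model image, or a package for another hypervisor) is caught.
parse_image_name() {
  name=$1
  case "$name" in
    FGT_VM32-v*-build*-FORTINET.out*|FGT_VM64-v*-build*-FORTINET.out*) ;;
    *) return 1 ;;
  esac
  rest=${name#FGT_VM}
  arch=${rest%%-*}                 # 32 or 64
  rest=${rest#*-v}
  version=${rest%%-*}              # e.g. 500 for v5.0
  rest=${rest#*-build}
  build=${rest%%-*}                # e.g. 0151 (the nnnn in the table above)
  rest=${rest#*-FORTINET.out}
  case "$rest" in
    "") platform=firmware ;;       # plain .out file used for firmware upgrades
    .*.zip) platform=${rest#.}; platform=${platform%.zip} ;;
    *) return 1 ;;
  esac
  printf '%s %s %s %s\n' "$arch" "$version" "$build" "$platform"
}

# expect_platform <filename> <platform suffix from the table, e.g. kvm>
# Returns 0 only when the package is the one for the hypervisor in use.
expect_platform() {
  parsed=$(parse_image_name "$1") || return 1
  [ "${parsed##* }" = "$2" ]
}

parse_image_name FGT_VM32-v500-build0151-FORTINET.out.ovf.zip   # example name from the text
```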
To download the FortiGate VM deployment package:
- In the main page of the Customer Service & Support site, select Download > Firmware Images. The Firmware Images page opens.
- In the Firmware Images page, select FortiGate.
- Browse to the appropriate directory on the FTP site for the version that you would like to download.
- Download the appropriate .zip file for your VM server platform. You can also download the FortiGate Release Notes.
- Extract the contents of the deployment package to a new file folder.
Deployment package contents
Citrix XenServer
The FORTINET.out.CitrixXen.zip file contains:
- fortios.vhd: the FortiGate VM system hard disk in VHD format
- fortios.xva: binary file containing virtual hardware configuration settings
- in the ovf folder:
  - FortiGate-VM64.ovf: Open Virtualization Format (OVF) template file, containing virtual hardware settings for Xen
  - fortios.vmdk: the FortiGate VM system hard disk in VMDK format
  - datadrive.vmdk: the FortiGate VM log disk in VMDK format
The ovf folder and its contents are an alternative method of installation to the .xva and VHD disk image.
OpenXEN
The FORTINET.out.OpenXen.zip file contains only fortios.qcow2, the FortiGate VM system hard disk in qcow2 format. You will need to manually:
- create a 32GB log disk
- specify the virtual hardware settings
Microsoft Hyper-V
The FORTINET.out.hyperv.zip file contains:
- in the Virtual Hard Disks folder:
  - fortios.vhd: the FortiGate VM system hard disk in VHD format
  - DATADRIVE.vhd: the FortiGate VM log disk in VHD format
- in the Virtual Machines folder:
  - fortios.xml: XML file containing virtual hardware configuration settings for Hyper-V. This is compatible with Windows Server 2012.
- Snapshots folder: optionally, Hyper-V stores snapshots of the FortiGate VM state here
KVM
The FORTINET.out.kvm.zip file contains only fortios.qcow2, the FortiGate VM system hard disk in qcow2 format. You will need to manually:
- create a 32GB log disk
- specify the virtual hardware settings
VMware ESX/ESXi
You will need to create a 32GB log disk.
The FORTINET.out.ovf.zip file contains:
- fortios.vmdk: the FortiGate VM system hard disk in VMDK format
- datadrive.vmdk: the FortiGate VM log disk in VMDK format
- Open Virtualization Format (OVF) template files:
  - FortiGate-VM64.ovf: OVF template based on the Intel e1000 NIC driver
  - FortiGate-VM64.hw04.ovf: OVF template file for older (v3.5) VMware ESX server
  - FortiGate-VMxx.hw07_vmxnet2.ovf: OVF template file for the VMware vmxnet2 driver
  - FortiGate-VMxx.hw07_vmxnet3.ovf: OVF template file for the VMware vmxnet3 driver
Deploying the FortiGate VM appliance
Prior to deploying the FortiGate VM appliance, the VM platform must be installed and configured so that it is ready to create virtual machines. The installation instructions for FortiGate VM assume that
- You are familiar with the management software and terminology of your VM platform.
- An Internet connection is available for FortiGate VM to contact FortiGuard to validate its license or, for closed environments, a FortiManager can be contacted to validate the FortiGate VM license. See “Validate the FortiGate VM license with FortiManager”.
For assistance in deploying FortiGate VM, refer to the deployment chapter in this guide that corresponds to your VMware environment. You might also need to refer to the documentation provided with your VM server. The deployment chapters are presented as examples because for any particular VM server there are multiple ways to create a virtual machine. There are command line tools, APIs, and even alternative graphical user interface tools.
Before you start your FortiGate VM appliance for the first time, you might need to adjust virtual disk sizes and networking settings. The first time you start FortiGate VM, you will have access only through the console window of your VM server environment. After you configure one FortiGate network interface with an IP address and administrative access, you can access the FortiGate VM web-based manager.
After deployment and license validation, you can upgrade your FortiGate VM appliance's firmware by downloading either FGT_VM32-v500-buildnnnn-FORTINET.out (32-bit) or FGT_VM64-v500-buildnnnn-FORTINET.out (64-bit) firmware. Upgrading firmware on a VM is very similar to upgrading firmware on a hardware FortiGate unit.