KVM Administration Guide

FortiGate vSPU

Virtual security processing units (vSPU), introduced in FortiOS 6.2.3, refer to the combination of the FortiOS virtual Network Processor (vNP) and DPDK libraries operating within the FortiGate-VM. vNP is the software emulation of a subset of the Fortinet Network Processor.

DPDK provides data plane libraries and the polling-mode driver (PMD), which enables offload of packet processing from the system kernel to user space. This allows the creation of high-speed networking applications, such as the vNP.

vSPU is implemented within the FortiGate-VM, allowing the virtual appliance to be optimized:

  • vNP runs in user space, and the kernel is bypassed when vNP is handling the traffic.
  • PMD means that traffic is taken from the NIC by polling, without relying on CPU interrupts.

As a result, for certain FortiGate-VM use cases, you can employ vSPU to make more effective use of CPU resources and achieve higher throughput.

You can activate vSPU by configuration on a per-CPU basis. Each CPU activated for vNP function is presented as a processing engine.

The following summarizes how FortiOS handles traffic when multiple CPUs are enabled for vSPU. You cannot change this behavior through configuration:

| FortiOS version | Description |
| --- | --- |
| 7.0.1 and earlier versions | Traffic balancing is based on the L3 header information. For best performance, a significant variation in source and destination IP addresses is needed to load all vSPUs evenly. |
| 7.0.2 and later versions | Traffic balancing is based on the L3 and L4 header information. The hash used to balance across the DPDK engines is based on L4 source and destination port numbers in addition to L3 addresses. Therefore, loading more vSPUs evenly should be easier. |
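
The effect of the two balancing modes on engine load can be seen in the following added example, which is not Fortinet code. BLAKE2b stands in for the FortiOS hash (which this page does not document), and the flow tuples, the engine count of 4, and all function names are constructed for illustration.

```python
import hashlib
from ipaddress import ip_address

def pick_engine(flow, engines, use_l4):
    """Map a flow to an engine index from its header fields.

    BLAKE2b is a stand-in: the page does not document the real FortiOS hash.
    """
    src, dst, sport, dport = flow
    key = ip_address(src).packed + ip_address(dst).packed
    if use_l4:  # 7.0.2 and later: ports are hashed in addition to addresses
        key += sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
    digest = hashlib.blake2b(key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % engines

def distribution(flows, engines, use_l4):
    """Return the number of flows assigned to each engine."""
    counts = [0] * engines
    for flow in flows:
        counts[pick_engine(flow, engines, use_l4)] += 1
    return counts

def imbalance(counts):
    """Busiest engine's load relative to a perfectly even split (1.0 = even)."""
    return max(counts) / (sum(counts) / len(counts))

# Constructed sample traffic (not from the page).
# Low address diversity: one client, one server, 4000 source ports.
FEW_HOSTS = [("10.0.0.10", "10.0.1.20", 1024 + i, 443) for i in range(4000)]
# High address diversity: 4000 clients, one flow each.
MANY_HOSTS = [(f"10.1.{i // 250}.{i % 250 + 1}", "10.0.1.20", 40000, 443)
              for i in range(4000)]

if __name__ == "__main__":
    for name, flows in (("few hosts", FEW_HOSTS), ("many hosts", MANY_HOSTS)):
        for use_l4 in (False, True):
            counts = distribution(flows, 4, use_l4)
            mode = "L3+L4" if use_l4 else "L3 only"
            print(f"{name:10} {mode:8} {counts} imbalance={imbalance(counts):.2f}")
```

With L3-only hashing, the single client/server pair lands entirely on one engine, which is the case to watch for when sizing a deployment that fronts a small number of peers such as a proxy or a NAT gateway.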

The vSPU is analogous to the physical NP found in physical appliances. Session creation is performed in the kernel, and the session is then offloaded to the vSPU, in the same way that the hardware offloads traffic to the NP.

For more information, including a diagram of the fastpath architecture, see Performance as a Key Attribute of Fortinet.

Note: The vNP is beneficial if the IP payload is UDP or TCP. Other traffic traverses the device without benefiting from fastpath.
