VMware ESXi Administration Guide

Hypervisor tuning

VMware ESXi is a bare metal or type 1 hypervisor that has been available since 2001. ESXi provides the compute workload for the wider Telco Cloud Platform collection of products available from VMware and is the home of the FortiGate-VM.

This document focuses on maximizing a FortiGate-VM deployment's performance. Therefore, this document limits discussion to ESXi and vCenter, where vCenter provides centralized management of ESXi compute nodes.

You should consult the FortiOS Release Notes to determine the Fortinet recommendations on ESXi versions. As the list in the Release Notes is long, this document focuses on the version included in the Telco Cloud Platform 5G Edition 2.1 release to fit the intended audience.

Note

Refer to the ESXi and vCenter articles to map the named releases to build numbers.

The NIC is probably the most important consideration to achieve a performant firewall. Handling network I/O correctly and efficiently is important. The main considerations, which this document covers in more detail later, are:

  • Traffic NICs should support SR-IOV. PCI-passthrough may be an alternative option, but has little flexibility.
  • Avoid OEM NICs. For example, a Dell-branded Intel XXV710 NIC may not have the required firmware version available to achieve a working solution.
  • The number of NIC ports and, therefore, the number of network queues/buffers used for traffic is important when considering a FortiGate-VM deployment without vSPU, as it allows effective use of the CPUs.

Note

VMware, NIC vendor, and firmware/driver versions are typically outside of the deployment scope for Fortinet. However, they are important to achieve a stable and performant solution, so you should choose these versions carefully. They are the first things to check if performance is suboptimal or if the deployment is unexpectedly not functioning as designed.
