Technical Tip: How to add CPU core in FortiGate firewall VM
| Description | This article describes how to add a CPU to the VM FortiGate. |
| Scope | FortiGate-VMs in Private Cloud and FortiGate-VMs in Public Cloud, like AWS, Azure, GCP, OCI, and so on, with the BYOL license model. |
| Solution | Before adding a CPU, check how many CPU cores the running license permits by executing the following in the firewall CLI:
diagnose debug vm-print-license Key: yes
In this case, the license running on the FortiGate permits using only 1 CPU.
The first step to increase the number of CPUs is to register the contract registration number in the company's FortiCloud account and download the related license file, as explained here: Registering the FortiGate VM and downloading the license file | FortiVoice Public Cloud Deployment Guide.
The second step is to upload the license file in the FortiGate VM license section (direct browser access: https://<IP_of_the_VM>/system/vm/license).
The section is accessible from System -> FortiGuard if the FortiOS version running is 7.6 or newer, and from Dashboard -> Status -> select the Virtual Machine section, for any version.
After the license upload, the FortiGate requires a first reboot.
After the reboot, if there are additional CPUs assigned to the VM instance, run the following command:
execute cpu show
The total number of CPUs assigned to the VM is displayed in: Total CPU number.
However, the FortiGate continues to use only the CPU or CPUs it was using before the reboot.
It is necessary to execute the command:
execute cpu add <number_of_new_vCPUs>
number_of_new_vCPUs - would be 3 in the case shown in the screenshot.
And finally, after the CPUs have been added, a second firewall reboot is necessary.
After the reboot, executing 'get system status' shows the number of CPUs currently running in the firewall:
get system status | grep "VM Resources"
Note: In general, a minimum of 8 cores is required for a FortiGate-VM to receive the full extended IPS database. From v7.6.0 onwards, regardless of the number of vCPUs, FortiGate VM now receives the full extended IPS database.
If the FortiGate license is not updated, the FortiGate will still use only the number of CPUs permitted by the current license, even though the number of CPUs assigned to the VM was increased.
For example, if the VM size in Azure is 8 vCPUs, but the license is FG-VM02, FortiGate will still only see and use 2 vCPUs.
Also, users using a VM with a serial number starting with 'FGVMSL' may encounter an issue when loading the license and performing the necessary reboot. After the reboot, the license becomes valid, but the active CPUs may be reduced to one. It is necessary to re-add the CPU, as this is expected behavior for VMs with serial numbers starting with 'FGVMSL'.
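The check described above ('get system status | grep "VM Resources"') and the license-cap and 'FGVMSL' cases in the notes can be turned into a small audit helper. This is an added example, not Fortinet code: the shape of the "VM Resources" line, the function names and the sample lines are assumptions, since the page shows the command but not its output.

```python
import re

# Assumed shape of the line printed by: get system status | grep "VM Resources"
# (the page shows the command but not its output; adjust the pattern to your build).
VM_RESOURCES = re.compile(r"VM Resources:\s*(\d+)\s*CPU\s*/\s*(\d+)\s*allowed")


def parse_vm_resources(status_text):
    """Return (active_cpus, licensed_cpus) from 'get system status' output."""
    match = VM_RESOURCES.search(status_text)
    if match is None:
        raise ValueError("no 'VM Resources' line in the supplied output")
    return int(match.group(1)), int(match.group(2))


def plan_cpu_add(status_text, assigned_vcpus):
    """Decide what the procedure above still requires for one FortiGate-VM.

    assigned_vcpus is 'Total CPU number' from 'execute cpu show', or the
    vCPU count of the instance size in the hypervisor or cloud console.
    """
    active, licensed = parse_vm_resources(status_text)
    usable = min(assigned_vcpus, licensed)   # the license caps what can run
    to_add = max(usable - active, 0)         # only the new vCPUs are added
    return {
        "active": active,
        "licensed": licensed,
        "assigned": assigned_vcpus,
        "license_limited": assigned_vcpus > licensed,
        "command": f"execute cpu add {to_add}" if to_add else None,
        "reboot_needed": to_add > 0,
    }


# Constructed sample lines, not captured from a real device.
AFTER_FIRST_REBOOT = "VM Resources: 1 CPU/4 allowed, 2007 MB RAM"
AZURE_8_VCPU_FG_VM02 = "VM Resources: 2 CPU/2 allowed, 16001 MB RAM"

if __name__ == "__main__":
    for label, line, assigned in (
        ("license uploaded, CPUs not yet added", AFTER_FIRST_REBOOT, 4),
        ("8 vCPU instance, FG-VM02 license", AZURE_8_VCPU_FG_VM02, 8),
    ):
        print(label, plan_cpu_add(line, assigned))
```

A result with "license_limited" set means the instance has more vCPUs than the license permits, so a license update is needed before 'execute cpu add' can help.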
Related documents: |

