Technical Tip: How to distribute IPsec traffic across all CPU Cores in FortiGate VM

For VM configuration, it is necessary to follow the following configuration.

Understand what would be rx-ring parameters set and it is necessary to configure the ring-rx parameter on the physical interface where the tunnel was built. Later, assign the CPU affinity mask.

The final configuration would look like, supposing a tunnel built on physical interface port2:

config system interface
    edit "port2"
        set ring-rx 1024
        set ring-tx 1024
end

config system affinity-packet-redistribution
    edit 1
        set interface "port2"
        set rxqid 255     <-----  255 value use when want to use all core.
        set round-robin enable
        set affinity-cpumask "0xF" <----- This will change based on the requirement.
    next
end