Skip to main content
dave_iland
dave_iland
New Member
November 7, 2014
Question

FortiGate VM + vCloud Director / Poor Performance

  • November 7, 2014
  • 3 replies
  • 24011 views

Has anyone here deployed a FortiGate VM in a vCloud Director environment? I am getting extremely poor performance with the FortiGate VM in my VCD environment. Here is how I have it setup:

 

FortiGate VM 64-bit, VMware version (hardware profile 7, vmxnet3)

Firmware 5.2.1

2 x CPU, 4GB of RAM (VM02 demo license)

port1 = VCD Direct Network (goes to a public /28 attached directly to our Cisco ASRs)

port2 = VCD isolated network used for the LAN

port3 = VCD isolated network used for the DMZ

 

The FortiGate VM is configured to act as the firewall and router for all 3 networks. North-South traffic seems to flow ok (LAN <-> WAN, and DMZ <-> WAN), but east-west traffic (LAN <-> DMZ) performs extremely poor. Something simple as copying a file between a host on the LAN and the DMZ takes forever (transfer rate <1Mbps). The configuration is as simple as it gets: All UTM  functionality is turned off, two NAT policies to allow the LAN and DMZ to get out to the internet, and two rules to allow all traffic between the LAN & DMZ.

 

I can swap the FortiGate VM out for VyOS, pfSense, or vShield Edge...and with those 3 virtual appliances I can get file transfer speeds >250MB/sec. So I don't think it's a problem with the underlying infrastructure (Cisco UCS blades/chassis, Cisco Nexus 5596UP switches), otherwise I would expect similar results with the other appliances.

 

I'm working on a case with F-TAC right now, but I wanted to see if anyone out there had had a similar experience.

 

Anyone?

3 replies

Dave_Hall
Dave_Hall
New Member
November 7, 2014

If this was real hardware, I would suspect a duplex/speed mismatch on the ports between the LAN and DMZ.  Just curious to know if jumbo frames are enabled?

dave_iland
dave_ilandAuthor
New Member
November 7, 2014

Dave Hall wrote:

If this was real hardware, I would suspect a duplex/speed mismatch on the ports between the LAN and DMZ.  Just curious to know if jumbo frames are enabled?

The MTU on the Nexus switches is set to 9216. Jumbo frames are enabled all the way through the environment. Overriding the MTU on the FortiGate VM did not have any noticeable effect on the performance problem (neither positive or negative).

Baptiste
Baptiste
New Member
November 12, 2014

Hello,

I had an issue some years ago but not with fortinet VM, it was a Stonesoft FW VM.

Vm was bundle with vmxnet3 : slow transfert rate

We change it to E1000 : transfert ok

If it can help... 

Dave_Hall
Dave_Hall
New Member
November 12, 2014

Although I do not (currently) have access to the Fortigate VM, I did do some research on this....

 

There is a problem with the network driver (cited in one of the firmware releases, though can't remember which release), but was supposedly fixed in later releases.  But as part of the troubleshooting process, it wouldn't hurt to try alternate drivers.

 

When setting up the Fortigate VM, there is a NIC section where you define the in/out bandwidth for each port. I am assuming this part is set up correctly?

 

I'm curious to know what kind if info is returned if you perform a "get hardware nic <interface name>" on the CLI inside the Fortigate VM (For all ports involved).

sofatime
sofatime
New Member
November 24, 2014

Hi,

 

We are using a similar setup and don't have performance problems.

Are snapshots working ok for you? We had problems when using vmxnet2 or vmxnet3, see here:

https://forum.fortinet.com/tm.aspx?m=111912

 

Daniel

Terms & ConditionsAccessibility statement