Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

OlegVoit
New Contributor

FortiGate-VM and Remote Access VPN

Hello everyone.
We're going to implement a remote access VPN solution for ~4 000 users (in peak, not always) and now trying to choose between a hardware FortiGate and a virtual appliance.
Are there any limitations of a VM-based FortiGate in comparison with a hardware one? Are there any tips and tricks regarding Fortigate-VM VPN that we need to know? Is licensing the same?
There is little to no information about virtual appliances in the context of VPN on Fortinet website, so maybe someone has a personal experience.

All your help will be greatly appreciated.
Thanks!


------------------------------
------------------------------------
Oleg Voitov
Network Engineer
------------------------------
1 Solution
PhilCoak
New Contributor

Hi Oleg

Potential peak usage of ~ 4000 users isn't a trivial load.  Many of the hardware FortiGate's a specially designed ASIC which is responsible for processing certain types of traffic. One of these ASICs is called the Network Processor, or NP.  IPsec traffic can be offloaded to the NP to greatly reduce load on the CPU, as well as dramatically increasing potential throughput on the IPsec tunnel. 

For the application load you are considering, it would be hardware all the way for me!



------------------------------
Philip Coakes
ICT Infrastructure Technical Lead
------------------------------

View solution in original post

2 REPLIES 2
PhilCoak
New Contributor

Hi Oleg

Potential peak usage of ~ 4000 users isn't a trivial load.  Many of the hardware FortiGate's a specially designed ASIC which is responsible for processing certain types of traffic. One of these ASICs is called the Network Processor, or NP.  IPsec traffic can be offloaded to the NP to greatly reduce load on the CPU, as well as dramatically increasing potential throughput on the IPsec tunnel. 

For the application load you are considering, it would be hardware all the way for me!



------------------------------
Philip Coakes
ICT Infrastructure Technical Lead
------------------------------

justinpowell_FTNT

I agree with Philip.  I think in this scenario your cost will come out far lower with hardware as well once you consider server resources, VMware licensing and setup.  Even if you are on a shared infrastructure those are real costs. 

Also, it is much easier to predict required resources when picking a FortiGate appliance versus how many vCPUs and RAM you'll need from a VM.  
Something like a FortiGate-401E would probably be suited for what you are looking at based solely on the user count.  

As far as the VM goes, there is nothing different in configuration of the VM FGT vs Hardware FGT unless you are trying to take advantage of hardware acceleration technologies like SR-IOV or DPDK.  If using those technologies then you'll have a bit of extra work on the VMware and FortiGate configuration.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.