Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

OlegVoit
New Contributor

FortiGate-VM and Remote Access VPN

Hello everyone.
We're going to implement a remote access VPN solution for ~4 000 users (at peak, not always) and are now trying to choose between a hardware FortiGate and a virtual appliance.
Are there any limitations of a VM-based FortiGate in comparison with a hardware one? Are there any tips and tricks regarding FortiGate-VM VPN that we need to know? Is licensing the same?
There is little to no information about virtual appliances in the context of VPN on the Fortinet website, so maybe someone has personal experience.

All your help will be greatly appreciated.
Thanks!


------------------------------
Oleg Voitov
Network Engineer
------------------------------
1 Solution
PhilCoak
New Contributor

Hi Oleg

Potential peak usage of ~4000 users isn't a trivial load. Many of the hardware FortiGates have a specially designed ASIC which is responsible for processing certain types of traffic. One of these ASICs is called the Network Processor, or NP. IPsec traffic can be offloaded to the NP to greatly reduce load on the CPU, as well as dramatically increasing potential throughput on the IPsec tunnel.

For the application load you are considering, it would be hardware all the way for me!



------------------------------
Philip Coakes
ICT Infrastructure Technical Lead
------------------------------


justinpowell_FTNT

I agree with Philip. I think in this scenario your cost will come out far lower with hardware as well once you consider server resources, VMware licensing and setup. Even if you are on shared infrastructure, those are real costs.

Also, it is much easier to predict required resources when picking a FortiGate appliance versus how many vCPUs and how much RAM you'll need for a VM.
Something like a FortiGate-401E would probably be suited for what you are looking at, based solely on the user count.

As far as the VM goes, there is nothing different in the configuration of a VM FGT vs a hardware FGT unless you are trying to take advantage of hardware acceleration technologies like SR-IOV or DPDK. If using those technologies, then you'll have a bit of extra work in the VMware and FortiGate configuration.
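Added example, not from either reply and not Fortinet's own documentation: a FortiOS CLI fragment for a dialup (remote access) IPsec phase 1 with NP offload left enabled, followed by the diagnose commands a practitioner would use to confirm whether a given tunnel is actually being offloaded, which is the practical way to test the NP point above on a specific box and to see the difference on a FortiGate-VM. The tunnel name "ra-vpn", the interface "port1", the proposals and the shared-secret placeholder are assumptions; syntax is as used in FortiOS 6.x/7.x and should be checked against the release in use.

```text
# Added example: dialup IPsec phase 1 with NP offload kept enabled.
# Tunnel name, interface, proposals and PSK placeholder are assumptions.
config vpn ipsec phase1-interface
    edit "ra-vpn"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256gcm-prfsha384 aes128gcm-prfsha256
        set dhgrp 19 20
        # default on NP-equipped hardware; has nothing to offload to on FortiGate-VM
        set npu-offload enable
        set psksecret <shared-secret>
    next
end
config vpn ipsec phase2-interface
    edit "ra-vpn-p2"
        set phase1name "ra-vpn"
        set proposal aes256gcm aes128gcm
    next
end

# After a client has connected, check IKE state and the tunnel's offload status:
diagnose vpn ike gateway list
diagnose vpn tunnel list name ra-vpn
# On NP-equipped hardware the tunnel list shows a non-zero npu_flag for SAs
# that were offloaded; on a VM (no NP) it stays 0 and all IPsec crypto runs
# on the vCPUs.
```

Whether a particular model and firmware offloads a particular cipher is platform-specific, so the diagnose output, not the config line, is the check that matters. SR-IOV and DPDK speed up packet I/O into the VM; they are not a substitute for NP IPsec offload, which is why the VM will stay CPU-bound on the crypto even with them configured.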