Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
maulishshah
Staff
Staff

Created on ‎11-27-2024 06:00 AM Edited on ‎03-24-2025 05:07 AM By Community Manager

Article Id 360560

Technical Tip: How to distribute IPsec traffic across all CPU Cores in FortiGate VM

Description This article describes what configuration changes are required to distribute IPSEC traffic across multiple CPU cores. 
Scope FortiGate VM.
Solution

For VM configuration, it is necessary to follow the following configuration.

Understand what would be rx-ring parameters set and it is necessary to configure the ring-rx parameter on the physical interface where the tunnel was built. Later, assign the CPU affinity mask.

The final configuration would look like, supposing a tunnel built on physical interface port2:

 

config system interface
    edit "port2"
        set ring-rx 1024
        set ring-tx 1024
end

 

config system affinity-packet-redistribution
    edit 1
        set interface "port2"
        set rxqid 255     <-----  255 value use when want to use all core.
        set round-robin enable
        set affinity-cpumask "0xF" <----- This will change based on the requirement.
    next
end
798
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.