IPsec/SSL VPN


FortiGate-VM and Remote Access VPN

  • 1.  FortiGate-VM and Remote Access VPN

    Posted Mar 03, 2020 01:23 AM
    Hello everyone.
    We're going to implement a remote access VPN solution for ~4 000 users (at peak, not always) and are now trying to choose between a hardware FortiGate and a virtual appliance.
    Are there any limitations of a VM-based FortiGate in comparison with a hardware one? Are there any tips and tricks regarding FortiGate-VM VPN that we need to know? Is licensing the same?
    There is little to no information about virtual appliances in the context of VPN on the Fortinet website, so maybe someone has personal experience.

    All your help will be greatly appreciated.
    Thanks!


    ------------------------------
    Oleg Voitov
    Network Engineer
    ------------------------------


  • 2.  RE: FortiGate-VM and Remote Access VPN

    Posted Mar 04, 2020 02:43 AM
    Hi Oleg

    Potential peak usage of ~ 4000 users isn't a trivial load. Many of the hardware FortiGates have a specially designed ASIC which is responsible for processing certain types of traffic. One of these ASICs is called the Network Processor, or NP. IPsec traffic can be offloaded to the NP to greatly reduce load on the CPU, as well as dramatically increasing potential throughput on the IPsec tunnel.

    For the application load you are considering, it would be hardware all the way for me!



    ------------------------------
    Philip Coakes
    ICT Infrastructure Technical Lead
    ------------------------------



  • 3.  RE: FortiGate-VM and Remote Access VPN

    Posted Mar 04, 2020 06:19 AM
    I agree with Philip.  I think in this scenario your cost will come out far lower with hardware as well once you consider server resources, VMware licensing and setup.  Even if you are on a shared infrastructure those are real costs. 

    Also, it is much easier to predict required resources when picking a FortiGate appliance versus how many vCPUs and RAM you'll need from a VM.  
    Something like a FortiGate-401E would probably be suited for what you are looking at based solely on the user count.  

    As far as the VM goes, there is nothing different in configuration of the VM FGT vs Hardware FGT unless you are trying to take advantage of hardware acceleration technologies like SR-IOV or DPDK.  If using those technologies then you'll have a bit of extra work on the VMware and FortiGate configuration.