Private Cloud Security | Products | Fortinet Network Security
DATA SHEET

FortiGate®-VM on Linux KVM

Next Generation Firewall

The FortiGate-VM on Linux KVM delivers next generation firewall capabilities for organizations of all sizes. It protects against cyber threats with high performance, security efficacy, and deep visibility.

Security
- Identifies thousands of applications inside network traffic for deep inspection and granular policy enforcement
- Protects against malware, exploits, and malicious websites in both encrypted and non-encrypted traffic
- Prevents and detects known and unknown attacks using continuous threat intelligence from AI-powered FortiGuard Labs security services

Performance
- Delivers industry's best threat protection performance and ultra-low latency using purpose-built security processor (SPU) technology with DPDK+vNP offloading and SR-IOV technologies
- Provides industry-leading performance and protection for SSL encrypted traffic
- Supports Intel QuickAssist (QAT) acceleration for throughput improvements on IPsec VPN

Certification
- Independently tested and validated for best-in-class security effectiveness and performance
- Received unparalleled third-party certifications from NSS Labs

Networking
- Delivers advanced networking capabilities that seamlessly integrate with advanced layer 7 security and virtual domains (VDOMs) to offer extensive deployment flexibility, multi-tenancy and effective utilization of resources (only BYOL supports VDOM)
- Delivers high-density, flexible combination of various high-speed interfaces to enable best TCO for customers for data center and WAN deployments

Management
- Includes a management console that is effective, simple to use, and provides comprehensive network automation and visibility
- Provides Zero Touch Integration with Fortinet's Security Fabric's Single Pane of Glass Management
- Predefined compliance checklist analyzes the deployment and highlights best practices to improve overall security posture

Security Fabric
- Enables Fortinet and Fabric-ready partners' products to provide broader visibility, integrated end-to-end detection, threat intelligence sharing, and automated remediation
- Out-of-the-box integration and orchestration with leading SDN platforms

Fortinet's comprehensive security virtual appliance lineup supports KVM: FortiManager, FortiAnalyzer, FortiSandbox, FortiAuthenticator, FortiSIEM, FortiWeb, FortiMail

DEPLOYMENT

Next Generation Firewall (NGFW)
- Reduce complexity by combining threat protection security capabilities into single high-performance network security appliances
- Identify and stop threats with powerful intrusion prevention beyond port and protocol that examines the actual applications in your network traffic
- Delivers the industry's highest SSL inspection performance using industry-mandated ciphers while maximizing ROI
- Proactively blocks newly discovered sophisticated attacks in real-time with advanced threat protection

Gain comprehensive visibility and apply consistent control

TECHNOLOGIES

SR-IOV (Single Root I/O Virtualization)
When SR-IOV is enabled on the KVM host, a single physical network controller can be partitioned into multiple virtual interfaces (called virtual functions (VFs)), consisting of an ESXi virtual network pool of adapters, which can be used by local host processors or directly by virtual machines like the FortiGate-VM. The VM then talks directly to the network adapters through Direct Memory Access (DMA), bypassing virtualization transports, which improves north-south network performance.

Data Plane Development Kit (DPDK) and vNP Offloading
DPDK and vNP enhance FortiGate-VM performance by offloading part of packet processing to userspace while bypassing the kernel within the operating system. The capability must be enabled and configured with FortiGate CLI commands.
FORTINET SECURITY FABRIC

Security Fabric
The industry's highest-performing cybersecurity platform, powered by FortiOS, with a rich ecosystem designed to span the extended digital attack surface, delivering fully automated, self-healing network security.
- Broad: Coordinated detection and enforcement across the entire digital attack surface and lifecycle with converged networking and security across edges, clouds, endpoints and users
- Integrated: Integrated and unified security, operation, and performance across different technologies, locations, deployment options, and the richest ecosystem
- Automated: Context-aware, self-healing network and security posture leveraging cloud-scale and advanced AI to automatically deliver near-real-time, user-to-application coordinated protection across the Fabric

The Fabric empowers organizations of any size to secure and simplify their hybrid infrastructure on the journey to digital innovation.

[Figure: Fortinet Security Fabric. Labels: Fabric Mgmt. Center NOC; Fabric Security Operations SOC; Zero Trust Access; Adaptive Cloud Security; FortiOS; FortiGuard Threat Intelligence; Security-Driven Networking; Open Ecosystem]

FortiOS™ Operating System
FortiOS, Fortinet's leading operating system, enables the convergence of high-performing networking and security across the Fortinet Security Fabric, delivering a consistent and context-aware security posture across networks, endpoints, and clouds. The organically built best-of-breed capabilities and unified approach allow organizations to run their businesses without compromising performance or protection, support seamless scalability, and simplify innovation consumption.

The release of FortiOS 7 dramatically expands the Fortinet Security Fabric's ability to deliver consistent security across hybrid deployment models consisting of appliances, software and As-a-Service with SASE, ZTNA and other emerging cybersecurity solutions.
SERVICES

FortiGuard™ Security Services
FortiGuard Labs offers real-time intelligence on the threat landscape, delivering comprehensive security updates across the full range of Fortinet's solutions. Comprised of security threat researchers, engineers, and forensic specialists, the team collaborates with the world's leading threat monitoring organizations and other network and security vendors, as well as law enforcement agencies.

FortiCare™ Services
Fortinet is dedicated to helping our customers succeed, and every year FortiCare services help thousands of organizations get the most from their Fortinet Security Fabric solution. We have more than 1,000 experts to help accelerate technology implementation, provide reliable assistance through advanced support, and offer proactive care to maximize security and performance of Fortinet deployments.

SPECIFICATIONS

Technical Specifications | FORTIGATE-VM01/01V/01S | FORTIGATE-VM02/02V/02S | FORTIGATE-VM04/04V/04S | FORTIGATE-VM08/08V/08S
vCPU Support (Minimum / Maximum) | 1 / 1 | 1 / 2 | 1 / 4 | 1 / 8
Memory Support (Minimum) | 2 GB | 2 GB | 2 GB | 2 GB
Network Interface Support (Minimum / Maximum) (1) | 1 / 24 | 1 / 24 | 1 / 24 | 1 / 24
Storage Support (Minimum / Maximum) | 32 GB / 2 TB | 32 GB / 2 TB | 32 GB / 2 TB | 32 GB / 2 TB
Wireless Access Points Controlled (Tunnel / Global) | 32 / 64 | 512 / 1,024 | 512 / 1,024 | 1,024 / 4,096
Virtual Domains (Default / Maximum) (2) | 10 / 10 | 10 / 25 | 10 / 50 | 10 / 500
Firewall Policies | 10,000 | 10,000 | 10,000 | 200,000
Maximum Number of Registered Endpoints | 2,000 | 2,000 | 8,000 | 20,000
Unlimited User License | Yes | Yes | Yes | Yes

System Performance, FORTIGATE-VM01/01V/01S | Paravirtualized | SR-IOV/vSPU-off | SR-IOV/vSPU-on
Firewall Throughput (UDP Packets, 1518 Byte) | 5.9 Gbps | 12.2 Gbps | N/A
New Sessions / Second (TCP) | 130K | 130K | N/A
IPsec VPN Throughput (AES256+SHA1, UDP Packets, 1360 Byte) | 1.2 Gbps | 1.2 Gbps | N/A
Gateway-to-Gateway IPsec VPN Tunnels | 10K | 10K | N/A
Client-to-Gateway IPsec VPN Tunnels | 10K | 10K | N/A
SSL VPN Throughput | 1 Gbps | 1.4 Gbps | N/A
Concurrent SSL VPN Users (Recommended Maximum) | 10K | 10K | N/A
IPS Throughput (Enterprise Mix) (3) | 0.53 Gbps | 1.9 Gbps | N/A
IPS Throughput (HTTP 1M) | 0.51 Gbps | 3.5 Gbps | N/A
Application Control Throughput (HTTP 64K) (4) | 0.62 Gbps | 1.6 Gbps | N/A
NGFW Throughput (Enterprise Mix) (5) | 0.45 Gbps | 1.3 Gbps | N/A
Threat Protection Throughput (Enterprise Mix) (6) | 0.42 Gbps | 1.1 Gbps | N/A

System Performance, FORTIGATE-VM02/02V/02S | Paravirtualized | SR-IOV/vSPU-off | SR-IOV/vSPU-on
Firewall Throughput (UDP Packets, 1518 Byte) | 8.1 Gbps | 17.2 Gbps | 33.7 Gbps
New Sessions / Second (TCP) | 200K | 200K | 200K
IPsec VPN Throughput (AES256+SHA1, UDP Packets, 1360 Byte) | 2.3 Gbps | 2.3 Gbps | N/A
Gateway-to-Gateway IPsec VPN Tunnels | 32K | 32K | 32K
Client-to-Gateway IPsec VPN Tunnels | 32K | 32K | 32K
SSL VPN Throughput | 1 Gbps | 1.5 Gbps | N/A
Concurrent SSL VPN Users (Recommended Maximum) | 24K | 24K | 24K
IPS Throughput (Enterprise Mix) (3) | 1.5 Gbps | 3.3 Gbps | 3.6 Gbps
IPS Throughput (HTTP 1M) | 0.96 Gbps | 5.4 Gbps | 7.7 Gbps
Application Control Throughput (HTTP 64K) (4) | 1.9 Gbps | 2.8 Gbps | 3.5 Gbps
NGFW Throughput (Enterprise Mix) (5) | 1 Gbps | 2.5 Gbps | 3 Gbps
Threat Protection Throughput (Enterprise Mix) (6) | 0.86 Gbps | 1.5 Gbps | 2.8 Gbps

System Performance, FORTIGATE-VM04/04V/04S | Paravirtualized | SR-IOV/vSPU-off | SR-IOV/vSPU-on
Firewall Throughput (UDP Packets, 1518 Byte) | 12.3 Gbps | 33 Gbps | 61 Gbps
New Sessions / Second (TCP) | 290K | 290K | 290K
IPsec VPN Throughput (AES256+SHA1, UDP Packets, 1360 Byte) | 5.1 Gbps | 5.1 Gbps | N/A
Gateway-to-Gateway IPsec VPN Tunnels | 40K | 40K | 40K
Client-to-Gateway IPsec VPN Tunnels | 40K | 40K | 40K
SSL VPN Throughput | 2.1 Gbps | 3.7 Gbps | N/A
Concurrent SSL VPN Users (Recommended Maximum) | 35K | 35K | 35K
IPS Throughput (Enterprise Mix) (3) | 2.5 Gbps | 5.5 Gbps | 6.2 Gbps
IPS Throughput (HTTP 1M) | 2.4 Gbps | 9.4 Gbps | 14.3 Gbps
Application Control Throughput (HTTP 64K) (4) | 3.3 Gbps | 6.0 Gbps | 8.5 Gbps
NGFW Throughput (Enterprise Mix) (5) | 2.1 Gbps | 4.4 Gbps | 5 Gbps
Threat Protection Throughput (Enterprise Mix) (6) | 2.1 Gbps | 2.8 Gbps | 4.9 Gbps

System Performance, FORTIGATE-VM08/08V/08S | Paravirtualized | SR-IOV/vSPU-off | SR-IOV/vSPU-on
Firewall Throughput (UDP Packets, 1518 Byte) | 20.6 Gbps | 61.8 Gbps | 114.3 Gbps
New Sessions / Second (TCP) | 520K | 520K | 520K
IPsec VPN Throughput (AES256+SHA1, UDP Packets, 1360 Byte) | 9 Gbps | 9 Gbps | N/A
Gateway-to-Gateway IPsec VPN Tunnels | 50K | 50K | 50K
Client-to-Gateway IPsec VPN Tunnels | 50K | 50K | 50K
SSL VPN Throughput | 5.5 Gbps | 7.5 Gbps | N/A
Concurrent SSL VPN Users (Recommended Maximum) | 75K | 75K | 75K
IPS Throughput (Enterprise Mix) (3) | 4.2 Gbps | 8.3 Gbps | 13 Gbps
IPS Throughput (HTTP 1M) | 4.4 Gbps | 15.5 Gbps | 26.6 Gbps
Application Control Throughput (HTTP 64K) (4) | 5.7 Gbps | 13 Gbps | 14 Gbps
NGFW Throughput (Enterprise Mix) (5) | 3.3 Gbps | 7.6 Gbps | 9.2 Gbps
Threat Protection Throughput (Enterprise Mix) (6) | 3.5 Gbps | 5 Gbps | 8.8 Gbps

Note: All performance values are "up to" and vary depending on system configuration. Actual performance may vary depending on the network and system configuration. Please note that these metrics are updated periodically as the product performance keeps improving through internal testing. The discrepancy in the performance numbers may be noted in different versions of the document so please make sure to refer to the latest datasheets. Performance metrics were observed using DELL R740 (CPU Intel Xeon Platinum 8168 @ 2.7 GHz, 96 cores, Intel X710 network adapters). Tested with FortiOS 6.4.4 running on an Ubuntu 19.04 kernel 5.0.0-38 KVM (qemu and libvirt). vSPU refers to the combination of FortiOS vNP and DPDK libraries in the FortiGate VM. vNP is the software emulation of a subset of Fortinet's Network Processor (NP). Virtio was used as the paravirtualized NIC.
1. Applicable to 6.4.0+. The actual working number of consumable network interfaces varies depending on Linux KVM instance types/sizes and may be less.
2. FG-VMxxV and FG-VMxxS series do not come with a multi-VDOM feature by default. You can add it by applying separate VDOM addition perpetual licenses. See ORDER INFORMATION for VDOM SKUs.
3. Measured using Intel QAT card model 8970.
4. RAM sizes are allocated to each FG-VM instance as follows: FG-VM01; 4GB / FG-VM02; 8GB / FG-VM04; 12GB / FG-VM08; 24GB / FG-VM16; 48GB / FG-VM32; 96GB.
Technical Specifications | FORTIGATE-VM16/16V/16S | FORTIGATE-VM32/32V/32S | FORTIGATE-VMUL/ULV/ULS
vCPU Support (Minimum / Maximum) | 1 / 16 | 1 / 32 | 1 / unlimited
Memory Support (Minimum) | 2 GB | 2 GB | 2 GB
Network Interface Support (Minimum / Maximum) (1) | 1 / 24 | 1 / 24 | 1 / 24
Storage Support (Minimum / Maximum) | 32 GB / 2 TB | 32 GB / 2 TB | 32 GB / 2 TB
Wireless Access Points Controlled (Tunnel / Global) | 1,024 / 4,096 | 1,024 / 4,096 | 1,024 / 4,096
Virtual Domains (Default / Maximum) (2) | 10 / 500 | 10 / 500 | 10 / 500
Firewall Policies | 200,000 | 200,000 | 200,000
Maximum Number of Registered Endpoints | 20,000 | 20,000 | 20,000
Unlimited User License | Yes | Yes | Yes

System Performance, FORTIGATE-VM16/16V/16S | Paravirtualized | SR-IOV/vSPU-off | SR-IOV/vSPU-on
Firewall Throughput (UDP Packets, 1518 Byte) | 25 Gbps | 77.8 Gbps | 107.1 Gbps
New Sessions / Second (TCP) | 680K | 680K | 680K
IPsec VPN Throughput (AES256+SHA1, UDP Packets, 1360 Byte) | 13.2 Gbps | 13.2 Gbps | N/A
Gateway-to-Gateway IPsec VPN Tunnels | 50K | 50K | 50K
Client-to-Gateway IPsec VPN Tunnels | 50K | 50K | 50K
SSL VPN Throughput | 6.3 Gbps | 9.4 Gbps | N/A
Concurrent SSL VPN Users (Recommended Maximum) | 150K | 150K | 150K
IPS Throughput (Enterprise Mix) (3) | 5.4 Gbps | 14.7 Gbps | 24 Gbps
IPS Throughput (HTTP 1M) | 8 Gbps | 26.7 Gbps | 34.5 Gbps
Application Control Throughput (HTTP 64K) (4) | 9.2 Gbps | 25 Gbps | 27 Gbps
NGFW Throughput (Enterprise Mix) (5) | 6 Gbps | 11.5 Gbps | 11.5 Gbps
Threat Protection Throughput (Enterprise Mix) (6) | 5.4 Gbps | 9.6 Gbps | 11.3 Gbps

System Performance, FORTIGATE-VM32/32V/32S | Paravirtualized | SR-IOV/vSPU-off | SR-IOV/vSPU-on
Firewall Throughput (UDP Packets, 1518 Byte) | 29.4 Gbps | 76.5 Gbps | 110.4 Gbps
New Sessions / Second (TCP) | 850K | 850K | 850K
IPsec VPN Throughput (AES256+SHA1, UDP Packets, 1360 Byte) | 18.8 Gbps | 18.8 Gbps | N/A
Gateway-to-Gateway IPsec VPN Tunnels | 50K | 50K | 50K
Client-to-Gateway IPsec VPN Tunnels | 50K | 50K | 50K
SSL VPN Throughput | 8.4 Gbps | 10 Gbps | N/A
Concurrent SSL VPN Users (Recommended Maximum) | 320K | 320K | 320K
IPS Throughput (Enterprise Mix) (3) | 7.1 Gbps | 15.1 Gbps | 26.6 Gbps
IPS Throughput (HTTP 1M) | 11.2 Gbps | 40.9 Gbps | 45.7 Gbps
Application Control Throughput (HTTP 64K) (4) | 10.4 Gbps | 33 Gbps | 34 Gbps
NGFW Throughput (Enterprise Mix) (5) | 8 Gbps | 11.5 Gbps | 18 Gbps
Threat Protection Throughput (Enterprise Mix) (6) | 7 Gbps | 11.5 Gbps | 11.6 Gbps
For the sizing guide, please refer to the sizing document available on www.fortinet.com.

ORDERING INFORMATION

The following SKUs adopt the perpetual licensing scheme:

Product | SKU | Description
FortiGate-VM01 | FG-VM01, FG-VM01V | FortiGate-VM 'virtual appliance.' 1x vCPU core. No VDOM by default for FG-VM01V model.
FortiGate-VM02 | FG-VM02, FG-VM02V | FortiGate-VM 'virtual appliance.' 2x vCPU cores. No VDOM by default for FG-VM02V model.
FortiGate-VM04 | FG-VM04, FG-VM04V | FortiGate-VM 'virtual appliance.' 4x vCPU cores. No VDOM by default for FG-VM04V model.
FortiGate-VM08 | FG-VM08, FG-VM08V | FortiGate-VM 'virtual appliance.' 8x vCPU cores. No VDOM by default for FG-VM08V model.
FortiGate-VM16 | FG-VM16, FG-VM16V | FortiGate-VM 'virtual appliance.' 16x vCPU cores. No VDOM by default for FG-VM016V model.
FortiGate-VM32 | FG-VM32, FG-VM32V | FortiGate-VM 'virtual appliance.' 32x vCPU cores. No VDOM by default for FG-VM032V model.
FortiGate-VMUL | FG-VMUL, FG-VMULV | FortiGate-VM 'virtual appliance.' Unlimited vCPU cores. No VDOM by default for FG-VMULV model.

Optional Accessories/Spares | SKU | Description
Virtual Domain License Add 5 | FG-VDOM-5-UG | Upgrade license for adding 5 VDOMs to FortiOS 5.4 and later, limited by platform maximum VDOM capacity.
Virtual Domain License Add 15 | FG-VDOM-15-UG | Upgrade license for adding 15 VDOMs to FortiOS 5.4 and later, limited by platform maximum VDOM capacity.
Virtual Domain License Add 25 | FG-VDOM-25-UG | Upgrade license for adding 25 VDOMs to FortiOS 5.4 and later, limited by platform maximum VDOM capacity.
Virtual Domain License Add 50 | FG-VDOM-50-UG | Upgrade license for adding 50 VDOMs to FortiOS 5.4 and later, limited by platform maximum VDOM capacity.
Virtual Domain License Add 240 | FG-VDOM-240-UG | Upgrade license for adding 240 VDOMs to FortiOS 5.4 and later, limited by platform maximum VDOM capacity.
FortiGate-VM 6.2.2 no longer has RAM restriction on all vCPU models while prior versions still restrict RAM sizes per model. Upgrade to 6.2.2 is necessary to remove the restriction.

The following SKUs adopt the annual subscription licensing scheme:

Product | SKU | Description
FortiGate-VM01-S | FC1-10-FGVVS-<Support Bundle>-02-DD | Subscription license for FortiGate-VM (1 vCPU core)
FortiGate-VM02-S | FC2-10-FGVVS-<Support Bundle>-02-DD | Subscription license for FortiGate-VM (2 vCPU cores)
FortiGate-VM04-S | FC3-10-FGVVS-<Support Bundle>-02-DD | Subscription license for FortiGate-VM (4 vCPU cores)
FortiGate-VM08-S | FC4-10-FGVVS-<Support Bundle>-02-DD | Subscription license for FortiGate-VM (8 vCPU cores)
FortiGate-VM16-S | FC5-10-FGVVS-<Support Bundle>-02-DD | Subscription license for FortiGate-VM (16 vCPU cores)
FortiGate-VM32-S | FC6-10-FGVVS-<Support Bundle>-02-DD | Subscription license for FortiGate-VM (32 vCPU cores)
FortiGate-VMUL-S | FC7-10-FGVVS-<Support Bundle>-02-DD | Subscription license for FortiGate-VM (Unlimited vCPU cores)

Support Bundle | Description
258 | FortiCare services (only) included
815 | Enterprise Bundle included
820 | 360 Protection Bundle included
990 | UTP Bundle included

FortiOS 6.2.3+ and 6.4.0+ support the FortiGate-VM S-series. The FortiGate-VM S-series does not have RAM restrictions on all vCPU levels. FortiManager 6.2.3+ and 6.4.0+ support managing FortiGate-VM S-series devices.

BUNDLES

FortiGuard Bundle
FortiGuard Labs delivers a number of security intelligence services to augment the FortiGate firewall platform. You can easily optimize the protection capabilities of your FortiGate with one of these FortiGuard Bundles.
Bundles (FortiCare level):
- 360 Protection: ASE (1)
- Enterprise Protection: 24x7
- Unified Threat Protection: 24x7
- Advanced Threat Protection: 24x7

Services listed in the bundle table:
- FortiGuard App Control Service
- FortiGuard IPS Service
- FortiGuard Advanced Malware Protection (AMP): Antivirus, Mobile Malware, Botnet, CDR, Virus Outbreak Protection and FortiSandbox Cloud Service
- FortiGuard Web and Video (2) Filtering Service
- FortiGuard Antispam Service
- FortiGuard Security Rating Service
- FortiGuard IoT Detection Service
- FortiGuard Industrial Service
- FortiConverter Service
- SD-WAN Orchestrator Entitlement
- SD-WAN Cloud Assisted Monitoring
- SD-WAN Overlay Controller VPN Service
- Fortinet SOCaaS
- FortiAnalyzer Cloud
- FortiManager Cloud

1. 24x7 plus Advanced Services Ticket Handling
2. Available when running FortiOS 7.0

www.fortinet.com

Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet.
For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

FG-VM-KVM-DAT-R20-20210723