Prepare the Linux Server
- Verify that you have installed and configured KVM tools and packages that are required for creating and managing virtual machines, such as Libvirt.
- If you want to use a SCSI disk controller to access the disk to which the VM-Series firewall stores data, you must use virsh to attach the virtio-scsi controller to the VM-Series firewall. You can then edit the XML template of the VM-Series firewall to enable the use of the virtio-scsi controller. For instructions, see Enable the Use of a SCSI Controller.KVM on Ubuntu 12.04 does not support the virtio-scsi controller.
- Verify that you have set up the networking infrastructure for steering traffic between the guests and the VM-Series firewall and for connectivity to an external server or the Internet. The VM-Series firewall can connect using a Linux bridge, the Open vSwitch, PCI passthrough, or SR-IOV capable network card.
- Make sure that the link state for all interfaces you plan to use are up, sometimes you have to manually bring them up.
- Verify the PCI ID of all the interfaces. To view the list, use the command:Virsh nodedev-list –tree
- If using a Linux bridge or OVS, verify that you have set up the bridges required to send/receive traffic to/from the firewall. If not, create bridge(s) and verify that they are up before you begin installing the firewall.
- If using PCI-passthrough or SR-IOV, verify that the virtualization extensions (VT-d/IOMMU) are enabled in the BIOS. For example, to enable IOMMU,intel_iommu=onmust be defined in /etc/grub.conf. Refer to the documentation provided by your system vendor for instructions.
- If using PCI-passthrough, ensure that the VM-Series firewall has exclusive access to the interface(s) that you plan to attach to it.To allow exclusive access, you must manually detach the interface(s) from the Linux server; Refer to the documentation provided by your network card vendor for instructions.To manually detach the interface(s) from the server., use the command:Virsh nodedev-detach<pci id of interface>For example,pci_0000_07_10_0In some cases, in /etc/libvirt/qemu.conf, you may have to uncommentrelaxed_acs_check = 1.
- If using SR-IOV, verify that the virtual function capability is enabled for each port that you plan to use on the network card. With SR-IOV, a single Ethernet port (physical function) can be split into multiple virtual functions. A guest can be mapped to one or more virtual functions.To enable virtual functions, you need to:1. Create a new file in this location: /etc/modprobe.d/2. Modify the file using the vi editor to make the functions persistent: vim /etc/modprobe.d/igb.conf3. Enable the number of number of virtual functions required: options igb max_vfs=4After you save the changes and reboot the Linux server, each interface (or physical function) in this example will have 4 virtual functions.Refer to the documentation provided by your network vendor for details on the actual number of virtual functions supported and for instructions to enable it.
- Configure the host for maximum VM-Series performance. Refer to Performance Tuning of the VM-Series for KVM for information about configuring each option.
- Enable DPDK. DPDK allows the host to process packets faster by bypassing the Linux kernel. Instead, interactions with the NIC are performed using drivers and the DPDK libraries. Open vSwitch is required to use DPDK with the VM-Series firewall.
- Enable SR-IOV. Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest.
- Enable multi-queue support for NICs. Multi-queue virtio-net allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues.
- Isolate CPU Resource in a NUMA Node. You can improve performance of VM-Series on KVM by isolating the CPU resources of the guest VM to a single non-uniform memory access (NUMA) node.
VM-Series on ESXi System Requirements
VM-Series on ESXi System Requirements You can create and deploy multiple instances of the VM-Series firewall on an ESXi server. Because each instance of the ...
Performance Tuning of the VM-Series for KVM
Performance Tuning of the VM-Series for KVM The VM-Series firewall for KVM is a high-performance appliance but may require tuning of the hypervisor to achieve ...
Secure Traffic Across Linux hosts
Secure Traffic Across Linux hosts To secure your workloads, more than one instance of the VM-Series firewalls can be deployed on a Linux host. If, ...
VM-Series on KVM—Requirements and Prerequisites
VM-Series on KVM— Requirements and Prerequisites VM-Series on KVM System Requirements Options for Attaching the VM-Series on the Network Prerequisites for VM-Series on KVM VM-Series ...
Enable the Use of a SCSI Controller
Enable the Use of a SCSI Controller If you want the VM-Series firewall to use the disk bus type SCSI to access the virtual disk, ...
Performance Tuning of the VM-Series for ESXi
Performance Tuning of the VM-Series for ESXi The VM-Series firewall for ESXi is a high-performance appliance but may require tuning of the hypervisor to achieve ...
Provision the VM-Series Firewall on a KVM Host
Provision the VM-Series Firewall on a KVM Host Use the following instructions to provision the KVM host for the VM-Series firewall. Create a new virtual ...
Supported Deployments on KVM
Supported Deployments on KVM You can deploy a single instance of the VM-Series firewall per Linux host (single tenant) or multiple instances of the VM-Series ...
Options for Attaching the VM-Series on the Network
Options for Attaching the VM-Series on the Network With a Linux bridge or OVS, data traffic uses the software bridge to connect guests on the ...