4.7. System Management

Upgrades Under VMware

When running cOS Core under a VMware server, upgrades of cOS Core can be done just as they are done on a single physical computer, by installing upgrade packages through the normal cOS Core user interfaces. It is not necessary to create a new virtual machine for a new version.

Virtual Network Performance

When using a VMware virtual network, traffic throughput can be lowered slightly when using the VMware custom (non-bridged) mode to connect a virtual interface through a virtual network to another virtual interface. This is because of the processing overhead involved in implementing the virtual network.

To avoid this performance penalty and achieve throughput which is close to "wire speed", it is recommended to use VMware bridged mode to connect virtual cOS Core interfaces directly to physical Ethernet interfaces.

Resource Allocation

VMware allows the administrator the option to guarantee as well as limit resource allocation for each virtual process. Guaranteeing the resources available to a single virtual firewall can be important in order to avoid a situation where other virtual firewalls consume all available resources because they may be under a sustained security attack or processing may have frozen. For the same reasons, limiting the resources consumed by a single virtual firewall can also be advisable.

Multicore Processing

When running VMware on a multicore processor, it is possible to pin one virtual machine to a separate core in order to improve performance.

When running the standard VMware server under Microsoft Windows, the Windows Set affinity command can be used to do this. This command is reached by displaying the list of processes in Task Manager and then right-clicking on the particular VMware process that is to be allocated to a single core.

With ESX or ESXi, VMware is the base operating system and forcing a virtual machine to use a separate core is done through the VMware administration interface.

Increasing IPsec Performance with AES-NI

If the underlying hardware platform supports AES-NI acceleration, this can be made use of by cOS Core to significantly accelerate IPsec throughput when AES encryption is used. This acceleration is enabled by default.

If disabled, this feature can be enabled in the Web Interface by going to Network > Interfaces and VPN > Advanced Settings and clicking the checkbox Enable AES-NI acceleration. In the CLI, use the command:

Device:/> set Settings IPsecTunnelSettings AESNIEnable=Yes

After enabling, cOS Core must be rebooted for this option to take effect.

To check if the underlying platform supports AES-NI, use the CLI command:

Device:/> cpuid

If AES-NI is supported, aes will appear in the Feature flags list in the output from the command.

Increasing the Number of Virtual Interfaces

It is possible to increase the number of virtual interfaces available with cOS Core under VMware. The procedure differs depending on the VMware product being used. The two approaches are described below.

A. With VMware ESXi

  1. Shut down cOS Core.

  2. Add the extra virtual interface(s) in VMware. All virtual interfaces must be configured to be an E1000 device.

    VMware product versions themselves may have a maximum number of virtual interfaces that can be added and this will limit additions.

    When adding a virtual interface in VMware, make sure the option Connect at power on is enabled for the interface in Virtual Machine Properties before starting the virtual machine.

  3. Restart cOS Core.

  4. Acquire a new license that allows the extra interfaces and upload it to cOS Core.

  5. If cOS Core has not yet detected all interfaces, run the CLI command pciscan so that any new interfaces are added to the configuration. The full CLI command is:

    Device:/> pciscan -cfgupdate

    An example console showing the pciscan command being used to add the new interface If4 to a cOS Core configuration is shown below.

  6. The CLI commands activate followed by commit should then be entered to save the updated configuration.

B. With VMware Server, Classic or Workstation

The steps are the same as for ESXi above except VMware must also be stopped and the relevant .VMX file must be manually changed before VMware can be restarted followed by a cOS Core restart.

In the .VMX file, locate the lines:

 ethernet0.present = "TRUE"
 ethernet1.present = "TRUE"

 ethernet0.virtualDev="e1000"
 ethernet1.virtualDev="e1000"

To add a third interface, modify these lines as follows:

 ethernet0.present = "TRUE"
 ethernet1.present = "TRUE"
 ethernet2.present = "TRUE"

 ethernet0.virtualDev="e1000"
 ethernet1.virtualDev="e1000"
 ethernet2.virtualDev="e1000"

If these file changes are not made, the added interface will default to an incorrect driver instead of e1000.
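The following is an added example, not part of the original guide and not Clavister's or VMware's own code, that automates the .VMX edit described in procedure B above: it appends the ethernetN.present and ethernetN.virtualDev lines for a new interface and then checks every present interface for the misconfiguration the guide warns about (a missing or non-e1000 virtualDev). The sample .VMX content is constructed for illustration and matches the two-interface listing above; the function names and the assumption that only these two keys matter are the example's own.

```python
"""Add a virtual NIC to a VMware .vmx file and verify that every present
ethernetN entry uses the e1000 driver, as cOS Core requires.

Added example (not Clavister's or VMware's code). It assumes the two .vmx
keys shown in the guide, ethernetN.present and ethernetN.virtualDev.
"""
import re
import sys

# Matches lines such as   ethernet1.virtualDev="e1000"   or   ethernet0.present = "TRUE"
ETH_RE = re.compile(
    r'^\s*ethernet(\d+)\.(present|virtualDev)\s*=\s*"([^"]*)"\s*$',
    re.IGNORECASE,
)

# Constructed two-interface .vmx fragment, mirroring the guide's listing.
SAMPLE_VMX = '''ethernet0.present = "TRUE"
ethernet1.present = "TRUE"

ethernet0.virtualDev="e1000"
ethernet1.virtualDev="e1000"
'''


def parse_ethernet(vmx_text):
    """Return {index: {"present": value, "virtualDev": value}} for ethernetN keys."""
    nics = {}
    for line in vmx_text.splitlines():
        m = ETH_RE.match(line)
        if m:
            idx, key, value = int(m.group(1)), m.group(2), m.group(3)
            nics.setdefault(idx, {})[key] = value
    return nics


def add_interface(vmx_text, index=None):
    """Append present/virtualDev lines for a new interface.

    With no explicit index the next free ethernetN number is used, so the
    two-interface sample gains ethernet2, exactly as in the guide.
    """
    nics = parse_ethernet(vmx_text)
    if index is None:
        index = max(nics, default=-1) + 1
    if index in nics:
        raise ValueError(f"ethernet{index} is already defined")
    new_lines = [
        f'ethernet{index}.present = "TRUE"',
        f'ethernet{index}.virtualDev="e1000"',
    ]
    if vmx_text and not vmx_text.endswith("\n"):
        vmx_text += "\n"
    return vmx_text + "\n".join(new_lines) + "\n"


def check_interfaces(vmx_text):
    """Return a list of problems for interfaces that are present but not e1000.

    A present interface with no virtualDev line is reported too, because
    VMware then falls back to a default driver other than e1000.
    """
    problems = []
    for idx, attrs in sorted(parse_ethernet(vmx_text).items()):
        if attrs.get("present", "").upper() != "TRUE":
            continue  # interface is defined but disabled; nothing to check
        dev = attrs.get("virtualDev")
        if dev is None:
            problems.append(f"ethernet{idx}: virtualDev missing, VMware will use a default driver, not e1000")
        elif dev.lower() != "e1000":
            problems.append(f"ethernet{idx}: virtualDev is {dev!r}, expected e1000")
    return problems


if __name__ == "__main__":
    # Usage: python vmx_nic.py [path/to/vm.vmx]; with no path the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VMX
    updated = add_interface(text)
    print(updated)
    for problem in check_interfaces(updated):
        print("WARNING:", problem)
```

Run it against a copy of the real .VMX file only while VMware is stopped, as the procedure requires, and review the printed result before replacing the original; the check function can also be run on its own to audit an existing file before restarting cOS Core.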