
Hardware Acceleration

FortiGate 2500E fast path architecture

The FortiGate 2500E features the following front panel interfaces:

  • Two 10/100/1000BASE-T Copper (MGMT1 and MGMT2, not connected to the NP6 processors)
  • Thirty-two 10/100/1000BASE-T interfaces (1 to 32)
  • Four 10GigE SFP+ interfaces (33 to 36)
  • Four 10GigE SFP+ interfaces (37 to 40)
  • Two 10GigE SFP+ interfaces (41 and 42)
  • Two 10 Gig LC fiber bypass interfaces (43 and 44)

The FortiGate 2500E includes four NP6 processors in an NP Direct configuration. The NP6 processors connected to the 10GigE ports are also in a low latency NP Direct configuration. Because of NP Direct, you cannot create Link Aggregation Groups (LAGs) or redundant interfaces between interfaces connected to different NP6s. As well, traffic will only be offloaded if it enters and exits the FortiGate on interfaces connected to the same NP6.

The NP6s are connected to network interfaces as follows:

  • NP6_0 is connected to four 10GigE SFP+ interfaces (port37 to port40) in a low latency configuration.
  • NP6_1 is connected to thirty-two 10/100/1000BASE-T interfaces (port1 to port32).
  • NP6_2 is connected to two 10GigE SFP+ interfaces (port41 and port42) and two 10 Gig LC fiber bypass interfaces (port43 and port44) in a low latency configuration.
  • NP6_3 is connected to four 10GigE SFP+ interfaces (port33 to port36) in a low latency configuration.

The following diagram also shows the XAUI and QSGMII port connections between the NP6 processors and the front panel interfaces and the aggregate switch for the thirty-two 10/100/1000BASE-T interfaces.

All data traffic passes from the data interfaces to the NP6 processors. Data traffic processed by the CPU takes a dedicated data path through the ISF and an NP6 processor to the CPU.

The MGMT interfaces are not connected to the NP6 processors. Management traffic passes to the CPU over a dedicated management path that is separate from the data paths. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Dedicated management CPU). This separation of management traffic from data traffic keeps management traffic from interfering with the stability and performance of data traffic processing.

You can use the following get command to display the FortiGate 2500E NP6 configuration. You can also use the diagnose npu np6 port-list command to display this information.

get hardware npu np6 port-list 
Chip   XAUI Ports   Max   Cross-chip 
                    Speed offloading 
------ ---- ------- ----- ---------- 
np6_1  0    port1   1G    No
       0    port5   1G    No
       0    port9   1G    No
       0    port13  1G    No
       0    port17  1G    No
       0    port21  1G    No
       0    port25  1G    No
       0    port29  1G    No
       1    port2   1G    No
       1    port6   1G    No
       1    port10  1G    No
       1    port14  1G    No
       1    port18  1G    No
       1    port22  1G    No
       1    port26  1G    No
       1    port30  1G    No
       2    port3   1G    No
       2    port7   1G    No
       2    port11  1G    No
       2    port15  1G    No
       2    port19  1G    No
       2    port23  1G    No
       2    port27  1G    No
       2    port31  1G    No
       3    port4   1G    No
       3    port8   1G    No
       3    port12  1G    No
       3    port16  1G    No
       3    port20  1G    No
       3    port24  1G    No
       3    port28  1G    No
       3    port32  1G    No
------ ---- ------- ----- ---------- 
np6_0  0    port37  10G   No 
       1    port38  10G   No 
       2    port39  10G   No 
       3    port40  10G   No 
------ ---- ------- ----- ---------- 
np6_2  0    port43  10G   No 
       1    port44  10G   No 
       2    port41  10G   No 
       3    port42  10G   No 
------ ---- ------- ----- ---------- 
np6_3  0    port33  10G   No 
       1    port34  10G   No 
       2    port35  10G   No 
       3    port36  10G   No 
------ ---- ------- ----- ---------- 
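As an added example (not Fortinet code), the following Python parses the port-list output shown above and applies the NP Direct rule from this page: it reports which NP6 a set of interfaces shares, so you can confirm that two interfaces sit on the same NP6 before building a LAG or redundant interface between them, or before expecting a traffic flow to be offloaded. The sample output is a constructed, abbreviated copy of the table; the function names are the example's own.

```python
import re

# Constructed sample: an abbreviated copy of the port-list output above
# (the real output lists all 32 np6_1 ports and all four NP6s).
SAMPLE_PORT_LIST = """\
Chip   XAUI Ports   Max   Cross-chip
                    Speed offloading
------ ---- ------- ----- ----------
np6_1  0    port1   1G    No
       1    port2   1G    No
       2    port3   1G    No
------ ---- ------- ----- ----------
np6_0  0    port37  10G   No
       1    port38  10G   No
------ ---- ------- ----- ----------
np6_2  0    port43  10G   No
       1    port44  10G   No
       2    port41  10G   No
------ ---- ------- ----- ----------
"""
# The chip name is printed only on the first row of each chip block.
ROW = re.compile(r"^(?P<chip>np6_\d+)?\s+(?P<xaui>\d+)\s+(?P<port>port\d+)"
                 r"\s+(?P<speed>\S+)\s+(?P<xchip>\S+)")

def parse_port_list(text):
    """Map port name -> (chip, xaui lane, max speed, cross-chip offloading)."""
    ports, chip = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:                        # header, separator or blank line
            continue
        chip = m.group("chip") or chip   # carry the chip label forward
        if chip is None:
            raise ValueError("port row before any chip label: " + line)
        ports[m.group("port")] = (chip, int(m.group("xaui")),
                                  m.group("speed"), m.group("xchip") == "Yes")
    return ports

def shared_np6(ports, *ifaces):
    """Return the NP6 all interfaces share, or None if they span NP6s.
    NP Direct rule from the page: offloading needs ingress and egress on the
    same NP6, and LAGs or redundant interfaces cannot span NP6s. Interfaces
    absent from the table (mgmt1/mgmt2) raise ValueError: they reach the CPU
    over the separate management path and never touch an NP6."""
    missing = [i for i in ifaces if i not in ports]
    if missing:
        raise ValueError("not connected to an NP6: " + ", ".join(missing))
    chips = {ports[i][0] for i in ifaces}
    return chips.pop() if len(chips) == 1 else None
```

Feed it the real output of get hardware npu np6 port-list captured from the CLI; for this model, shared_np6 returns None for any pair that mixes the copper ports (np6_1) with the SFP+ ports.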

Bypass interfaces (port43 and port44)

The FortiGate 2500E includes an internal optical bypass module between interfaces 43 and 44 that provides fail open support. On these two interfaces, LC connectors connect directly to internal short-range (SR) lasers. No transceivers are required. When the FortiGate 2500E experiences a hardware failure or loses power, or when bypass mode is enabled, these interfaces operate in bypass mode. In bypass mode, interfaces 43 and 44 are optically shunted and all traffic can pass between them, bypassing the FortiOS firewall and the NP6_2 processor.

Interfaces 43 and 44 use an internal short-range (SR) laser, so interfaces 43 and 44 only support SR multi-mode fiber. You cannot use LR or single-mode fiber connections with these interfaces.

When the interfaces switch to bypass mode the FortiGate 2500E acts like an optical patch cable so if packets going through these interfaces use VLANs or other network extensions, the attached upstream or downstream network equipment must be configured for these features.

The FortiGate 2500E will continue to operate in bypass mode until the failed FortiGate 2500E is replaced, power is restored, or bypass mode is disabled. If power is restored or bypass mode is disabled, the FortiGate 2500E resumes operating as a FortiGate device without interrupting traffic flow. Replacing a failed FortiGate 800D disrupts traffic as a technician physically replaces the failed FortiGate 800D with a new one.

During normal operation, the bypass status (B/P) LED glows green. When bypass mode is enabled, this LED glows amber.

Manually enabling bypass-mode

You can manually enable bypass mode if the FortiGate 2500E is operating in transparent mode. You can also manually enable bypass mode for a VDOM if interfaces 43 and 44 are both connected to the same VDOM operating in transparent mode.

Use the following command to enable bypass mode:

execute bypass-mode enable

This command changes the configuration, so bypass mode will still be enabled if the FortiGate 2500E restarts.

You can use the following command to disable bypass mode:

execute bypass-mode disable

Configuring bypass settings

You can use the following command to configure how bypass operates.

config system bypass
    set bypass-watchdog {disable | enable}
    set poweroff-bypass {disable | enable}
end

bypass-watchdog: enable to turn on the bypass watchdog. When the watchdog is enabled, it activates bypass mode if it detects a software or hardware failure.

poweroff-bypass: if enabled, traffic can pass between the port43 and port44 interfaces while the FortiGate 2500E is powered off. In either case, traffic crossing port43 and port44 is not inspected by the FortiOS firewall while bypass mode is active, as described under Bypass interfaces.