Fortinet Document Library

Version:

Version:

Version:

Version:


Table of Contents

Hardware Acceleration

Download PDF
Copy Link

FortiGate-6000 series

The FortiGate-6000 series includes the FortiGate-6300F, 6301F, 6500F, and 6501F. All of these models have the same hardware architecture. FortiGate-6000 models have separate data and management planes. The data plane handles all traffic and security processing functionality. The management plane handles management functions such as administrator logins, configuration and session synchronization, SNMP and other monitoring, HA heartbeat communication, and remote and (if supported) local disk logging. Separating these two planes means that resources used for traffic and security processing are not compromised by management activities.

FortiGate-6000 schematic

In the data plane, two DP3 load balancers use session-aware load balancing to distribute sessions from the front panel interfaces (port1 to 28) to Fortinet Processor Cards (FPCs). The DP3 processors communicate with the FPCs across the 3.2Tbps integrated switch fabric. Each FPC processes sessions load balanced to it. The FPCs send outgoing sessions back to the integrated switch fabric and then out the network interfaces to their destinations.

The NP6 processor in each FPC enhances network performance with fastpath acceleration that offloads communication sessions from the FPC CPU. The NP6 processor can also handle some CPU intensive tasks, like IPsec VPN encryption/decryption. The NP6 processor in each FPC connects to the integrated switch fabric over four XAUI ports.

The CP9 processors in each FPC accelerate many common resource intensive security related processes such as SSL VPN, Antivirus, Application Control, and IPS.

The management plane includes the management board, base backplane, management interfaces, and HA heartbeat interfaces. Configuration and session synchronization between FPCs in a FortiGate-6000F occurs over the base backplane. In an HA configuration, configuration and session synchronization between the FortiGate-6000s in the cluster takes place over the HA1 and HA2 interfaces. Administrator logins, SNMP monitoring, remote logging to one or more FortiAnalyzers or syslog servers, and other management functions use the MGMT1, MGMT2, and MGMT3 interfaces. You can use the 10Gbps MGMT3 interface for additional bandwidth that might be useful for high bandwidth activities such as remote logging.

All FortiGate-6000 models have the following front panel interfaces:

  • Twenty-four 1/10/25GigE SFP28 data network interfaces (1 to 24). The default speed of these interfaces is 10Gbps. These interfaces are divided into the following interface groups: 1 - 4, 5 - 8, 9 - 12, 13 - 16, 17 - 20, and 21 - 24.
  • Four 40/100GigE QSFP28 data network interfaces (25 to 28). The default speed of these interfaces is 40Gbps.
  • Two 1/10GigE SFP+ HA interfaces (HA1 and HA2). The default speed of these interfaces is 10Gbps.
  • Two 10/100/1000BASE-T out of band management Ethernet interfaces (MGMT1 and MGMT2).
  • One 1/10GigE SFP+ out of band management interface (MGMT3).

From the management board, you can use the diagnose npu np6 port-list command to display the FortiGate-6000 NP6 configuration. The command output shows the NP6 configuration for all of the FPCs. You can see the same information for individual FPCs by logging into each FPC (for example by using the execute system console-server connect <slot-number> command) and using the same diagnose command or the get hardware npu np6 port-list command.

As shown in the example below for the FPC in slot 1, all of the FortiGate-6000 front panel interfaces and the fabric backplane (elbc-ctrl) connect to the NP6 processor in each FPC.

FortiGate-6000F [FPC01] (global) $ diagnose  npu np6 port-list 
Chip                  XAUI Ports   Max     Cross-chip 
                                   Speed   offloading 
--------------------  ---- ------  ------- ---------- 
all                   0-3  elbc-ctrl/110G     Yes        
all                   0-3  port1   25G     Yes        
all                   0-3  port2   25G     Yes        
all                   0-3  port3   25G     Yes        
all                   0-3  port4   25G     Yes        
all                   0-3  port5   25G     Yes        
all                   0-3  port6   25G     Yes        
all                   0-3  port7   25G     Yes        
all                   0-3  port8   25G     Yes        
all                   0-3  port9   25G     Yes        
all                   0-3  port10  25G     Yes        
all                   0-3  port11  25G     Yes        
all                   0-3  port12  25G     Yes        
all                   0-3  port13  25G     Yes        
all                   0-3  port14  25G     Yes        
all                   0-3  port15  25G     Yes        
all                   0-3  port16  25G     Yes        
all                   0-3  port17  25G     Yes        
all                   0-3  port18  25G     Yes        
all                   0-3  port19  25G     Yes        
all                   0-3  port20  25G     Yes        
all                   0-3  port21  25G     Yes        
all                   0-3  port22  25G     Yes        
all                   0-3  port23  25G     Yes        
all                   0-3  port24  25G     Yes        
all                   0-3  port25  100G    Yes        
all                   0-3  port26  100G    Yes        
all                   0-3  port27  100G    Yes        
all                   0-3  port28  100G    Yes        
--------------------  ---- ------  ------- ---------- 

Interface groups and changing data interface speeds

Depending on the networks that you want to connect your FortiGate-6000 to, you may have to manually change the data interface speeds. The port1 to port20 data interfaces are divided into the following groups:

  • port1 - port4
  • port5 - port8
  • port9 - port12
  • port13 - port16
  • port17 - port20
  • port21 - port24

All of the interfaces in a group operate at the same speed. Changing the speed of an interface changes the speeds of all of the interfaces in the same group. For example, if you change the speed of port18 from 10Gbps to 25Gbps the speeds of port17 to port20 are also changed to 25Gbps.

The port25 to port28 interfaces are not part of an interface group. You can set the speed of each of these interfaces independently of the other three.

Another example, the default speed of the port1 to port24 interfaces is 10Gbps. If you want to install 25GigE transceivers in port1 to port24 to convert these data interfaces to connect to 25Gbps networks, you must enter the following from the CLI:

config system interface

edit port1

set speed 25000full

next

edit port5

set speed 25000full

next

edit port9

set speed 25000full

next

edit port13

set speed 25000full

next

edit port17

set speed 25000full

next

edit port21

set speed 25000full

end

Every time you change a data interface speed, when you enter the end command, the CLI confirms the range of interfaces affected by the change. For example, if you change the speed of port5 the following message appears:

config system interface

edit port5

set speed 25000full

end

port5-port8 speed will be changed to 25000full due to hardware limit.

Do you want to continue? (y/n)

FortiGate-6000 series

The FortiGate-6000 series includes the FortiGate-6300F, 6301F, 6500F, and 6501F. All of these models have the same hardware architecture. FortiGate-6000 models have separate data and management planes. The data plane handles all traffic and security processing functionality. The management plane handles management functions such as administrator logins, configuration and session synchronization, SNMP and other monitoring, HA heartbeat communication, and remote and (if supported) local disk logging. Separating these two planes means that resources used for traffic and security processing are not compromised by management activities.

FortiGate-6000 schematic

In the data plane, two DP3 load balancers use session-aware load balancing to distribute sessions from the front panel interfaces (port1 to 28) to Fortinet Processor Cards (FPCs). The DP3 processors communicate with the FPCs across the 3.2Tbps integrated switch fabric. Each FPC processes sessions load balanced to it. The FPCs send outgoing sessions back to the integrated switch fabric and then out the network interfaces to their destinations.

The NP6 processor in each FPC enhances network performance with fastpath acceleration that offloads communication sessions from the FPC CPU. The NP6 processor can also handle some CPU intensive tasks, like IPsec VPN encryption/decryption. The NP6 processor in each FPC connects to the integrated switch fabric over four XAUI ports.

The CP9 processors in each FPC accelerate many common resource intensive security related processes such as SSL VPN, Antivirus, Application Control, and IPS.

The management plane includes the management board, base backplane, management interfaces, and HA heartbeat interfaces. Configuration and session synchronization between FPCs in a FortiGate-6000F occurs over the base backplane. In an HA configuration, configuration and session synchronization between the FortiGate-6000s in the cluster takes place over the HA1 and HA2 interfaces. Administrator logins, SNMP monitoring, remote logging to one or more FortiAnalyzers or syslog servers, and other management functions use the MGMT1, MGMT2, and MGMT3 interfaces. You can use the 10Gbps MGMT3 interface for additional bandwidth that might be useful for high bandwidth activities such as remote logging.

All FortiGate-6000 models have the following front panel interfaces:

  • Twenty-four 1/10/25GigE SFP28 data network interfaces (1 to 24). The default speed of these interfaces is 10Gbps. These interfaces are divided into the following interface groups: 1 - 4, 5 - 8, 9 - 12, 13 - 16, 17 - 20, and 21 - 24.
  • Four 40/100GigE QSFP28 data network interfaces (25 to 28). The default speed of these interfaces is 40Gbps.
  • Two 1/10GigE SFP+ HA interfaces (HA1 and HA2). The default speed of these interfaces is 10Gbps.
  • Two 10/100/1000BASE-T out of band management Ethernet interfaces (MGMT1 and MGMT2).
  • One 1/10GigE SFP+ out of band management interface (MGMT3).

From the management board, you can use the diagnose npu np6 port-list command to display the FortiGate-6000 NP6 configuration. The command output shows the NP6 configuration for all of the FPCs. You can see the same information for individual FPCs by logging into each FPC (for example by using the execute system console-server connect <slot-number> command) and using the same diagnose command or the get hardware npu np6 port-list command.

As shown in the example below for the FPC in slot 1, all of the FortiGate-6000 front panel interfaces and the fabric backplane (elbc-ctrl) connect to the NP6 processor in each FPC.

FortiGate-6000F [FPC01] (global) $ diagnose  npu np6 port-list 
Chip                  XAUI Ports   Max     Cross-chip 
                                   Speed   offloading 
--------------------  ---- ------  ------- ---------- 
all                   0-3  elbc-ctrl/110G     Yes        
all                   0-3  port1   25G     Yes        
all                   0-3  port2   25G     Yes        
all                   0-3  port3   25G     Yes        
all                   0-3  port4   25G     Yes        
all                   0-3  port5   25G     Yes        
all                   0-3  port6   25G     Yes        
all                   0-3  port7   25G     Yes        
all                   0-3  port8   25G     Yes        
all                   0-3  port9   25G     Yes        
all                   0-3  port10  25G     Yes        
all                   0-3  port11  25G     Yes        
all                   0-3  port12  25G     Yes        
all                   0-3  port13  25G     Yes        
all                   0-3  port14  25G     Yes        
all                   0-3  port15  25G     Yes        
all                   0-3  port16  25G     Yes        
all                   0-3  port17  25G     Yes        
all                   0-3  port18  25G     Yes        
all                   0-3  port19  25G     Yes        
all                   0-3  port20  25G     Yes        
all                   0-3  port21  25G     Yes        
all                   0-3  port22  25G     Yes        
all                   0-3  port23  25G     Yes        
all                   0-3  port24  25G     Yes        
all                   0-3  port25  100G    Yes        
all                   0-3  port26  100G    Yes        
all                   0-3  port27  100G    Yes        
all                   0-3  port28  100G    Yes        
--------------------  ---- ------  ------- ---------- 

Interface groups and changing data interface speeds

Depending on the networks that you want to connect your FortiGate-6000 to, you may have to manually change the data interface speeds. The port1 to port20 data interfaces are divided into the following groups:

  • port1 - port4
  • port5 - port8
  • port9 - port12
  • port13 - port16
  • port17 - port20
  • port21 - port24

All of the interfaces in a group operate at the same speed. Changing the speed of an interface changes the speeds of all of the interfaces in the same group. For example, if you change the speed of port18 from 10Gbps to 25Gbps the speeds of port17 to port20 are also changed to 25Gbps.

The port25 to port28 interfaces are not part of an interface group. You can set the speed of each of these interfaces independently of the other three.

Another example, the default speed of the port1 to port24 interfaces is 10Gbps. If you want to install 25GigE transceivers in port1 to port24 to convert these data interfaces to connect to 25Gbps networks, you must enter the following from the CLI:

config system interface

edit port1

set speed 25000full

next

edit port5

set speed 25000full

next

edit port9

set speed 25000full

next

edit port13

set speed 25000full

next

edit port17

set speed 25000full

next

edit port21

set speed 25000full

end

Every time you change a data interface speed, when you enter the end command, the CLI confirms the range of interfaces affected by the change. For example, if you change the speed of port5 the following message appears:

config system interface

edit port5

set speed 25000full

end

port5-port8 speed will be changed to 25000full due to hardware limit.

Do you want to continue? (y/n)