Hyperscale Firewall Guide

Configuring how the internal switch fabric distributes sessions to NP7 processors

On FortiGates with multiple NP7 processors, you can use the following command to configure how the internal switch fabric (ISF) distributes sessions to the NP7 processors.

    config system global

    config system npu

    set hash-config {src-dst-ip | 5-tuple | src-ip}

    end

Changing the hash-config causes the FortiGate to restart.

Note

A configuration change that causes a FortiGate to restart can disrupt the operation of an FGCP cluster. If possible, you should make this configuration change to the individual FortiGates before setting up the cluster. If the cluster is already operating, you should temporarily remove the secondary FortiGate(s) from the cluster, change the configuration of the individual FortiGates and then re-form the cluster. You can remove FortiGate(s) from a cluster using the Remove Device from HA cluster button on the System > HA GUI page. For more information, see Disconnecting a FortiGate.

src-ip (the default): sessions are distributed by source IP address. All sessions from a given source IP address are processed by the same NP7 processor. For hyperscale traffic, src-ip is usually the preferred setting because, when hash-config is set to src-ip, each NP7 processor has the same cgn-resource-quota and that quota is applied to all traffic from a given source address. For more information, see NPU traffic distribution in the Carrier-Grade NAT Architecture Guide.

src-dst-ip: use 2-tuple (source and destination IP address) hashing. This option is only available on FortiGates with an odd number of NP7 processors. For example, the FortiGate-3500F and 3501F have three NP7 processors, so this option is available for these models. In most cases, on FortiGates with an odd number of NP7 processors, src-dst-ip distribution provides the best performance. However, CGNAT resource quotas are distributed differently depending on the hash-config.

5-tuple: a hash is created for each session from the session's source and destination IP addresses, IP protocol, and source and destination TCP/UDP ports, and sessions are distributed according to that hash. In most cases 5-tuple distribution provides the best performance. However, CGNAT resource quotas are distributed differently depending on the hash-config.

In most cases 2-tuple or 5-tuple distribution provides the best performance, but src-ip is the required setting if your FortiGate processes traffic that requires session helpers or application layer gateways (ALGs).

Setting hash-config to src-ip is required to offload traffic that requires session helpers or application layer gateways (ALGs) (for example, FTP, TFTP, SIP, MGCP, H.323, PPTP, L2TP, ICMP Error/IP-options, PMAP, TNS, DCE-RPC, RAS, and RSH). For more information, see ALG/Session Helper Support.
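The following constructed Python model (added here; it is not Fortinet code and does not reproduce the ISF's real hash) shows why the three hash-config values matter for CGNAT quotas and ALGs: under src-ip every session from a source lands on one NP7, so a per-NP7 cgn-resource-quota caps that source's total traffic, while under 5-tuple a source's sessions spread across NP7s and each NP7 only counts its own share. The hash function, the three-NP7 count and the sample sessions are assumptions.

```python
import hashlib
from collections import defaultdict

# Assumption: a FortiGate with three NP7 processors (the page names the
# FortiGate-3500F/3501F as such models). SHA-256 stands in for the ISF
# hash; it is a constructed model, not Fortinet's implementation.
NUM_NP7 = 3

def _bucket(key: str) -> int:
    """Map a hash key deterministically onto one of the NP7 processors."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % NUM_NP7

def np7_for_session(session, hash_config):
    """session = (src_ip, dst_ip, proto, sport, dport)."""
    src, dst, proto, sport, dport = session
    if hash_config == "src-ip":
        key = src                                    # one key per source address
    elif hash_config == "src-dst-ip":
        key = f"{src}|{dst}"                         # 2-tuple
    elif hash_config == "5-tuple":
        key = f"{src}|{dst}|{proto}|{sport}|{dport}"
    else:
        raise ValueError(f"unknown hash-config: {hash_config}")
    return _bucket(key)

def np7s_per_source(sessions, hash_config):
    """Which NP7 processors see sessions from each source IP."""
    seen = defaultdict(set)
    for s in sessions:
        seen[s[0]].add(np7_for_session(s, hash_config))
    return dict(seen)

def source_pinned(sessions, hash_config):
    """True when every source IP lands on exactly one NP7 (what ALGs need)."""
    return all(len(v) == 1 for v in np7s_per_source(sessions, hash_config).values())

def effective_source_cap(sessions, src, hash_config, cgn_resource_quota):
    """Model: each NP7 enforces cgn-resource-quota on the sessions it sees,
    so a source spread over k NP7s could consume up to k * quota in total."""
    return len(np7s_per_source(sessions, hash_config)[src]) * cgn_resource_quota

# Constructed sample: two CGNAT subscribers, each opening 100 flows to one server.
SAMPLE_SESSIONS = [
    (src, "203.0.113.10", "tcp", 40000 + i, 443)
    for src in ("100.64.1.10", "100.64.1.11")
    for i in range(100)
]
```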