FortiGate 3960E and 3980E support for high throughput traffic streams
FortiGate devices with multiple NP6 processors support high throughput by distributing sessions to multiple NP6 processors. However, default ISF hash-based load balancing has some limitations for single traffic streams or flows that use more than 10Gbps of bandwidth. Normally, the ISF sends all of the packets in a single traffic stream over the same 10Gbps interface to an NP6 processor. If a single traffic stream is larger than 10Gbps, packets are also sent to 10Gbps interfaces that may be connected to the same NP6 or to other NP6s. Because the ISF uses hash-based load balancing, this can lead to packets being processed out of order and other potential drawbacks.
You can configure the FortiGate 3960E and 3980E to support single traffic flows that are larger than 10Gbps. To enable this feature, you can assign interfaces to round robin groups using the following configuration. If you assign an interface to a Round Robin group, the ISF uses round-robin load balancing to distribute incoming traffic from one stream to multiple NP6 processors. Round-robin load balancing prevents the potential problems associated with hash-based load balancing of packets from a single stream.
config system npu
config port-npu-map
edit <interface>
set npu-group-index <npu-group>
end
end
<interface> is the name of an interface that receives or sends large traffic streams.
<npu-group>
is the number of an NPU group.To enable round-robin load balancing select a round-robin NPU group. Use ?
to see the list of NPU groups. The output shows which groups support round robin load balancing. For example, the following output shows that NPU group 30 supports round robin load balancing to NP6 0 to 7.
set npu-group-index ? index: npu group 0 : NP#0-7 2 : NP#0 3 : NP#1 4 : NP#2 5 : NP#3 6 : NP#4 7 : NP#5 8 : NP#6 9 : NP#7 10 : NP#0-1 11 : NP#2-3 12 : NP#4-5 13 : NP#6-7 14 : NP#0-3 15 : NP#4-7 30 : NP#0-7 - Round Robin
For example, use the following command to assign port1, port2, port17 and port18 to NPU group 30.
config system npu
config port-npu-map
edit port1
set npu-group-index 30
next
edit port2
set npu-group-index 30
next
edit port7
set npu-group-index 30
next
edit port18
set npu-group-index 30
next
end
end