Fortinet white logo
Fortinet white logo

Hardware Acceleration

FortiGate 900G and 901G fast path architecture

FortiGate 900G and 901G fast path architecture

The FortiGate 900G and 901G models feature the following front panel interfaces:

  • Two 10/100/1000BASE-T RJ45 (HA and MGMT, not connected to the NP7 processor).
  • Sixteen 10/100/1000BASE-T RJ45 (1 to 16).
  • Eight 1 GigE SFP (17 to 24).
  • Four 10/1 GigE SFP+/SFP (X1 to X4) (X1 and X2 are FortiLink interfaces).
  • Four 10/25 GigE SFP+/SFP28 (X5 to X8) ultra low latency (ULL), all ULL interfaces operate at the same speed. ULL interfaces bypass the integrated switch fabric (ISF).

The FortiGate 900G and 901G each include one NP7 processor. Front panel data interfaces 1 to 24 and X1 to X4 and one of the NP7 processor interfaces connect to the integrated switch fabric (ISF). All data traffic passes from these data interfaces through the ISF to the NP7 processor. All supported traffic passing between any two of these data interfaces can be offloaded by the NP7 processor. Data traffic processed by the CPU takes a dedicated data path through the ISF and the NP7 processor to the CPU.

Front panel data interfaces X5 to X8 are connected directly to the other NP7 processor interfaces instead of the ISF. Since the ISF introduces latency, interfaces X5 to X8 are ultra low latency interfaces (ULL), and NP7 traffic entering and exiting the FortiGate through ULL interfaces experiences lower latency than if it were passing through interfaces that are connected to the ISF. To achieve low latency, traffic must enter and exit the FortiGate through the X5 to X8 interfaces. If traffic enters or exits through other data interfaces, it is subject to the latency resulting from passing through the ISF.

Note

The FortiGate-900G and 901G do not support configuring NPU port mapping, because only one of the NP7 interfaces is connected to the ISF.

The MGMT interface is not connected to the NP7 processor. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Improving GUI and CLI responsiveness (dedicated management CPU)).

The HA interface is also not connected to the NP7 processor. To help provide better HA stability and resiliency, HA traffic uses a dedicated physical control path that provides HA control traffic separation from data traffic processing.

The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.

You can use the following command to display the FortiGate 900G or 901G NP7 configuration.

diagnose npu np7 port-list
Front Panel Port:
Name     Max_speed(Mbps) Dflt_speed(Mbps) NP_group        Switch_id SW_port_id SW_port_name 
-------- --------------- ---------------  --------------- --------- ---------- ------------ 
port1    1000            1000             n/a             0         1                       
port2    1000            1000             n/a             0         0                       
port3    1000            1000             n/a             0         3                       
port4    1000            1000             n/a             0         2                       
port5    1000            1000             n/a             0         5                       
port6    1000            1000             n/a             0         4                       
port7    1000            1000             n/a             0         7                       
port8    1000            1000             n/a             0         6                       
port9    1000            1000             n/a             0         9                       
port10   1000            1000             n/a             0         8                       
port11   1000            1000             n/a             0         11                      
port12   1000            1000             n/a             0         10                      
port13   1000            1000             n/a             0         13                      
port14   1000            1000             n/a             0         12                      
port15   1000            1000             n/a             0         15                      
port16   1000            1000             n/a             0         14                      
port17   1000            1000             n/a             0         17                      
port18   1000            1000             n/a             0         16                      
port19   1000            1000             n/a             0         19                      
port20   1000            1000             n/a             0         18                      
port21   1000            1000             n/a             0         25                      
port22   1000            1000             n/a             0         24                      
port23   1000            1000             n/a             0         27                      
port24   1000            1000             n/a             0         26                      
x1       10000           10000            n/a             0         40                      
x2       10000           10000            n/a             0         32                      
x3       10000           10000            n/a             0         49                      
x4       10000           10000            n/a             0         48                      
x5       25000           10000            n/a             n/a       n/a        n/a          
x6       25000           10000            n/a             n/a       n/a        n/a          
x7       25000           10000            n/a             n/a       n/a        n/a          
x8       25000           10000            n/a             n/a       n/a        n/a          
-------- --------------- ---------------  --------------- --------- ---------- ------------ 

NP Port:
Name   Switch_id SW_port_id SW_port_name 
------ --------- ---------- ------------ 
np0_0  0         50                      
------ --------- ---------- ------------ 
* Max_speed: Maximum speed, Dflt_speed: Default speed
* SW_port_id: Switch port ID, SW_port_name: Switch port name

The command output also shows the maximum speeds of each interface. Also, that command output shows that the x5 to x8 interfaces are not connected to the internal switch fabric.

The NP7 processor has a bandwidth capacity of 200 Gigabits. You can see from the command output that if all interfaces were operating at their maximum bandwidth the NP7 processor would not be able to offload all the traffic.

Changing the speed of the X5 to X8 ULL interfaces

By default, the FortiGate-900G and 901G front panel ULL data interfaces X5 to X8 operate as 10G SFP+ interfaces. You can use the following command to configure them to operate as 25G SPF28 interfaces:

config system npu

set ull-port-mode 25G

end

Entering this command restarts the FortiGate, so the speed of the ULL interfaces should be changed during a maintenance window. This command changes the speeds of all of the ULL interfaces. All of the ULL interfaces operate at the same speed.

You can use the following command to change the ULL interfaces back to the default setting as 10G SFP+ interfaces:

config system npu

set ull-port-mode 10G

end

Entering this command also restarts the FortiGate.

FortiGate 900G and 901G fast path architecture

FortiGate 900G and 901G fast path architecture

The FortiGate 900G and 901G models feature the following front panel interfaces:

  • Two 10/100/1000BASE-T RJ45 (HA and MGMT, not connected to the NP7 processor).
  • Sixteen 10/100/1000BASE-T RJ45 (1 to 16).
  • Eight 1 GigE SFP (17 to 24).
  • Four 10/1 GigE SFP+/SFP (X1 to X4) (X1 and X2 are FortiLink interfaces).
  • Four 10/25 GigE SFP+/SFP28 (X5 to X8) ultra low latency (ULL), all ULL interfaces operate at the same speed. ULL interfaces bypass the integrated switch fabric (ISF).

The FortiGate 900G and 901G each include one NP7 processor. Front panel data interfaces 1 to 24 and X1 to X4 and one of the NP7 processor interfaces connect to the integrated switch fabric (ISF). All data traffic passes from these data interfaces through the ISF to the NP7 processor. All supported traffic passing between any two of these data interfaces can be offloaded by the NP7 processor. Data traffic processed by the CPU takes a dedicated data path through the ISF and the NP7 processor to the CPU.

Front panel data interfaces X5 to X8 are connected directly to the other NP7 processor interfaces instead of the ISF. Since the ISF introduces latency, interfaces X5 to X8 are ultra low latency interfaces (ULL), and NP7 traffic entering and exiting the FortiGate through ULL interfaces experiences lower latency than if it were passing through interfaces that are connected to the ISF. To achieve low latency, traffic must enter and exit the FortiGate through the X5 to X8 interfaces. If traffic enters or exits through other data interfaces, it is subject to the latency resulting from passing through the ISF.

Note

The FortiGate-900G and 901G do not support configuring NPU port mapping, because only one of the NP7 interfaces is connected to the ISF.

The MGMT interface is not connected to the NP7 processor. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Improving GUI and CLI responsiveness (dedicated management CPU)).

The HA interface is also not connected to the NP7 processor. To help provide better HA stability and resiliency, HA traffic uses a dedicated physical control path that provides HA control traffic separation from data traffic processing.

The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.

You can use the following command to display the FortiGate 900G or 901G NP7 configuration.

diagnose npu np7 port-list
Front Panel Port:
Name     Max_speed(Mbps) Dflt_speed(Mbps) NP_group        Switch_id SW_port_id SW_port_name 
-------- --------------- ---------------  --------------- --------- ---------- ------------ 
port1    1000            1000             n/a             0         1                       
port2    1000            1000             n/a             0         0                       
port3    1000            1000             n/a             0         3                       
port4    1000            1000             n/a             0         2                       
port5    1000            1000             n/a             0         5                       
port6    1000            1000             n/a             0         4                       
port7    1000            1000             n/a             0         7                       
port8    1000            1000             n/a             0         6                       
port9    1000            1000             n/a             0         9                       
port10   1000            1000             n/a             0         8                       
port11   1000            1000             n/a             0         11                      
port12   1000            1000             n/a             0         10                      
port13   1000            1000             n/a             0         13                      
port14   1000            1000             n/a             0         12                      
port15   1000            1000             n/a             0         15                      
port16   1000            1000             n/a             0         14                      
port17   1000            1000             n/a             0         17                      
port18   1000            1000             n/a             0         16                      
port19   1000            1000             n/a             0         19                      
port20   1000            1000             n/a             0         18                      
port21   1000            1000             n/a             0         25                      
port22   1000            1000             n/a             0         24                      
port23   1000            1000             n/a             0         27                      
port24   1000            1000             n/a             0         26                      
x1       10000           10000            n/a             0         40                      
x2       10000           10000            n/a             0         32                      
x3       10000           10000            n/a             0         49                      
x4       10000           10000            n/a             0         48                      
x5       25000           10000            n/a             n/a       n/a        n/a          
x6       25000           10000            n/a             n/a       n/a        n/a          
x7       25000           10000            n/a             n/a       n/a        n/a          
x8       25000           10000            n/a             n/a       n/a        n/a          
-------- --------------- ---------------  --------------- --------- ---------- ------------ 

NP Port:
Name   Switch_id SW_port_id SW_port_name 
------ --------- ---------- ------------ 
np0_0  0         50                      
------ --------- ---------- ------------ 
* Max_speed: Maximum speed, Dflt_speed: Default speed
* SW_port_id: Switch port ID, SW_port_name: Switch port name

The command output also shows the maximum speeds of each interface. Also, that command output shows that the x5 to x8 interfaces are not connected to the internal switch fabric.

The NP7 processor has a bandwidth capacity of 200 Gigabits. You can see from the command output that if all interfaces were operating at their maximum bandwidth the NP7 processor would not be able to offload all the traffic.

Changing the speed of the X5 to X8 ULL interfaces

By default, the FortiGate-900G and 901G front panel ULL data interfaces X5 to X8 operate as 10G SFP+ interfaces. You can use the following command to configure them to operate as 25G SPF28 interfaces:

config system npu

set ull-port-mode 25G

end

Entering this command restarts the FortiGate, so the speed of the ULL interfaces should be changed during a maintenance window. This command changes the speeds of all of the ULL interfaces. All of the ULL interfaces operate at the same speed.

You can use the following command to change the ULL interfaces back to the default setting as 10G SFP+ interfaces:

config system npu

set ull-port-mode 10G

end

Entering this command also restarts the FortiGate.