Fortinet white logo
Fortinet white logo

Hardware Acceleration

FortiGate Rugged 70F fast path architecture

FortiGate Rugged 70F fast path architecture

The FortiGate Rugged 70F includes the SOC4 and uses the SOC4 CPU, NP6XLite processor, and CP9XLite processor. The SOC4 includes an integrated switch fabric (ISF) that connects all of the front panel network interfaces to the NP6XLite processor. All data traffic passes from the data interfaces through the ISF to the NP6XLite processor. All supported traffic passing between any two data interfaces can be offloaded by the NP6XLite processor. Data traffic processed by the CPU takes a dedicated data path through the ISF and the NP6XLite processor to the CPU.

The FortiGate Rugged 70F includes the SOC4 and uses the SOC4 CPU, NP6XLite processor, and CP9XLite processor. The SOC4 ISF connects all of the FortiGate Rugged 70F front panel data interfaces to the NP6XLite processor.

The 3 and 4 interfaces form a copper bypass pair. On the GUI and CLI these interfaces are is named lan3 and lan4.

The FortiGate Rugged 70F features the following front panel interfaces:

  • Four 10/100/1000BASE-T Copper (1-4) connected to the SOC4.
  • Two 10/100/1000BASE-T Copper (WAN1 and WAN2) connected to the SOC4.
  • Two 1GigE SFP interfaces (SFP1 and SFP2) connected to the SOC4.

The SOC4 ISF allows you to use the command config system virtual-switch to create a virtual hardware switch that can include any front panel interface connected to the SOC4.

Note

To add an interface to a hardware switch, its mode must be set to static and the interface can't be used in any other configuration. For example, you can't have a firewall policy that references the interface.

You can use the command diagnose npu np6xlite port-list to display the FortiGate Rugged 70F NP6XLite configuration.

diagnose npu np6xlite port-list 
Chip   XAUI Ports            Max   Cross-chip 
                             Speed offloading 
------ ---- -------          ----- ---------- 
np6xlite_0
       11   sfp1             1000M          NO
       10   sfp2             1000M          NO
       12   wan1             1000M          NO
       13   wan2             1000M          NO
       6    lan1             1000M          NO
       7    lan2             1000M          NO
       8    lan3             1000M          NO
       9    lan4             1000M          NO

Bypass interfaces (3 and 4)

The FortiGate Rugged 70F includes a bypass interface pair, 3 and 4, that provides fail open support. When a FortiGate Rugged 70F experiences a hardware failure or loses power, or when bypass mode is enabled, the bypass interface pair operates in bypass mode. In bypass mode, 3 and 4 are directly connected. Traffic can pass between 3 and 4 bypassing the FortiOS firewall and the NP6XLite processor, but continuing to provide network connectivity.

In bypass mode, the bypass pair acts like a patch cable, failing open and allowing all traffic to pass through. Traffic on the bypass interface that is using VLANs or other network extensions can only continue flowing if the connected network equipment is configured for these features.

The FortiGate Rugged 70F will continue to operate in bypass mode until the failed FortiGate Rugged 70F is replaced, power is restored, or bypass mode is disabled. If power is restored or bypass mode is disabled, the FortiGate Rugged 70F resumes operating as a FortiGate device without interrupting traffic flow. Replacing a failed FortiGate Rugged 70F disrupts traffic as a technician physically replaces the failed FortiGate Rugged 70F with a new one.

Manually enabling bypass mode

You can manually enable bypass mode if the FortiGate Rugged 70F is operating in transparent mode. You can also manually enable bypass mode for a VDOM if 3 and 4 are both connected to the same VDOM operating in transparent mode.

By default, interfaces 3 and 4 (lan3 and lan4) are part of a hardware switch named internal. Before you enable bypass mode, you must enter the following command s to edit the hardware switch and remove lan3 and lan4 from the switch:

config system virtual-switch

edit internal

delete lan3

delete lan4

end

Then you can use the following command to enable bypass mode:

execute bypass-mode enable

This command changes the configuration, so bypass mode will still be enabled if the FortiGate Rugged 70F restarts.

You can use the following command to disable bypass mode:

execute bypass-mode disable

Configuring bypass settings

You can use the following command to configure how bypass operates. To configure these settings, you must first remove the internal4f interface from the internal hardware switch.

config system bypass

set bypass-watchdog {disable | enable}

set poweroff-bypass {disable | enable}

end

bypass-watchdog enable to turn on bypass mode. When bypass mode is turned on, if the bypass watchdog detects a software or hardware failure, bypass mode will be activated.

poweroff-bypass if enabled, traffic will be able to pass between the lan3 and lan4 interfaces if the FortiGate Rugged 70F is powered off.

FortiGate Rugged 70F fast path architecture

FortiGate Rugged 70F fast path architecture

The FortiGate Rugged 70F includes the SOC4 and uses the SOC4 CPU, NP6XLite processor, and CP9XLite processor. The SOC4 includes an integrated switch fabric (ISF) that connects all of the front panel network interfaces to the NP6XLite processor. All data traffic passes from the data interfaces through the ISF to the NP6XLite processor. All supported traffic passing between any two data interfaces can be offloaded by the NP6XLite processor. Data traffic processed by the CPU takes a dedicated data path through the ISF and the NP6XLite processor to the CPU.

The FortiGate Rugged 70F includes the SOC4 and uses the SOC4 CPU, NP6XLite processor, and CP9XLite processor. The SOC4 ISF connects all of the FortiGate Rugged 70F front panel data interfaces to the NP6XLite processor.

The 3 and 4 interfaces form a copper bypass pair. On the GUI and CLI these interfaces are is named lan3 and lan4.

The FortiGate Rugged 70F features the following front panel interfaces:

  • Four 10/100/1000BASE-T Copper (1-4) connected to the SOC4.
  • Two 10/100/1000BASE-T Copper (WAN1 and WAN2) connected to the SOC4.
  • Two 1GigE SFP interfaces (SFP1 and SFP2) connected to the SOC4.

The SOC4 ISF allows you to use the command config system virtual-switch to create a virtual hardware switch that can include any front panel interface connected to the SOC4.

Note

To add an interface to a hardware switch, its mode must be set to static and the interface can't be used in any other configuration. For example, you can't have a firewall policy that references the interface.

You can use the command diagnose npu np6xlite port-list to display the FortiGate Rugged 70F NP6XLite configuration.

diagnose npu np6xlite port-list 
Chip   XAUI Ports            Max   Cross-chip 
                             Speed offloading 
------ ---- -------          ----- ---------- 
np6xlite_0
       11   sfp1             1000M          NO
       10   sfp2             1000M          NO
       12   wan1             1000M          NO
       13   wan2             1000M          NO
       6    lan1             1000M          NO
       7    lan2             1000M          NO
       8    lan3             1000M          NO
       9    lan4             1000M          NO

Bypass interfaces (3 and 4)

The FortiGate Rugged 70F includes a bypass interface pair, 3 and 4, that provides fail open support. When a FortiGate Rugged 70F experiences a hardware failure or loses power, or when bypass mode is enabled, the bypass interface pair operates in bypass mode. In bypass mode, 3 and 4 are directly connected. Traffic can pass between 3 and 4 bypassing the FortiOS firewall and the NP6XLite processor, but continuing to provide network connectivity.

In bypass mode, the bypass pair acts like a patch cable, failing open and allowing all traffic to pass through. Traffic on the bypass interface that is using VLANs or other network extensions can only continue flowing if the connected network equipment is configured for these features.

The FortiGate Rugged 70F will continue to operate in bypass mode until the failed FortiGate Rugged 70F is replaced, power is restored, or bypass mode is disabled. If power is restored or bypass mode is disabled, the FortiGate Rugged 70F resumes operating as a FortiGate device without interrupting traffic flow. Replacing a failed FortiGate Rugged 70F disrupts traffic as a technician physically replaces the failed FortiGate Rugged 70F with a new one.

Manually enabling bypass mode

You can manually enable bypass mode if the FortiGate Rugged 70F is operating in transparent mode. You can also manually enable bypass mode for a VDOM if 3 and 4 are both connected to the same VDOM operating in transparent mode.

By default, interfaces 3 and 4 (lan3 and lan4) are part of a hardware switch named internal. Before you enable bypass mode, you must enter the following command s to edit the hardware switch and remove lan3 and lan4 from the switch:

config system virtual-switch

edit internal

delete lan3

delete lan4

end

Then you can use the following command to enable bypass mode:

execute bypass-mode enable

This command changes the configuration, so bypass mode will still be enabled if the FortiGate Rugged 70F restarts.

You can use the following command to disable bypass mode:

execute bypass-mode disable

Configuring bypass settings

You can use the following command to configure how bypass operates. To configure these settings, you must first remove the internal4f interface from the internal hardware switch.

config system bypass

set bypass-watchdog {disable | enable}

set poweroff-bypass {disable | enable}

end

bypass-watchdog enable to turn on bypass mode. When bypass mode is turned on, if the bypass watchdog detects a software or hardware failure, bypass mode will be activated.

poweroff-bypass if enabled, traffic will be able to pass between the lan3 and lan4 interfaces if the FortiGate Rugged 70F is powered off.