FortiGate 3500F and 3501F fast path architecture
The FortiGate 3500F and 3501F each include three NP7 processors (NP#0, NP#1, and NP#2). All front panel data interfaces (1 to 36) connect to the NP7 processors over the integrated switch fabric. So all supported traffic passing between any two data interfaces can be offloaded.
The FortiGate 3500F and 3501F models feature the following front panel interfaces:
- Two 10/100/1000BASE-T Copper (MGMT1 and MGMT2, not connected to the NP7 processors).
- Eight 10/25 GigE SFP+/SFP28 (HA1, HA2, 1 to 6), interface groups: ha1 ha2 1 2, 3 - 6 (the HA interfaces are not connected to the NP7 processors).
- Twenty-four 10/25 GigE SFP+/SFP28 (7 to 30), interface groups: 7 - 10, 11 - 14, 15 - 18, 19 - 22, 23 - 26 and 27 - 30.
- Six 40/100 GigE QSFP28 (31 to 26).
The FortiGate 3500F and 3501F each include three NP7 processors. All front panel data interfaces and the NP7 processors connect to the integrated switch fabric (ISF). All data traffic passes from the data interfaces through the ISF to the NP7 processors. All supported traffic passing between any two data interfaces can be offloaded by the NP7 processors. Data traffic processed by the CPU takes a dedicated data path through the ISF and an NP7 processor to the CPU.
The MGMT interfaces are not connected to the NP7 processors. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Dedicated management CPU).
The HA interfaces are also not connected to the NP7 processors. To help provide better HA stability and resiliency, HA traffic uses a dedicated physical control path that provides HA control traffic separation from data traffic processing.
The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.
You can use the following command to display the FortiGate 3500F and 3501F NP7 configuration. The command output shows a that all three NP7s are connected to all interfaces.
diagnose npu np7 port-list Front Panel Port: Name Max_speed(Mbps) Dflt_speed(Mbps) NP_group Switch_id SW_port_id SW_port_name -------- --------------- --------------- --------------- --------- ---------- ------------ port1 25000 10000 NP#0-2 0 23 xe2 port2 25000 10000 NP#0-2 0 24 xe3 port3 25000 10000 NP#0-2 0 29 xe4 port4 25000 10000 NP#0-2 0 30 xe5 port5 25000 10000 NP#0-2 0 31 xe6 port6 25000 10000 NP#0-2 0 32 xe7 port7 25000 10000 NP#0-2 0 33 xe8 port8 25000 10000 NP#0-2 0 34 xe9 port9 25000 10000 NP#0-2 0 35 xe10 port10 25000 10000 NP#0-2 0 36 xe11 port11 25000 10000 NP#0-2 0 41 xe12 port12 25000 10000 NP#0-2 0 42 xe13 port13 25000 10000 NP#0-2 0 43 xe14 port14 25000 10000 NP#0-2 0 44 xe15 port15 25000 10000 NP#0-2 0 49 xe16 port16 25000 10000 NP#0-2 0 50 xe17 port17 25000 10000 NP#0-2 0 51 xe18 port18 25000 10000 NP#0-2 0 52 xe19 port19 25000 10000 NP#0-2 0 61 xe24 port20 25000 10000 NP#0-2 0 62 xe25 port21 25000 10000 NP#0-2 0 63 xe26 port22 25000 10000 NP#0-2 0 64 xe27 port23 25000 10000 NP#0-2 0 57 xe20 port24 25000 10000 NP#0-2 0 58 xe21 port25 25000 10000 NP#0-2 0 59 xe22 port26 25000 10000 NP#0-2 0 60 xe23 port27 25000 10000 NP#0-2 0 71 xe29 port28 25000 10000 NP#0-2 0 72 xe30 port29 25000 10000 NP#0-2 0 73 xe31 port30 25000 10000 NP#0-2 0 74 xe32 port31 100000 100000 NP#0-2 0 79 ce4 port32 100000 100000 NP#0-2 0 67 ce3 port33 100000 100000 NP#0-2 0 95 ce6 port34 100000 100000 NP#0-2 0 87 ce5 port35 100000 100000 NP#0-2 0 123 ce10 port36 100000 100000 NP#0-2 0 99 ce7 -------- --------------- --------------- --------------- --------- ---------- ------------ NP Port: Name Switch_id SW_port_id SW_port_name ------ --------- ---------- ------------ np0_0 0 5 ce1 np0_1 0 13 ce2 np1_0 0 127 ce11 np1_1 0 1 ce0 np2_0 0 107 ce8 np2_1 0 115 ce9 ------ --------- ---------- ------------ * Max_speed: Maximum speed, Dflt_speed: Default speed * SW_port_id: Switch port ID, SW_port_name: Switch port name
The command output also shows the maximum and default speeds of each interface.
The integrated switch fabric distributes sessions from the data interfaces to the NP7 processors. The three NP7 processors have a bandwidth capacity of 200Gigabit x 3 = 600 Gigabit. If all interfaces were operating at their maximum bandwidth, the NP7 processors would not be able to offload all the traffic. You can use NPU port mapping to control how sessions are distributed to NP7 processors.
You can add LAGs to improve performance. For details, see Increasing NP7 offloading capacity using link aggregation groups (LAGs).
The FortiGate-3500F and 3501F can be licensed for hyperscale firewall support, see the Hyperscale Firewall Guide.
Interface groups and changing data interface speeds
FortiGate-3500F and 3501F front panel data interfaces are divided into the following groups:
- ha1, ha2, port1, and port2
- port3 - port6
- port7 - port10
- port11 - port14
- port15 - port18
- port19 - port22
- port23 - port26
- port27 - port30
All of the interfaces in a group operate at the same speed. Changing the speed of an interface changes the speeds of all of the interfaces in the same group. For example, if you change the speed of port16 from 10Gbps to 25Gbps the speeds of port15 to port18 are also changed to 25Gbps.
Another example, the default speed of the port15 to port30 interfaces is 10Gbps. If you want to install 25GigE transceivers in port15 to port30 to convert all of these data interfaces to connect to 25Gbps networks, you can enter the following from the CLI:
config system interface
edit port15
set speed 25000full
next
edit port19
set speed 25000full
next
edit port23
set speed 25000full
next
edit port27
set speed 25000full
end
Every time you change a data interface speed, when you enter the end
command, the CLI confirms the range of interfaces affected by the change. For example, if you change the speed of port5 the following message appears:
config system interface
edit port5
set speed 25000full
end
port3-port6 speed will be changed to 25000full due to hardware limit.
Do you want to continue? (y/n)
Configuring NPU port mapping
The default FortiGate-3500F and 3501F port mapping configuration results in sessions passing from front panel data interfaces to the integrated switch fabric. The integrated switch fabric distributes these sessions among the NP7 processors. Each NP7 processor is connected to the switch fabric with a LAG that consists of two 100-Gigabitinterfaces. The integrated switch fabric distributes sessions to the LAGs and each LAG distributes sessions between the two interfaces connected to the NP7 processor.
You can use NPU port mapping to override how data network interface sessions are distributed to each NP7 processor. For example, you can sent up NPU port mapping to send all traffic from a front panel data interface to a specific NP7 processor LAG or even to just one of the interfaces in that LAG.
Use the following command to configure NPU port mapping:
config system npu
config port-npu-map
edit <interface-name>
set npu-group-index <index>
end
<interface-name>
the name of a front panel data interface.
<index>
select different values of <index>
to change how sessions from the selected front panel data interface are handled by the integrated switch fabric. The list of available <index>
options depends on the NP7 configuration of your FortGate. For the FortiGate-3500F or 3501F <index>
can be 0 to 6. Use the ? to see the effect of each <index>
value.
Here are some examples of <index>
values for the FortiGate-3500F and 3501F:
-
0
, assign the front panel data interface toNP#0-1
, the default. Sessions from the front panel data interface are distributed among all three NP7 LAGs. -
2
, assign the front panel data interface to the LAG connected toNP#1
. Sessions from the front panel data interface are sent to the LAG connected to NP#1.
<index>
select different values of <index>
to change how sessions from the selected front panel data interface are handled by the integrated switch fabric. The list of available <index>
options depends on the NP7 configuration of your FortGate. For the FortiGate-3500F or 3501F <index>
can be:
-
0: NP#0-2
, distribute sessions from the front panel data interface among all three NP7 LAGs. -
1: NP#0
, send sessions from the front panel data interface to the LAG connected to NP#0. -
2: NP#1
, send sessions from the front panel data interface to the LAG connected to NP#1. -
3: NP#2
, send sessions from the front panel data interface to the LAG connected to NP#2. -
4: NP#0-1
, distribute sessions from the front panel data interface between the LAG connected to NP#0 and the LAG connected to NP#1. -
5: NP#1-2
, distribute sessions from the front panel data interface between the LAG connected to NP#1 and the LAG connected to NP#2. -
6: NP#0-link0
, send sessions from the front panel data interface tonp0_0
, which is one of the interfaces connected to NP#0. -
7: NP#0-link1
, send sessions from the front panel data interface tonp0_0
, which is one of the interfaces connected to NP#0. -
8: NP#1-link0
, send sessions from the front panel data interface tonp1_0
, which is one of the interfaces connected to NP#1. -
9: NP#1-link1
, send sessions from the front panel data interface tonp1_1
, which is one of the interfaces connected to NP#1. -
10: NP#2-link0
, send sessions from the front panel data interface tonp2_0
, which is one of the interfaces connected to NP#2. -
11: NP#2-link1
, send sessions from the front panel data interface tonp2_1
, which is one of the interfaces connected to NP#2.
For example, use the following syntax to assign the FortiGate-3500F port21 and port22 interfaces to NP#1 and port23 and port24 interfaces to NP#2:
config system npu
config port-npu-map
edit port21
set npu-group-index 2
next
edit port22
set npu-group-index 2
next
edit port23
set npu-group-index 3
next
edit port24
set npu-group-index 3
end
end
You can use the diagnose npu np7 port-list
command to see the current NPU port map configuration. While the FortiGate-3500F or 3501F is processing traffic, you can use the diagnose npu np7 cgmac-stats <npu-id>
command to show how traffic is distributed to the NP7 links.
For example, after making the changes described in the example, the NP_group
column of the diagnose npu np7 port-list
command output for port21 to port 24 shows the new mapping:
diagnose npu np7 port-list Front Panel Port: Name Max_speed(Mbps) Dflt_speed(Mbps) NP_group Switch_id SW_port_id SW_port_name ------ --------------- --------------- --------------- --------- ---------- ------------ . . . port21 100000 100000 NP#1 0 75 ce9 port22 100000 100000 NP#1 0 71 ce8 port23 100000 100000 NP#2 0 83 ce11 port24 100000 100000 NP#2 0 79 ce10 . . .