
Hardware Acceleration

FortiGate 3700F and 3701F fast path architecture

The FortiGate 3700F and 3701F each include three NP7 processors (NP#0, NP#1, and NP#2). Front panel data interfaces 1 to 4 are ultra low latency (ULL) interfaces that connect directly to NP#0. All other front panel data interfaces (5 to 26) connect to all three of the NP7 processors over the integrated switch fabric.

The FortiGate 3700F and 3701F models feature the following front panel interfaces:

  • Two 10/100/1000BASE-T Copper (MGMT1 and MGMT2, not connected to the NP7 processors).
  • Twenty 1/10/25/50 GigE SFP56 (HA1, HA2, 5 to 22; the HA interfaces are not connected to the NP7 processors).
  • Four 10/25 GigE SFP+/SFP28 (1 to 4), ultra low latency (ULL); all ULL interfaces operate at the same speed.
  • Four 400/200/100/40 GigE QSFP-DD (23 to 26).

The FortiGate 3700F and 3701F each include three NP7 processors. Front panel data interfaces 7 to 26 and the NP7 processors connect to the integrated switch fabric (ISF). All data traffic passes from the data interfaces through the ISF to the NP7 processors. All supported traffic passing between any two of these data interfaces can be offloaded by the NP7 processors. Data traffic processed by the CPU takes a dedicated data path through the ISF and an NP7 processor to the CPU.

Front panel data interfaces 1 to 4 are connected directly to NP#0 (using the NP7 interface named NP#0-link1) instead of the ISF. Since the ISF introduces latency, interfaces 1 to 4 are ultra low latency interfaces (ULL), and NP7 traffic entering and exiting the FortiGate through these interfaces experiences lower latency than if it were passing through interfaces that are connected to the ISF. To achieve low latency, traffic must enter and exit the FortiGate through the 1 to 4 interfaces. If traffic enters or exits through other data interfaces, it is subject to the latency resulting from passing through the ISF.

The MGMT interfaces are not connected to the NP7 processors. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Dedicated management CPU).

The HA interfaces are also not connected to the NP7 processors. To help provide better HA stability and resiliency, HA traffic uses a dedicated physical control path that provides HA control traffic separation from data traffic processing.

The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.

You can use the following command to display the FortiGate 3700F and 3701F NP7 configuration. The command output shows that the port1 to port4 interfaces are connected to NP#0. The command output also shows that the port5 to port26 interfaces are connected to all three NP7s.

diagnose npu np7 port-list
Front Panel Port:
Name     Max_speed(Mbps) Dflt_speed(Mbps) NP_group        Switch_id SW_port_id SW_port_name 
-------- --------------- ---------------  --------------- --------- ---------- ------------ 
port1    25000           10000            NP#0            n/a       n/a        n/a          
port2    25000           10000            NP#0            n/a       n/a        n/a          
port3    25000           10000            NP#0            n/a       n/a        n/a          
port4    25000           10000            NP#0            n/a       n/a        n/a          
port5    50000           50000            NP#0-2          0         73                      
port6    50000           50000            NP#0-2          0         72                      
port7    50000           50000            NP#0-2          0         77                      
port8    50000           50000            NP#0-2          0         76                      
port9    50000           50000            NP#0-2          0         79                      
port10   50000           50000            NP#0-2          0         78                      
port11   50000           50000            NP#0-2          0         81                      
port12   50000           50000            NP#0-2          0         80                      
port13   50000           50000            NP#0-2          0         83                      
port14   50000           50000            NP#0-2          0         82                      
port15   50000           50000            NP#0-2          0         1                       
port16   50000           50000            NP#0-2          0         0                       
port17   50000           50000            NP#0-2          0         3                       
port18   50000           50000            NP#0-2          0         2                       
port19   50000           50000            NP#0-2          0         5                       
port20   50000           50000            NP#0-2          0         4                       
port21   50000           50000            NP#0-2          0         7                       
port22   50000           50000            NP#0-2          0         6                       
port23   400000          400000           NP#0-2          0         8                       
port24   400000          400000           NP#0-2          0         16                      
port25   400000          400000           NP#0-2          0         24                      
port26   400000          400000           NP#0-2          0         32                      
-------- --------------- ---------------  --------------- --------- ---------- ------------ 

NP Port:
Name   Switch_id SW_port_id SW_port_name 
------ --------- ---------- ------------ 
np0_0  0         68                      
np1_0  0         64                      
np1_1  0         56                      
np2_0  0         48                      
np2_1  0         52                      
------ --------- ---------- ------------ 
* Max_speed: Maximum speed, Dflt_speed: Default speed
* SW_port_id: Switch port ID, SW_port_name: Switch port name

The command output also shows the maximum and default speeds of each interface.

The integrated switch fabric distributes sessions from the data interfaces to the NP7 processors. The three NP7 processors have a bandwidth capacity of 200 Gigabit x 3 = 600 Gigabit. If all interfaces were operating at their maximum bandwidth, the NP7 processors would not be able to offload all the traffic. You can use NPU port mapping to control how sessions are distributed to NP7 processors.

You can add LAGs to improve performance. For details, see Increasing NP7 offloading capacity using link aggregation groups (LAGs).

Changing the speed of the 1 to 4 ULL interfaces

By default, the FortiGate-3700F and 3701F front panel ULL data interfaces 1 to 4 operate as 10G SFP+ interfaces. You can use the following command to configure them to operate as 25G SFP28 interfaces:

config system npu
    set ull-port-mode 25G
end

Entering this command restarts the FortiGate, so the speed of the ULL interfaces should be changed during a maintenance window. This command changes the speeds of all of the ULL interfaces. All of the ULL interfaces operate at the same speed.

You can use the following command to change the ULL interfaces back to the default setting as 10G SFP+ interfaces:

config system npu
    set ull-port-mode 10G
end

Entering this command also restarts the FortiGate.

When the speed of the ULL interfaces is set to 25G, the output of the diagnose npu np7 port-list command changes to the following:

diagnose npu np7 port-list
Front Panel Port:
Name     Max_speed(Mbps) Dflt_speed(Mbps) NP_group        Switch_id SW_port_id SW_port_name 
-------- --------------- ---------------  --------------- --------- ---------- ------------ 
port1    25000           25000            NP#0            n/a       n/a        n/a          
port2    25000           25000            NP#0            n/a       n/a        n/a          
port3    25000           25000            NP#0            n/a       n/a        n/a          
port4    25000           25000            NP#0            n/a       n/a        n/a          
port5    50000           50000            NP#0-2          0         73                      
port6    50000           50000            NP#0-2          0         72                      
port7    50000           50000            NP#0-2          0         77                      
port8    50000           50000            NP#0-2          0         76                      
port9    50000           50000            NP#0-2          0         79                      
port10   50000           50000            NP#0-2          0         78                      
port11   50000           50000            NP#0-2          0         81                      
port12   50000           50000            NP#0-2          0         80                      
port13   50000           50000            NP#0-2          0         83                      
port14   50000           50000            NP#0-2          0         82                      
port15   50000           50000            NP#0-2          0         1                       
port16   50000           50000            NP#0-2          0         0                       
port17   50000           50000            NP#0-2          0         3                       
port18   50000           50000            NP#0-2          0         2                       
port19   50000           50000            NP#0-2          0         5                       
port20   50000           50000            NP#0-2          0         4                       
port21   50000           50000            NP#0-2          0         7                       
port22   50000           50000            NP#0-2          0         6                       
port23   400000          400000           NP#0-2          0         8                       
port24   400000          400000           NP#0-2          0         16                      
port25   400000          400000           NP#0-2          0         24                      
port26   400000          400000           NP#0-2          0         32                      
-------- --------------- ---------------  --------------- --------- ---------- ------------ 

NP Port:
Name   Switch_id SW_port_id SW_port_name 
------ --------- ---------- ------------ 
np0_0  0         68                      
np1_0  0         64                      
np1_1  0         56                      
np2_0  0         48                      
np2_1  0         52                      
------ --------- ---------- ------------ 
* Max_speed: Maximum speed, Dflt_speed: Default speed
* SW_port_id: Switch port ID, SW_port_name: Switch port name

Configuring NPU port mapping

The default FortiGate-3700F and 3701F port mapping configuration results in sessions passing from front panel data interfaces to the integrated switch fabric. The integrated switch fabric distributes these sessions among the NP7 processors. Each NP7 processor is connected to the switch fabric with a LAG that consists of two 100-Gigabit interfaces. The integrated switch fabric distributes sessions to the LAGs and each LAG distributes sessions between the two interfaces connected to the NP7 processor.

You can use NPU port mapping to override how data network interface sessions are distributed to each NP7 processor. For example, you can set up NPU port mapping to send all traffic from a front panel data interface to a specific NP7 processor LAG or even to just one of the interfaces in that LAG.

Use the following command to configure NPU port mapping:

config system npu
    config port-npu-map
        edit <interface-name>
            set npu-group-index <index>
    end
end

<interface-name> is the name of a front panel data interface.

Note

You cannot configure FortiGate-3700F or 3701F port mapping to use the NP#0-link1 interface because this interface is used for ULL connections to front panel interfaces 1 to 4.

<index> determines how sessions from the selected front panel data interface are handled by the integrated switch fabric. The list of available <index> options depends on the NP7 configuration of your FortiGate. For the FortiGate-3700F or 3701F, <index> can be:

  • 0: NP#0-2, distribute sessions from the front panel data interface among all three NP7 LAGs.

  • 1: NP#0, send sessions from the front panel data interface to the LAG connected to NP#0.

  • 2: NP#1, send sessions from the front panel data interface to the LAG connected to NP#1.

  • 3: NP#2, send sessions from the front panel data interface to the LAG connected to NP#2.

  • 4: NP#0-1, distribute sessions from the front panel data interface between the LAG connected to NP#0 and the LAG connected to NP#1.

  • 5: NP#1-2, distribute sessions from the front panel data interface between the LAG connected to NP#1 and the LAG connected to NP#2.

  • 6: NP#0-link0, send sessions from the front panel data interface to np0_0, which is one of the interfaces connected to NP#0.

  • 7: NP#1-link0, send sessions from the front panel data interface to np1_0, which is one of the interfaces connected to NP#1.

  • 8: NP#1-link1, send sessions from the front panel data interface to np1_1, which is one of the interfaces connected to NP#1.

  • 9: NP#2-link0, send sessions from the front panel data interface to np2_0, which is one of the interfaces connected to NP#2.

  • 10: NP#2-link1, send sessions from the front panel data interface to np2_1, which is one of the interfaces connected to NP#2.

For example, use the following syntax to assign the FortiGate-3700F port19 and port20 interfaces to the LAG connected to NP#1 and port21 and port22 interfaces to the LAG connected to NP#2:

config system npu
    config port-npu-map
        edit port19
            set npu-group-index 2
        next
        edit port20
            set npu-group-index 2
        next
        edit port21
            set npu-group-index 3
        next
        edit port22
            set npu-group-index 3
    end
end

You can use the diagnose npu np7 port-list command to see the current NPU port map configuration. While the FortiGate-3700F or 3701F is processing traffic, you can use the diagnose npu np7 cgmac-stats <npu-id> command to show how traffic is distributed to the NP7 links.

For example, after making the changes described in the example, the NP_group column of the diagnose npu np7 port-list command output for port19 to port22 shows the new mapping:

diagnose npu np7 port-list
Front Panel Port:
Name     Max_speed(Mbps) Dflt_speed(Mbps) NP_group        Switch_id SW_port_id SW_port_name 
-------- --------------- ---------------  --------------- --------- ---------- ------------ 
.          
.          
.          
port19   50000           50000            NP#1            0         5                       
port20   50000           50000            NP#1            0         4                       
port21   50000           50000            NP#2            0         7                       
port22   50000           50000            NP#2            0         6                
.
.
.
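
The following Python example is added here and is not part of the Fortinet documentation. It parses saved diagnose npu np7 port-list output, checks the NP_group column against an intended npu-group-index per port (useful for catching configuration drift), and compares the summed Max_speed of ISF-connected ports with the 600 Gigabit NP7 capacity stated above. The function names and the sample text are constructs of the example, and it assumes that indexes 6 to 10 appear in NP_group with the labels used in the index list above.

```python
import re

# npu-group-index -> NP_group label, from the index list on this page.
# Assumption: link-level labels (6-10) appear in NP_group as written there.
INDEX_TO_GROUP = {
    0: "NP#0-2", 1: "NP#0", 2: "NP#1", 3: "NP#2", 4: "NP#0-1", 5: "NP#1-2",
    6: "NP#0-link0", 7: "NP#1-link0", 8: "NP#1-link1",
    9: "NP#2-link0", 10: "NP#2-link1",
}
NP7_TOTAL_GBPS = 600  # 200 Gigabit x 3, as stated on this page
ROW = re.compile(r"^(port\d+)\s+(\d+)\s+(\d+)\s+(NP#\S+)\s+(\S+)")

# Sample input assembled for this example from the page's port-list rows
# (Name, Max_speed, Dflt_speed, NP_group, Switch_id, SW_port_id), with
# port19-port22 as they appear after the example mapping.
SAMPLE = """\
Front Panel Port:
port1    25000   10000   NP#0    n/a  n/a  n/a
port2    25000   10000   NP#0    n/a  n/a  n/a
port3    25000   10000   NP#0    n/a  n/a  n/a
port4    25000   10000   NP#0    n/a  n/a  n/a
port5    50000   50000   NP#0-2  0    73
port6    50000   50000   NP#0-2  0    72
port7    50000   50000   NP#0-2  0    77
port8    50000   50000   NP#0-2  0    76
port9    50000   50000   NP#0-2  0    79
port10   50000   50000   NP#0-2  0    78
port11   50000   50000   NP#0-2  0    81
port12   50000   50000   NP#0-2  0    80
port13   50000   50000   NP#0-2  0    83
port14   50000   50000   NP#0-2  0    82
port15   50000   50000   NP#0-2  0    1
port16   50000   50000   NP#0-2  0    0
port17   50000   50000   NP#0-2  0    3
port18   50000   50000   NP#0-2  0    2
port19   50000   50000   NP#1    0    5
port20   50000   50000   NP#1    0    4
port21   50000   50000   NP#2    0    7
port22   50000   50000   NP#2    0    6
port23   400000  400000  NP#0-2  0    8
port24   400000  400000  NP#0-2  0    16
port25   400000  400000  NP#0-2  0    24
port26   400000  400000  NP#0-2  0    32
"""


def parse_port_list(text):
    """Return {port: {"max": Gbps, "dflt": Gbps, "group": str, "isf": bool}}."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # headers, separators, NP Port rows, "." elisions
        name, max_mbps, dflt_mbps, group, switch_id = m.groups()
        ports[name] = {
            "max": int(max_mbps) // 1000,
            "dflt": int(dflt_mbps) // 1000,
            "group": group,
            "isf": switch_id != "n/a",  # ULL ports have no switch ID
        }
    return ports


def audit_mapping(ports, intended):
    """Compare intended {port: npu-group-index} with the observed NP_group.
    Returns (port, expected_group, observed_group) for every mismatch."""
    drift = []
    for port, index in sorted(intended.items()):
        expected = INDEX_TO_GROUP[index]
        observed = ports.get(port, {}).get("group", "missing")
        if observed != expected:
            drift.append((port, expected, observed))
    return drift


def isf_oversubscription(ports):
    """Summed Max_speed (Gbps) of ISF-connected ports and its ratio to NP7 capacity."""
    total = sum(p["max"] for p in ports.values() if p["isf"])
    return total, total / NP7_TOTAL_GBPS


if __name__ == "__main__":
    ports = parse_port_list(SAMPLE)
    intended = {"port19": 2, "port20": 2, "port21": 3, "port22": 3}
    print("drift:", audit_mapping(ports, intended))
    print("ISF max Gbps, ratio:", isf_oversubscription(ports))
```

An empty drift list means the observed mapping matches the intended one; the ratio shows how far the front panel maximum exceeds what the NP7 processors can offload.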
