Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Hardware Acceleration

FortiGate 3600E and 3601E fast path architecture

The FortiGate 3600E and 3601E models feature the following front panel interfaces:

  • Two 10/100/1000BASE-T Copper (MGMT1 and MGMT2)
  • Two 10/25 GigE SFP+/SFP28 (HA1 and HA2, not connected to the NP6 processors)
  • Thirty 10/25 GigE SFP+/SFP28 (1 to 30) interface groups: HA1 - HA2 - 1 - 2, 3 - 6, 7 - 10, 11 - 14, 15 - 18, 19 - 22, 23 - 26, and 27 - 30
  • Six 100 GigE QSFP28 (31 to 36)
Note

The FortiGate-3600 and 3601 do not support auto-negotiation when setting interface speeds. Always set a specific interface speed. For example:

config system interface

edit port31

set speed {40000full | 100Gfull}

end

 

The FortiGate 3600E and 3601E each include six NP6 processors (NP6_0 to NP6_5). All front panel data interfaces and all of the NP6 processors connect to the integrated switch fabric (ISF). All data traffic passes from the data interfaces through the ISF to the NP6 processors. Because of the ISF, all supported traffic passing between any two data interfaces can be offloaded by the NP6 processors. No special mapping is required for fast path offloading or aggregate interfaces. Data traffic processed by the CPU takes a dedicated data path through the ISF and an NP6 processor to the CPU.

The MGMT interfaces are not connected to the NP6 processors. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Dedicated management CPU).

The HA interfaces are also not connected to the NP6 processors. To help provide better HA stability and resiliency, the HA traffic uses a dedicated physical control path that provides HA control traffic separation from data traffic processing.

The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.

You can use the following command to display the FortiGate 3600E or 3601E NP6 configuration. You can also use the diagnose npu np6 port-list command to display this information.

get hardware npu np6 port-list 
Chip                  XAUI Ports   Max     Cross-chip 
                                   Speed   offloading 
--------------------  ---- ------  ------- ---------- 
NP#0-5                0-3  port1   25000M  Yes 
NP#0-5                0-3  port2   25000M  Yes 
NP#0-5                0-3  port3   25000M  Yes 
NP#0-5                0-3  port4   25000M  Yes 
NP#0-5                0-3  port5   25000M  Yes 
NP#0-5                0-3  port6   25000M  Yes 
NP#0-5                0-3  port7   25000M  Yes 
NP#0-5                0-3  port8   25000M  Yes 
NP#0-5                0-3  port9   25000M  Yes 
NP#0-5                0-3  port10  25000M  Yes 
NP#0-5                0-3  port11  25000M  Yes 
NP#0-5                0-3  port12  25000M  Yes 
NP#0-5                0-3  port13  25000M  Yes 
NP#0-5                0-3  port14  25000M  Yes 
NP#0-5                0-3  port15  25000M  Yes 
NP#0-5                0-3  port16  25000M  Yes 
NP#0-5                0-3  port17  25000M  Yes 
NP#0-5                0-3  port18  25000M  Yes 
NP#0-5                0-3  port19  25000M  Yes 
NP#0-5                0-3  port20  25000M  Yes 
NP#0-5                0-3  port21  25000M  Yes 
NP#0-5                0-3  port22  25000M  Yes 
NP#0-5                0-3  port23  25000M  Yes 
NP#0-5                0-3  port24  25000M  Yes 
NP#0-5                0-3  port25  25000M  Yes 
NP#0-5                0-3  port26  25000M  Yes 
NP#0-5                0-3  port27  25000M  Yes 
NP#0-5                0-3  port28  25000M  Yes 
NP#0-5                0-3  port29  25000M  Yes 
NP#0-5                0-3  port30  25000M  Yes 
NP#0-5                0-3  port31  100000M Yes 
NP#0-5                0-3  port32  100000M Yes 
NP#0-5                0-3  port33  100000M Yes 
NP#0-5                0-3  port34  100000M Yes 
NP#0-5                0-3  port35  100000M Yes 
NP#0-5                0-3  port36  100000M Yes 
--------------------  ---- ------  ------- ---------- 

Interface groups and changing data interface speeds

FortiGate-3600E and 3601E front panel interfaces HA1, HA2, and 1 to 30 are divided into the following groups:

  • ha1 - ha2 - port1 - port2
  • port3 - port6
  • port7 - port10
  • port11 - port14
  • port15 - port18
  • port19 - port22
  • port23 - port26
  • port27 - port30

All of the interfaces in a group operate at the same speed. Changing the speed of an interface changes the speeds of all of the interfaces in the same group. For example, if you change the speed of port12 from 25Gbps to 10Gbps the speeds of port11 to port14 are also changed to 10Gbps.

Another example, port15 to port22 are operating at 25Gbps. If you want to install 10GigE transceivers in port15 to port22 to convert all of these data interfaces to connect to 10Gbps networks, you can enter the following from the CLI:

config system interface

edit port15

set speed 10000full

next

edit port19

set speed 10000full

end

Every time you change a data interface speed, when you enter the end command, the CLI confirms the range of interfaces affected by the change. For example, if you change the speed of port7 the following message appears:

config system interface

edit port7

set speed 10000full

end

port7-port10 speed will be changed to 10000full due to hardware limit.

Do you want to continue? (y/n)

FortiGate 3600E and 3601E fast path architecture

The FortiGate 3600E and 3601E models feature the following front panel interfaces:

  • Two 10/100/1000BASE-T Copper (MGMT1 and MGMT2)
  • Two 10/25 GigE SFP+/SFP28 (HA1 and HA2, not connected to the NP6 processors)
  • Thirty 10/25 GigE SFP+/SFP28 (1 to 30) interface groups: HA1 - HA2 - 1 - 2, 3 - 6, 7 - 10, 11 - 14, 15 - 18, 19 - 22, 23 - 26, and 27 - 30
  • Six 100 GigE QSFP28 (31 to 36)
Note

The FortiGate-3600 and 3601 do not support auto-negotiation when setting interface speeds. Always set a specific interface speed. For example:

config system interface

edit port31

set speed {40000full | 100Gfull}

end

 

The FortiGate 3600E and 3601E each include six NP6 processors (NP6_0 to NP6_5). All front panel data interfaces and all of the NP6 processors connect to the integrated switch fabric (ISF). All data traffic passes from the data interfaces through the ISF to the NP6 processors. Because of the ISF, all supported traffic passing between any two data interfaces can be offloaded by the NP6 processors. No special mapping is required for fast path offloading or aggregate interfaces. Data traffic processed by the CPU takes a dedicated data path through the ISF and an NP6 processor to the CPU.

The MGMT interfaces are not connected to the NP6 processors. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Dedicated management CPU).

The HA interfaces are also not connected to the NP6 processors. To help provide better HA stability and resiliency, the HA traffic uses a dedicated physical control path that provides HA control traffic separation from data traffic processing.

The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.

You can use the following command to display the FortiGate 3600E or 3601E NP6 configuration. You can also use the diagnose npu np6 port-list command to display this information.

get hardware npu np6 port-list 
Chip                  XAUI Ports   Max     Cross-chip 
                                   Speed   offloading 
--------------------  ---- ------  ------- ---------- 
NP#0-5                0-3  port1   25000M  Yes 
NP#0-5                0-3  port2   25000M  Yes 
NP#0-5                0-3  port3   25000M  Yes 
NP#0-5                0-3  port4   25000M  Yes 
NP#0-5                0-3  port5   25000M  Yes 
NP#0-5                0-3  port6   25000M  Yes 
NP#0-5                0-3  port7   25000M  Yes 
NP#0-5                0-3  port8   25000M  Yes 
NP#0-5                0-3  port9   25000M  Yes 
NP#0-5                0-3  port10  25000M  Yes 
NP#0-5                0-3  port11  25000M  Yes 
NP#0-5                0-3  port12  25000M  Yes 
NP#0-5                0-3  port13  25000M  Yes 
NP#0-5                0-3  port14  25000M  Yes 
NP#0-5                0-3  port15  25000M  Yes 
NP#0-5                0-3  port16  25000M  Yes 
NP#0-5                0-3  port17  25000M  Yes 
NP#0-5                0-3  port18  25000M  Yes 
NP#0-5                0-3  port19  25000M  Yes 
NP#0-5                0-3  port20  25000M  Yes 
NP#0-5                0-3  port21  25000M  Yes 
NP#0-5                0-3  port22  25000M  Yes 
NP#0-5                0-3  port23  25000M  Yes 
NP#0-5                0-3  port24  25000M  Yes 
NP#0-5                0-3  port25  25000M  Yes 
NP#0-5                0-3  port26  25000M  Yes 
NP#0-5                0-3  port27  25000M  Yes 
NP#0-5                0-3  port28  25000M  Yes 
NP#0-5                0-3  port29  25000M  Yes 
NP#0-5                0-3  port30  25000M  Yes 
NP#0-5                0-3  port31  100000M Yes 
NP#0-5                0-3  port32  100000M Yes 
NP#0-5                0-3  port33  100000M Yes 
NP#0-5                0-3  port34  100000M Yes 
NP#0-5                0-3  port35  100000M Yes 
NP#0-5                0-3  port36  100000M Yes 
--------------------  ---- ------  ------- ---------- 

Interface groups and changing data interface speeds

FortiGate-3600E and 3601E front panel interfaces HA1, HA2, and 1 to 30 are divided into the following groups:

  • ha1 - ha2 - port1 - port2
  • port3 - port6
  • port7 - port10
  • port11 - port14
  • port15 - port18
  • port19 - port22
  • port23 - port26
  • port27 - port30

All of the interfaces in a group operate at the same speed. Changing the speed of an interface changes the speeds of all of the interfaces in the same group. For example, if you change the speed of port12 from 25Gbps to 10Gbps the speeds of port11 to port14 are also changed to 10Gbps.

Another example, port15 to port22 are operating at 25Gbps. If you want to install 10GigE transceivers in port15 to port22 to convert all of these data interfaces to connect to 10Gbps networks, you can enter the following from the CLI:

config system interface

edit port15

set speed 10000full

next

edit port19

set speed 10000full

end

Every time you change a data interface speed, when you enter the end command, the CLI confirms the range of interfaces affected by the change. For example, if you change the speed of port7 the following message appears:

config system interface

edit port7

set speed 10000full

end

port7-port10 speed will be changed to 10000full due to hardware limit.

Do you want to continue? (y/n)