FortiGate 700G and 701G fast path architecture
The FortiGate 700G and 701G each include one NP7 processor and one CP10 processor. All front panel data interfaces and the NP7 processor connect to the integrated switch fabric (ISF). All data traffic passes from the data interfaces through the ISF to the NP7 processor. All supported traffic passing between any two data interfaces can be offloaded by the NP7 processor. Data traffic processed by the CPU takes a dedicated data path through the ISF and the NP7 processor to the CPU.
The FortiGate 700G and 701G models feature the following front panel interfaces:
- One 10/100/1000/2.5GBASE-T RJ45 (HA, not connected to the NP7 processor).
- One 10/100/1000BASE-T RJ45 (MGMT, not connected to the NP7 processor).
- Eight 5G/2.5G/1G/100M BASE-T RJ45 (WAN1, WAN2, LAN1 to LAN6).
- Sixteen 1 GigE SFP (LAN7 to LAN22).
- Four 10/1 GigE SFP+/SFP (X1 to X4) (X1 and X2 are FortiLink interfaces).
- Four 25/10 GigE SFP28/SFP+ (X5 to X8).
The MGMT interface is not connected to the NP7 processor. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Improving GUI and CLI responsiveness (dedicated management CPU)).
The HA interface is also not connected to the NP7 processor. To help provide better HA stability and resiliency, HA traffic uses a dedicated physical control path that provides HA control traffic separation from data traffic processing.
The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.
You can use the following command to display the FortiGate 700G or 701G NP7 configuration.
    diagnose npu np7 port-list
    Front Panel Port:
    Name     Max_speed(Mbps) Dflt_speed(Mbps) NP_group        Switch_id SW_port_id SW_port_name
    -------- --------------- ---------------  --------------- --------- ---------- ------------
    wan1     5000            5000             NP#0 0          0         19         ge17
    wan2     5000            5000             NP#0 0          0         18         ge16
    lan1     5000            5000             NP#0 0          0         21         ge19
    lan2     5000            5000             NP#0 0          0         20         ge18
    lan3     5000            5000             NP#0 0          0         23         ge21
    lan4     5000            5000             NP#0 0          0         22         ge20
    lan5     5000            5000             NP#0 0          0         25         ge23
    lan6     5000            5000             NP#0 0          0         24         ge22
    lan7     1000            1000             NP#0 0          0         3          ge1
    lan8     1000            1000             NP#0 0          0         5          ge3
    lan9     1000            1000             NP#0 0          0         4          ge2
    lan10    1000            1000             NP#0 0          0         2          ge0
    lan11    1000            1000             NP#0 0          0         9          ge7
    lan12    1000            1000             NP#0 0          0         8          ge6
    lan13    1000            1000             NP#0 0          0         7          ge5
    lan14    1000            1000             NP#0 0          0         6          ge4
    lan15    1000            1000             NP#0 0          0         11         ge9
    lan16    1000            1000             NP#0 0          0         13         ge11
    lan17    1000            1000             NP#0 0          0         12         ge10
    lan18    1000            1000             NP#0 0          0         10         ge8
    lan19    1000            1000             NP#0 0          0         17         ge15
    lan20    1000            1000             NP#0 0          0         16         ge14
    lan21    1000            1000             NP#0 0          0         15         ge13
    lan22    1000            1000             NP#0 0          0         14         ge12
    x1       10000           10000            NP#0 0          0         38         xe4
    x2       10000           10000            NP#0 0          0         39         xe5
    x3       10000           10000            NP#0 0          0         40         xe6
    x4       10000           10000            NP#0 0          0         41         xe7
    x5       25000           10000            NP#0 0          0         34         xe0
    x6       25000           10000            NP#0 0          0         35         xe1
    x7       25000           10000            NP#0 0          0         36         xe2
    x8       25000           10000            NP#0 0          0         37         xe3
    -------- --------------- ---------------  --------------- --------- ---------- ------------
    NP Port:
    Name   Switch_id SW_port_id SW_port_name
    ------ --------- ---------- ------------
    np0_0  0         30         ce1
    np0_1  0         26         ce0
    ------ --------- ---------- ------------
    * Max_speed: Maximum speed, Dflt_speed: Default speed
    * SW_port_id: Switch port ID, SW_port_name: Switch port name
The command output also shows the maximum speed, default speed, and NP group for each interface.
The NP7 processor has a bandwidth capacity of 200 Gigabits. You can see from the command output that if all interfaces were operating at their maximum bandwidth the NP7 processor would not be able to offload all the traffic.
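As an added example (not Fortinet code), the following Python parses captured diagnose npu np7 port-list output and checks two things described above: that the MGMT and HA interfaces do not appear among the NP7-connected ports, and which interfaces have a default speed below their maximum. The sample is a few rows taken from the output above; the interface names mgmt and ha are assumptions.

```python
# Constructed sample: a subset of the rows shown in the port-list output above.
SAMPLE = """\
Front Panel Port:
Name     Max_speed(Mbps) Dflt_speed(Mbps) NP_group Switch_id SW_port_id SW_port_name
-------- --------------- --------------- -------- --------- ---------- ------------
wan1     5000            5000            NP#0 0   0         19         ge17
lan7     1000            1000            NP#0 0   0         3          ge1
x1       10000           10000           NP#0 0   0         38         xe4
x5       25000           10000           NP#0 0   0         34         xe0
-------- --------------- --------------- -------- --------- ---------- ------------
NP Port:
Name   Switch_id SW_port_id SW_port_name
------ --------- ---------- ------------
np0_0  0         30         ce1
np0_1  0         26         ce0
------ --------- ---------- ------------
* Max_speed: Maximum speed, Dflt_speed: Default speed
"""

def parse_port_list(text):
    """Return (front_panel, np_ports) as dicts keyed by interface name."""
    front, np_ports, section = {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if line.startswith("Front Panel Port"):
            section = front
        elif line.startswith("NP Port"):
            section = np_ports
        elif not tok or tok[0] == "Name" or tok[0][0] in "-*":
            continue  # blank lines, header rows, dash rulers, legend lines
        elif section is front and len(tok) >= 7:
            # The first three and last three fields are fixed; whatever sits
            # between them is kept verbatim as the NP group field.
            front[tok[0]] = {"max": int(tok[1]), "dflt": int(tok[2]),
                             "np_group": " ".join(tok[3:-3]),
                             "sw_port_id": int(tok[-2]), "sw_port": tok[-1]}
        elif section is np_ports and len(tok) == 4:
            np_ports[tok[0]] = {"sw_port_id": int(tok[2]), "sw_port": tok[3]}
    return front, np_ports

def audit(front, off_path=("mgmt", "ha")):
    """off_path holds assumed interface names for the MGMT and HA ports."""
    leaked = sorted(n for n in front if n.lower() in off_path)
    below_max = sorted(n for n, p in front.items() if p["dflt"] < p["max"])
    return {"on_np7_but_should_not_be": leaked, "default_below_max": below_max}
```
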
Configuring FortiGate 700G and 701G NPU port mapping
You can use the following command to configure FortiGate-700G and 701G NPU port mapping:
    config system npu-post
        config port-npu-map
            edit <interface-name>
                set npu-group {All-NP | NP0-link0 | NP0-link1}
            next
        end
    end
You can use port mapping to assign data interfaces or LAGs to send traffic to selected NP7 processor links.
<interface-name> can be a physical interface or a LAG.
- All-NP (the default): distribute sessions to the LAG connected to NP0.
- NP0-link0: send sessions to NP0 link 0.
- NP0-link1: send sessions to NP0 link 1.
- NP0-link0 NP0-link1: send sessions to both NP0 link 0 and NP0 link 1.
For example, use the following syntax to assign the FortiGate-700G front panel X5 interface to NP0-link0 and the X6 interface to NP0-link1. The resulting configuration splits traffic from the X5 and X6 interfaces between the two NP7 links:
    config system npu-post
        config port-npu-map
            edit x5
                set npu-group NP0-link0
            next
            edit x6
                set npu-group NP0-link1
        end
    end
While the FortiGate-700G or 701G is processing traffic, you can use the diagnose npu np7 cgmac-stats <npu-id> command to show how traffic is distributed to the NP7 links.
You can use the diagnose npu np7 port-list command to see the current NPU port map configuration. For example, after making the changes described in the example, the output of the diagnose npu np7 port-list command shows different Sw_Trunk_Ids for X5 and X6 and these interfaces are listed in a port mapping summary at the bottom of the command output.