
Hardware Acceleration

FortiGate 2000E fast path architecture


The FortiGate 2000E features the following front panel interfaces:

  • Two 10/100/1000BASE-T Copper interfaces (MGMT1 and MGMT2, not connected to the NP6 processors)
  • Thirty-two 10/100/1000BASE-T interfaces (1 to 32)
  • Four 10GigE SFP+ interfaces (33 to 36)
  • Two 10GigE SFP+ interfaces (37 and 38)

The FortiGate 2000E includes three NP6 processors in an NP Direct configuration. The NP6 processors connected to the 10GigE ports are also in a low latency NP Direct configuration.

The NP6s are connected to network interfaces as follows:

  • NP6_0 is connected to 33 to 36 in a low latency configuration
  • NP6_1 is connected to 1 to 32
  • NP6_2 is connected to 37 and 38 in a low latency configuration

As a result of the NP Direct configuration, traffic will only be offloaded if it enters and exits the FortiGate 2000E on interfaces connected to the same NP6 processor.

The following diagram also shows the XAUI and QSGMII port connections between the NP6 processors and the front panel interfaces and the aggregate switch for the thirty-two 10/100/1000BASE-T interfaces.

All data traffic passes from the data interfaces to the NP6 processors. Data traffic processed by the CPU takes a dedicated data path through the ISF and an NP6 processor to the CPU.

The MGMT interfaces are not connected to the NP6 processors. Management traffic passes to the CPU over a dedicated management path that is separate from the data paths. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Improving GUI and CLI responsiveness (dedicated management CPU)). This separation of management traffic from data traffic keeps management traffic from interfering with the stability and performance of data traffic processing.

You can use the following get command to display the FortiGate 2000E NP6 configuration. You can also use the diagnose npu np6 port-list command to display this information.

get hardware npu np6 port-list 
Chip   XAUI Ports   Max   Cross-chip 
                    Speed offloading 
------ ---- ------- ----- ---------- 
np6_1  0    port1   1G    No
       0    port5   1G    No
       0    port9   1G    No
       0    port13  1G    No
       0    port17  1G    No
       0    port21  1G    No
       0    port25  1G    No
       0    port29  1G    No
       1    port2   1G    No
       1    port6   1G    No
       1    port10  1G    No
       1    port14  1G    No
       1    port18  1G    No
       1    port22  1G    No
       1    port26  1G    No
       1    port30  1G    No
       2    port3   1G    No
       2    port7   1G    No
       2    port11  1G    No
       2    port15  1G    No
       2    port19  1G    No
       2    port23  1G    No
       2    port27  1G    No
       2    port31  1G    No
       3    port4   1G    No
       3    port8   1G    No
       3    port12  1G    No
       3    port16  1G    No
       3    port20  1G    No
       3    port24  1G    No
       3    port28  1G    No
       3    port32  1G    No
------ ---- ------- ----- ---------- 
np6_0  0    port33  10G   No 
       1    port34  10G   No 
       2    port35  10G   No 
       3    port36  10G   No 
------ ---- ------- ----- ---------- 
np6_2  0    port37  10G   No 
       1    port38  10G   No 
------ ---- ------- ----- ---------- 

The FortiGate 2000E supports creating LAGs that include interfaces connected to different NP6 processors. Because the FortiGate 2000E does not have an internal switch fabric, when you set up a LAG consisting of interfaces connected to different NP6 processors, interfaces connected to each NP6 processor are added to different interface groups in the LAG. One interface group becomes the active group and processes all traffic. The interfaces in the other group or groups become passive. No traffic is processed by interfaces in the passive group or groups unless all of the interfaces in the active group fail or become disconnected.

Since only one NP6 processor can process traffic accepted by the LAG, creating a LAG with multiple NP6 processors does not improve performance in the same way as in a FortiGate with an internal switch fabric. However, other benefits of LAGs, such as redundancy, are supported.

For details, see Increasing NP6 offloading capacity using link aggregation groups (LAGs).
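
The same-NP6 offload rule and the LAG interface grouping described above can be checked against the port-list output before firewall policies or aggregates are planned. The following Python script is an added example, not Fortinet code; the sample text is constructed and abbreviated, and treating a Yes in the Cross-chip offloading column as permitting offload between chips is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated `get hardware npu np6 port-list` output in the
# layout shown on this page (only three of the thirty-two np6_1 ports are kept).
SAMPLE = """\
Chip   XAUI Ports   Max   Cross-chip
                    Speed offloading
------ ---- ------- ----- ----------
np6_1  0    port1   1G    No
       0    port5   1G    No
       1    port2   1G    No
------ ---- ------- ----- ----------
np6_0  0    port33  10G   No
       1    port34  10G   No
------ ---- ------- ----- ----------
np6_2  0    port37  10G   No
       1    port38  10G   No
------ ---- ------- ----- ----------
"""

ROW = re.compile(r"^(np6_\d+)?\s+(\d+)\s+(\S+)\s+(\S+)\s+(Yes|No)\s*$")

def parse_port_list(text):
    """Return {port: (chip, cross_chip_offload)}; the chip name carries down rows."""
    ports, chip = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        chip = m.group(1) or chip
        if chip is None:
            raise ValueError(f"port row before any chip name: {line!r}")
        ports[m.group(3)] = (chip, m.group(5) == "Yes")
    return ports

def can_offload(ports, ingress, egress):
    """NP Direct rule from the page: both ports on the same NP6.
    Assumption: 'Yes' on both ports in the cross-chip column also allows it."""
    (chip_in, x_in), (chip_out, x_out) = ports[ingress], ports[egress]
    return chip_in == chip_out or (x_in and x_out)

def lag_groups(ports, members):
    """Group LAG members by NP6; more than one group means only one is active."""
    groups = defaultdict(list)
    for name in members:
        groups[ports[name][0]].append(name)
    return dict(groups)
```

A LAG whose members return more than one key from lag_groups gives redundancy only, because a single interface group is active at a time.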
