FortiGate 2500E fast path architecture
The FortiGate 2500E features the following front panel interfaces:
- Two 10/100/1000BASE-T Copper (MGMT1 and MGMT2, not connected to the NP6 processors)
- Thirty-two 10/100/1000BASE-T interfaces (1 to 32)
- Four 10GigE SFP+ interfaces (33 to 36)
- Four 10GigE SFP+ interfaces (37 to 40)
- Two 10GigE SFP+ interfaces (41 and 42)
- Two 10 Gig LC fiber bypass interfaces (43 and 44)
The FortiGate 2500E includes four NP6 processors in an NP Direct configuration. The NP6 processors connected to the 10GigE ports are also in a low latency NP Direct configuration.
The NP6s are connected to network interfaces as follows:
- NP6_0 is connected to four 10GigE SFP+ interfaces (port37 to port40) in a low latency configuration.
- NP6_1 is connected to thirty-two 10/100/1000BASE-T interfaces (port1 to port32).
- NP6_2 is connected to two 10GigE SFP+ interfaces (port41 and port42) and two 10 Gig LC fiber bypass interfaces (port43 and port44) in a low latency configuration.
- NP6_3 is connected to four 10GigE SFP+ interfaces (port33 to port36) in a low latency configuration.
As a result of the NP Direct configuration, traffic will only be offloaded if it enters and exits the FortiGate-2500E on interfaces connected to the same NP6 processor.
The following diagram also shows the XAUI and QSGMII port connections between the NP6 processors and the front panel interfaces and the aggregate switch for the thirty-two 10/100/1000BASE-T interfaces.
All data traffic passes from the data interfaces to the NP6 processors. Data traffic processed by the CPU takes a dedicated data path through the ISF and an NP6 processor to the CPU.
The MGMT interfaces are not connected to the NP6 processors. Management traffic passes to the CPU over a dedicated management path that is separate from the data paths. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Improving GUI and CLI responsiveness (dedicated management CPU)). This separation of management traffic from data traffic keeps management traffic from interfering with the stability and performance of data traffic processing.
You can use the following get command to display the FortiGate 2500E NP6 configuration. You can also use the diagnose npu np6 port-list command to display this information.
get hardware npu np6 port-list
Chip   XAUI Ports   Max   Cross-chip
                    Speed offloading
------ ---- ------- ----- ----------
np6_1  0    port1   1G    No
       0    port5   1G    No
       0    port9   1G    No
       0    port13  1G    No
       0    port17  1G    No
       0    port21  1G    No
       0    port25  1G    No
       0    port29  1G    No
       1    port2   1G    No
       1    port6   1G    No
       1    port10  1G    No
       1    port14  1G    No
       1    port18  1G    No
       1    port22  1G    No
       1    port26  1G    No
       1    port30  1G    No
       2    port3   1G    No
       2    port7   1G    No
       2    port11  1G    No
       2    port15  1G    No
       2    port19  1G    No
       2    port23  1G    No
       2    port27  1G    No
       2    port31  1G    No
       3    port4   1G    No
       3    port8   1G    No
       3    port12  1G    No
       3    port16  1G    No
       3    port20  1G    No
       3    port24  1G    No
       3    port28  1G    No
       3    port32  1G    No
------ ---- ------- ----- ----------
np6_0  0    port37  10G   No
       1    port38  10G   No
       2    port39  10G   No
       3    port40  10G   No
------ ---- ------- ----- ----------
np6_2  0    port43  10G   No
       1    port44  10G   No
       2    port41  10G   No
       3    port42  10G   No
------ ---- ------- ----- ----------
np6_3  0    port33  10G   No
       1    port34  10G   No
       2    port35  10G   No
       3    port36  10G   No
------ ---- ------- ----- ----------
The FortiGate-2500E supports creating LAGs that include interfaces connected to different NP6 processors. Because the FortiGate-2500E does not have an internal switch fabric, when you set up a LAG consisting of interfaces connected to different NP6 processors, the interfaces connected to each NP6 processor are added to different interface groups in the LAG. One interface group becomes the active group and processes all traffic. The interfaces in the other group or groups become passive. No traffic is processed by interfaces in the passive group or groups unless all of the interfaces in the active group fail or become disconnected.
Since only one NP6 processor can process traffic accepted by the LAG, creating a LAG with multiple NP6 processors does not improve performance in the same way as in a FortiGate with an internal switch fabric. However, other benefits of LAGs, such as redundancy, are supported.
For details, see Increasing NP6 offloading capacity using link aggregation groups (LAGs).
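The NP Direct offload rule (a session is offloaded only if it enters and exits on the same NP6) and the per-NP6 LAG interface groups described above can both be derived from the port-list output. The following Python script is an added example, not Fortinet code: it parses the get hardware npu np6 port-list output reproduced on this page, and the function names parse_port_list, can_offload and lag_groups are my own.

```python
"""Added example (not Fortinet code): port -> NP6 mapping and NP Direct offload check."""
import re
from collections import defaultdict

# Port-list output for the FortiGate 2500E as reproduced on this page.
PORT_LIST = """\
Chip   XAUI Ports   Max   Cross-chip
                    Speed offloading
------ ---- ------- ----- ----------
np6_1  0    port1   1G    No
       0    port5   1G    No
       0    port9   1G    No
       0    port13  1G    No
       0    port17  1G    No
       0    port21  1G    No
       0    port25  1G    No
       0    port29  1G    No
       1    port2   1G    No
       1    port6   1G    No
       1    port10  1G    No
       1    port14  1G    No
       1    port18  1G    No
       1    port22  1G    No
       1    port26  1G    No
       1    port30  1G    No
       2    port3   1G    No
       2    port7   1G    No
       2    port11  1G    No
       2    port15  1G    No
       2    port19  1G    No
       2    port23  1G    No
       2    port27  1G    No
       2    port31  1G    No
       3    port4   1G    No
       3    port8   1G    No
       3    port12  1G    No
       3    port16  1G    No
       3    port20  1G    No
       3    port24  1G    No
       3    port28  1G    No
       3    port32  1G    No
------ ---- ------- ----- ----------
np6_0  0    port37  10G   No
       1    port38  10G   No
       2    port39  10G   No
       3    port40  10G   No
------ ---- ------- ----- ----------
np6_2  0    port43  10G   No
       1    port44  10G   No
       2    port41  10G   No
       3    port42  10G   No
------ ---- ------- ----- ----------
np6_3  0    port33  10G   No
       1    port34  10G   No
       2    port35  10G   No
       3    port36  10G   No
------ ---- ------- ----- ----------
"""

# One data row: optional chip name, XAUI lane, port, max speed, cross-chip flag.
ROW = re.compile(r"^(?P<chip>np6_\d+)?\s*(?P<xaui>\d+)\s+(?P<port>port\d+)"
                 r"\s+(?P<speed>\S+)\s+(?P<xchip>\S+)\s*$")

def parse_port_list(text):
    """Return {port: (chip, xaui)}; a chip name carries over to the rows below it."""
    mapping, chip = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        chip = m.group("chip") or chip
        if chip is None:
            raise ValueError("port row before any chip name: %r" % line)
        mapping[m.group("port")] = (chip, int(m.group("xaui")))
    return mapping

def can_offload(mapping, ingress, egress):
    """NP Direct: offloaded only if ingress and egress sit on the same NP6.
    mgmt1/mgmt2 (and unknown names) are not on any NP6, so they never qualify."""
    if ingress not in mapping or egress not in mapping:
        return False
    return mapping[ingress][0] == mapping[egress][0]

def lag_groups(mapping, members):
    """Split LAG members into per-NP6 interface groups (only one group is active)."""
    groups = defaultdict(list)
    for port in members:
        groups[mapping[port][0]].append(port)
    return dict(groups)

if __name__ == "__main__":
    ports = parse_port_list(PORT_LIST)
    print(can_offload(ports, "port1", "port32"))   # True: both on np6_1
    print(can_offload(ports, "port1", "port33"))   # False: np6_1 -> np6_3
    print(lag_groups(ports, ["port33", "port34", "port37", "port38"]))
```

Feeding the script the live output of the command on another NP6-based model works the same way, as long as the columns follow the layout shown; a LAG whose members land in more than one group will carry traffic on only one NP6 at a time.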
Bypass interfaces (port43 and port44)
The FortiGate 2500E includes an internal optical bypass module between interfaces 43 and 44 that provides fail-open support. On these two interfaces, LC connectors connect directly to internal short-range (SR) lasers. No transceivers are required. When the FortiGate-2500E experiences a hardware failure or loses power, or when bypass mode is enabled, these interfaces operate in bypass mode. In bypass mode, interfaces 43 and 44 are optically shunted and all traffic can pass between them, bypassing the FortiOS firewall and the NP6_2 processor.
Interfaces 43 and 44 use an internal short-range (SR) laser, so interfaces 43 and 44 only support SR multi-mode fiber. You cannot use LR or single-mode fiber connections with these interfaces.
When the interfaces switch to bypass mode, the FortiGate 2500E acts like an optical patch cable. If packets going through these interfaces use VLANs or other network extensions, the attached upstream or downstream network equipment must be configured for these features.
The FortiGate 2500E will continue to operate in bypass mode until the failed FortiGate 2500E is replaced, power is restored, or bypass mode is disabled. If power is restored or bypass mode is disabled, the FortiGate 2500E resumes operating as a FortiGate device without interrupting traffic flow. Replacing a failed FortiGate 800D disrupts traffic as a technician physically replaces the failed FortiGate 800D with a new one.
During normal operation, the bypass status (B/P) LED glows green. When bypass mode is enabled, this LED glows amber.
Manually enabling bypass-mode
You can manually enable bypass mode if the FortiGate 2500E is operating in transparent mode. You can also manually enable bypass mode for a VDOM if interfaces 43 and 44 are both connected to the same VDOM operating in transparent mode.
Use the following command to enable bypass mode:
execute bypass-mode enable
This command changes the configuration, so bypass mode will still be enabled if the FortiGate-2500E restarts.
You can use the following command to disable bypass mode:
execute bypass-mode disable
Configuring bypass settings
You can use the following command to configure how bypass operates.
config system bypass
set bypass-watchdog {disable | enable}
set poweroff-bypass {disable | enable}
end
bypass-watchdog
Enable the bypass watchdog. When it is enabled, bypass mode is activated if the watchdog detects a software or hardware failure.
poweroff-bypass
If enabled, traffic can pass between the port43 and port44 interfaces while the FortiGate 2500E is powered off.