FortiGate 3400E and 3401E fast path architecture
The FortiGate 3400E and 3401E each include six NP6 processors (NP6_0 to NP6_5). All front panel data interfaces and all of the NP6 processors connect to the integrated switch fabric (ISF). All data traffic passes from the data interfaces through the ISF to the NP6 processors. Because of the ISF, all supported traffic passing between any two data interfaces can be offloaded by the NP6 processors. No special mapping is required for fast path offloading or aggregate interfaces. Data traffic processed by the CPU takes a dedicated data path through the ISF and an NP6 processor to the CPU.
The FortiGate 3400E and 3401E models feature the following front panel interfaces:
- Two 10/100/1000BASE-T Copper (MGMT1 and MGMT2).
- Two 10/25 GigE SFP+/SFP28 (HA1 and HA2, not connected to the NP6 processors).
- Twenty-two 10/25 GigE SFP+/SFP28 (1 to 22), interface groups: HA1 - HA2 - 1 - 2, 3 - 6, 7 - 10, 11 - 14, 15 - 18, and 19 - 22.
- Four 100 GigE QSFP28 (23 to 26).
The FortiGate-3400 and 3401 do not support auto-negotiation when setting interface speeds. Always set a specific interface speed. For example: config system interface edit port23 set speed {40000full | 100Gfull} end |
The MGMT interfaces are not connected to the NP6 processors. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Improving GUI and CLI responsiveness (dedicated management CPU)).
The HA interfaces are also not connected to the NP6 processors. To help provide better HA stability and resiliency, the HA traffic uses a dedicated physical control path that provides HA control traffic separation from data traffic processing.
The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.
You can use the following get command to display the FortiGate 3400E or 3401E NP6 configuration. You can also use the diagnose npu np6 port-list
command to display this information.
get hardware npu np6 port-list Chip XAUI Ports Max Cross-chip Speed offloading -------------------- ---- ------ ------- ---------- NP#0-5 0-3 port1 25000M Yes NP#0-5 0-3 port2 25000M Yes NP#0-5 0-3 port3 25000M Yes NP#0-5 0-3 port4 25000M Yes NP#0-5 0-3 port5 25000M Yes NP#0-5 0-3 port6 25000M Yes NP#0-5 0-3 port7 25000M Yes NP#0-5 0-3 port8 25000M Yes NP#0-5 0-3 port9 25000M Yes NP#0-5 0-3 port10 25000M Yes NP#0-5 0-3 port11 25000M Yes NP#0-5 0-3 port12 25000M Yes NP#0-5 0-3 port13 25000M Yes NP#0-5 0-3 port14 25000M Yes NP#0-5 0-3 port15 25000M Yes NP#0-5 0-3 port16 25000M Yes NP#0-5 0-3 port17 25000M Yes NP#0-5 0-3 port18 25000M Yes NP#0-5 0-3 port19 25000M Yes NP#0-5 0-3 port20 25000M Yes NP#0-5 0-3 port21 25000M Yes NP#0-5 0-3 port22 25000M Yes NP#0-5 0-3 port23 100000M Yes NP#0-5 0-3 port24 100000M Yes NP#0-5 0-3 port25 100000M Yes NP#0-5 0-3 port26 100000M Yes -------------------- ---- ------ ------- ----------
Interface groups and changing data interface speeds
FortiGate-3400E and 3401E front panel interfaces HA1, HA2, and 1 to 22 are divided into the following groups:
- ha1 - ha2 - port1 - port2
- port3 - port6
- port7 - port10
- port11 - port14
- port15 - port18
- port19 - port22
All of the interfaces in a group operate at the same speed. Changing the speed of an interface changes the speeds of all of the interfaces in the same group. For example, if you change the speed of port12 from 25Gbps to 10Gbps the speeds of port11 to port14 are also changed to 10Gbps.
Another example, port15 to port22 are operating at 25Gbps. If you want to install 10GigE transceivers in port15 to port22 to convert all of these data interfaces to connect to 10Gbps networks, you can enter the following from the CLI:
config system interface
edit port15
set speed 10000full
next
edit port19
set speed 10000full
end
Every time you change a data interface speed, when you enter the end
command, the CLI confirms the range of interfaces affected by the change. For example, if you change the speed of port19 the following message appears:
config system interface
edit port19
set speed 10000full
end
port19-port22 speed will be changed to 10000full due to hardware limit.
Do you want to continue? (y/n)