FortiGate 6000F series
The FortiGate 6000F series is a collection of 3U 19-inch rackmount appliances that include twenty-four 1/10/25GigE SFP28 and four 40/100GigE QSFP28 data network interfaces, as well as NP6 and CP9 processors to deliver high IPS/threat prevention performance.
Currently, the following FortiGate 6000F series models are available:
- FortiGate 6500F and FortiGate 6500F-DC
- FortiGate 6501F and FortiGate 6501F-DC
- FortiGate 6300F and FortiGate 6300F-DC
- FortiGate 6301F and FortiGate 6301F-DC
- FortiGate 6001F and FortiGate 6001F-DC
All FortiGate 6000F series models have the same front and back panel configuration including the same network interfaces. The differences are the processing capacity of the individual models. All FortiGate 6000F series models include a management board (MBD) and internal Fortinet Processor Cards (FPCs) that contain NP6 and CP9 security processors. The management board handles management tasks, separating management tasks from data processing tasks that are handled by the FPCs. The FortiGate 6000F series uses session-aware load balancing to distribute sessions to the FPCs. The FortiGate-6500F includes ten FPCs and the FortiGate-6300F includes six FPCs.
The FortiGate 6001F includes a total of ten FPCs, of which three are active by default. To increase throughput, you can purchase perpetual or subscription licenses for each of the additional seven FPCs, for a total of ten.
The FortiGate 6001F, FortiGate 6301F, and FortiGate 6501F models also include two internal 1 TByte log disks in a RAID-1 configuration.
All of these models have the same hardware architecture. FortiGate 6000F models have separate data and management planes. The data plane handles all traffic and security processing functionality. The management plane handles management functions such as administrator logins, configuration and session synchronization, SNMP and other monitoring, HA heartbeat communication, and remote and (if supported) local disk logging. Separating these two planes means that resources used for traffic and security processing are not compromised by management activities.
FortiGate-6000 schematic
In the data plane, two DP3 load balancers use session-aware load balancing to distribute sessions from the front panel interfaces (port1 to 28) to Fortinet Processor Cards (FPCs). The DP3 processors communicate with the FPCs across the 3.2Tbps integrated switch fabric. Each FPC processes sessions load balanced to it. The FPCs send outgoing sessions back to the integrated switch fabric and then out the network interfaces to their destinations.
The NP6 processor in each FPC enhances network performance with fastpath acceleration that offloads communication sessions from the FPC CPU. The NP6 processor can also handle some CPU intensive tasks, like IPsec VPN encryption/decryption. The NP6 processor in each FPC connects to the integrated switch fabric over four XAUI ports.
The CP9 processors in each FPC accelerate many common resource intensive security related processes such as SSL VPN, Antivirus, Application Control, and IPS.
The management plane includes the management board, base backplane, management interfaces, and HA heartbeat interfaces. Configuration and session synchronization between FPCs in a FortiGate 6000F occurs over the base backplane. In an HA configuration, configuration and session synchronization between the FortiGate-6000s in the cluster takes place over the HA1 and HA2 interfaces. Administrator logins, SNMP monitoring, remote logging to one or more FortiAnalyzers or syslog servers, and other management functions use the MGMT1, MGMT2, and MGMT3 interfaces. You can use the 10Gbps MGMT3 interface for additional bandwidth that might be useful for high bandwidth activities such as remote logging.
All FortiGate-6000 models have the following front panel interfaces:
- Twenty-four 1/10/25GigE SFP28 data network interfaces (1 to 24). The default speed of these interfaces is 10Gbps. These interfaces are divided into the following interface groups: 1 - 4, 5 - 8, 9 - 12, 13 - 16, 17 - 20, and 21 - 24.
- Four 40/100GigE QSFP28 data network interfaces (25 to 28). The default speed of these interfaces is 40Gbps.
- Two 1/10GigE SFP+ HA interfaces (HA1 and HA2). The default speed of these interfaces is 10Gbps.
- Two 10/100/1000BASE-T out of band management Ethernet interfaces (MGMT1 and MGMT2).
- One 1/10GigE SFP+ out of band management interface (MGMT3).
From the management board, you can use the diagnose npu np6 port-list command to display the FortiGate-6000F NP6 configuration. The command output shows the NP6 configuration for all of the FPCs. You can see the same information for individual FPCs by logging into each FPC (for example by using the execute system console-server connect <slot-number> command) and using the same diagnose command or the get hardware npu np6 port-list command.
As shown in the example below for the FPC in slot 1, all of the FortiGate 6000F front panel interfaces and the fabric backplane (elbc-ctrl) connect to the NP6 processor in each FPC.
FortiGate-6000F [FPC01] (global) $ diagnose npu np6 port-list
Chip XAUI Ports Max   Cross-chip
                Speed offloading
-------------------- ---- ------ ------- ----------
all 0-3 elbc-ctrl/110G Yes
all 0-3 port1 25G Yes
all 0-3 port2 25G Yes
all 0-3 port3 25G Yes
all 0-3 port4 25G Yes
all 0-3 port5 25G Yes
all 0-3 port6 25G Yes
all 0-3 port7 25G Yes
all 0-3 port8 25G Yes
all 0-3 port9 25G Yes
all 0-3 port10 25G Yes
all 0-3 port11 25G Yes
all 0-3 port12 25G Yes
all 0-3 port13 25G Yes
all 0-3 port14 25G Yes
all 0-3 port15 25G Yes
all 0-3 port16 25G Yes
all 0-3 port17 25G Yes
all 0-3 port18 25G Yes
all 0-3 port19 25G Yes
all 0-3 port20 25G Yes
all 0-3 port21 25G Yes
all 0-3 port22 25G Yes
all 0-3 port23 25G Yes
all 0-3 port24 25G Yes
all 0-3 port25 100G Yes
all 0-3 port26 100G Yes
all 0-3 port27 100G Yes
all 0-3 port28 100G Yes
-------------------- ---- ------ ------- ----------
Interface groups and changing data interface speeds
Depending on the networks that you want to connect your FortiGate 6000F to, you may have to manually change the data interface speeds. The port1 to port24 data interfaces are divided into the following groups:
- port1 - port4
- port5 - port8
- port9 - port12
- port13 - port16
- port17 - port20
- port21 - port24
All of the interfaces in a group operate at the same speed. Changing the speed of an interface changes the speeds of all of the interfaces in the same group. For example, if you change the speed of port18 from 10Gbps to 25Gbps the speeds of port17 to port20 are also changed to 25Gbps.
The port25 to port28 interfaces are not part of an interface group. You can set the speed of each of these interfaces independently of the other three.
As another example, the default speed of the port1 to port24 interfaces is 10Gbps. If you want to install 25GigE transceivers in port1 to port24 so that these data interfaces can connect to 25Gbps networks, you must enter the following from the CLI:
config system interface
edit port1
set speed 25000full
next
edit port5
set speed 25000full
next
edit port9
set speed 25000full
next
edit port13
set speed 25000full
next
edit port17
set speed 25000full
next
edit port21
set speed 25000full
end
Every time you change a data interface speed, when you enter the end command, the CLI confirms the range of interfaces affected by the change. For example, if you change the speed of port5 the following message appears:
config system interface
edit port5
set speed 25000full
end
port5-port8 speed will be changed to 25000full due to hardware limit.
Do you want to continue? (y/n)
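Because a speed change on one port silently applies to its whole group, it helps to compute the affected ports before a change window. The following is an added example, not Fortinet code: it uses the group layout and the 25000full value from this page, while the function names, the sample request, and the 10000full value used in the conflict case are assumptions for illustration.

```python
# Added example: plan interface-group speed changes for a FortiGate 6000F.
# Group layout and "25000full" come from the page; function names and the
# sample request below are constructed for illustration.

GROUP_SIZE = 4
GROUPED_PORTS = range(1, 25)       # port1-port24: six groups of four
INDEPENDENT_PORTS = range(25, 29)  # port25-port28: set individually


def group_of(port):
    """Return (first, last) port numbers whose speed changes with `port`."""
    if port in INDEPENDENT_PORTS:
        return (port, port)
    if port not in GROUPED_PORTS:
        raise ValueError(f"port{port} is not a front panel data interface")
    first = ((port - 1) // GROUP_SIZE) * GROUP_SIZE + 1
    return (first, first + GROUP_SIZE - 1)


def plan_speed_changes(requested):
    """Map {port: speed} to {(first, last): speed}, rejecting conflicts."""
    plan = {}
    for port, speed in sorted(requested.items()):
        group = group_of(port)
        if plan.setdefault(group, speed) != speed:
            raise ValueError(
                f"port{port} wants {speed} but port{group[0]}-port{group[1]} "
                f"is already planned at {plan[group]}")
    return plan


def side_effects(requested):
    """Ports whose speed changes although the request did not name them."""
    touched = set()
    for first, last in plan_speed_changes(requested):
        touched.update(range(first, last + 1))
    return sorted(touched - set(requested))


def render_cli(plan):
    """Emit one edit per group, using the first port of the group."""
    lines = ["config system interface"]
    for (first, _last), speed in sorted(plan.items()):
        lines += [f"    edit port{first}", f"        set speed {speed}", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    wanted = {18: "25000full", 5: "25000full"}  # constructed sample request
    print(render_cli(plan_speed_changes(wanted)))
    print("also changed:", [f"port{p}" for p in side_effects(wanted)])
```

Requesting two different speeds for ports in the same group raises an error instead of letting the later setting override the earlier one.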