Fortinet white logo
Fortinet white logo

Hardware Acceleration

FortiGate 3400E and 3401E fast path architecture

FortiGate 3400E and 3401E fast path architecture

The FortiGate 3400E and 3401E each include six NP6 processors (NP6_0 to NP6_5). All front panel data interfaces and all of the NP6 processors connect to the integrated switch fabric (ISF). All data traffic passes from the data interfaces through the ISF to the NP6 processors. Because of the ISF, all supported traffic passing between any two data interfaces can be offloaded by the NP6 processors. No special mapping is required for fast path offloading or aggregate interfaces. Data traffic processed by the CPU takes a dedicated data path through the ISF and an NP6 processor to the CPU.

The FortiGate 3400E and 3401E models feature the following front panel interfaces:

  • Two 10/100/1000BASE-T Copper (MGMT1 and MGMT2).
  • Two 10/25 GigE SFP+/SFP28 (HA1 and HA2, not connected to the NP6 processors).
  • Twenty-two 10/25 GigE SFP+/SFP28 (1 to 22), interface groups: HA1 - HA2 - 1 - 2, 3 - 6, 7 - 10, 11 - 14, 15 - 18, and 19 - 22.
  • Four 100 GigE QSFP28 (23 to 26).
Note

The FortiGate-3400 and 3401 do not support auto-negotiation when setting interface speeds. Always set a specific interface speed. For example:

config system interface

edit port23

set speed {40000full | 100Gfull}

end

The MGMT interfaces are not connected to the NP6 processors. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Improving GUI and CLI responsiveness (dedicated management CPU)).

The HA interfaces are also not connected to the NP6 processors. To help provide better HA stability and resiliency, the HA traffic uses a dedicated physical control path that provides HA control traffic separation from data traffic processing.

The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.

You can use the following get command to display the FortiGate 3400E or 3401E NP6 configuration. You can also use the diagnose npu np6 port-list command to display this information.

get hardware npu np6 port-list
Chip                  XAUI Ports   Max     Cross-chip
                                   Speed   offloading
--------------------  ---- ------  ------- ----------
NP#0-5                0-3  port1   25000M  Yes
NP#0-5                0-3  port2   25000M  Yes
NP#0-5                0-3  port3   25000M  Yes
NP#0-5                0-3  port4   25000M  Yes
NP#0-5                0-3  port5   25000M  Yes
NP#0-5                0-3  port6   25000M  Yes
NP#0-5                0-3  port7   25000M  Yes
NP#0-5                0-3  port8   25000M  Yes
NP#0-5                0-3  port9   25000M  Yes
NP#0-5                0-3  port10  25000M  Yes
NP#0-5                0-3  port11  25000M  Yes
NP#0-5                0-3  port12  25000M  Yes
NP#0-5                0-3  port13  25000M  Yes
NP#0-5                0-3  port14  25000M  Yes
NP#0-5                0-3  port15  25000M  Yes
NP#0-5                0-3  port16  25000M  Yes
NP#0-5                0-3  port17  25000M  Yes
NP#0-5                0-3  port18  25000M  Yes
NP#0-5                0-3  port19  25000M  Yes
NP#0-5                0-3  port20  25000M  Yes
NP#0-5                0-3  port21  25000M  Yes
NP#0-5                0-3  port22  25000M  Yes
NP#0-5                0-3  port23  100000M Yes
NP#0-5                0-3  port24  100000M Yes
NP#0-5                0-3  port25  100000M Yes
NP#0-5                0-3  port26  100000M Yes
--------------------  ---- ------  ------- ----------

Interface groups and changing data interface speeds

FortiGate-3400E and 3401E front panel interfaces HA1, HA2, and 1 to 22 are divided into the following groups:

  • ha1 - ha2 - port1 - port2
  • port3 - port6
  • port7 - port10
  • port11 - port14
  • port15 - port18
  • port19 - port22

All of the interfaces in a group operate at the same speed. Changing the speed of an interface changes the speeds of all of the interfaces in the same group. For example, if you change the speed of port12 from 25Gbps to 10Gbps the speeds of port11 to port14 are also changed to 10Gbps.

Another example, port15 to port22 are operating at 25Gbps. If you want to install 10GigE transceivers in port15 to port22 to convert all of these data interfaces to connect to 10Gbps networks, you can enter the following from the CLI:

config system interface

edit port15

set speed 10000full

next

edit port19

set speed 10000full

end

Every time you change a data interface speed, when you enter the end command, the CLI confirms the range of interfaces affected by the change. For example, if you change the speed of port19 the following message appears:

config system interface

edit port19

set speed 10000full

end

port19-port22 speed will be changed to 10000full due to hardware limit.

Do you want to continue? (y/n)

FortiGate 3400E and 3401E fast path architecture

FortiGate 3400E and 3401E fast path architecture

The FortiGate 3400E and 3401E each include six NP6 processors (NP6_0 to NP6_5). All front panel data interfaces and all of the NP6 processors connect to the integrated switch fabric (ISF). All data traffic passes from the data interfaces through the ISF to the NP6 processors. Because of the ISF, all supported traffic passing between any two data interfaces can be offloaded by the NP6 processors. No special mapping is required for fast path offloading or aggregate interfaces. Data traffic processed by the CPU takes a dedicated data path through the ISF and an NP6 processor to the CPU.

The FortiGate 3400E and 3401E models feature the following front panel interfaces:

  • Two 10/100/1000BASE-T Copper (MGMT1 and MGMT2).
  • Two 10/25 GigE SFP+/SFP28 (HA1 and HA2, not connected to the NP6 processors).
  • Twenty-two 10/25 GigE SFP+/SFP28 (1 to 22), interface groups: HA1 - HA2 - 1 - 2, 3 - 6, 7 - 10, 11 - 14, 15 - 18, and 19 - 22.
  • Four 100 GigE QSFP28 (23 to 26).
Note

The FortiGate-3400 and 3401 do not support auto-negotiation when setting interface speeds. Always set a specific interface speed. For example:

config system interface

edit port23

set speed {40000full | 100Gfull}

end

The MGMT interfaces are not connected to the NP6 processors. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Improving GUI and CLI responsiveness (dedicated management CPU)).

The HA interfaces are also not connected to the NP6 processors. To help provide better HA stability and resiliency, the HA traffic uses a dedicated physical control path that provides HA control traffic separation from data traffic processing.

The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.

You can use the following get command to display the FortiGate 3400E or 3401E NP6 configuration. You can also use the diagnose npu np6 port-list command to display this information.

get hardware npu np6 port-list
Chip                  XAUI Ports   Max     Cross-chip
                                   Speed   offloading
--------------------  ---- ------  ------- ----------
NP#0-5                0-3  port1   25000M  Yes
NP#0-5                0-3  port2   25000M  Yes
NP#0-5                0-3  port3   25000M  Yes
NP#0-5                0-3  port4   25000M  Yes
NP#0-5                0-3  port5   25000M  Yes
NP#0-5                0-3  port6   25000M  Yes
NP#0-5                0-3  port7   25000M  Yes
NP#0-5                0-3  port8   25000M  Yes
NP#0-5                0-3  port9   25000M  Yes
NP#0-5                0-3  port10  25000M  Yes
NP#0-5                0-3  port11  25000M  Yes
NP#0-5                0-3  port12  25000M  Yes
NP#0-5                0-3  port13  25000M  Yes
NP#0-5                0-3  port14  25000M  Yes
NP#0-5                0-3  port15  25000M  Yes
NP#0-5                0-3  port16  25000M  Yes
NP#0-5                0-3  port17  25000M  Yes
NP#0-5                0-3  port18  25000M  Yes
NP#0-5                0-3  port19  25000M  Yes
NP#0-5                0-3  port20  25000M  Yes
NP#0-5                0-3  port21  25000M  Yes
NP#0-5                0-3  port22  25000M  Yes
NP#0-5                0-3  port23  100000M Yes
NP#0-5                0-3  port24  100000M Yes
NP#0-5                0-3  port25  100000M Yes
NP#0-5                0-3  port26  100000M Yes
--------------------  ---- ------  ------- ----------

Interface groups and changing data interface speeds

FortiGate-3400E and 3401E front panel interfaces HA1, HA2, and 1 to 22 are divided into the following groups:

  • ha1 - ha2 - port1 - port2
  • port3 - port6
  • port7 - port10
  • port11 - port14
  • port15 - port18
  • port19 - port22

All of the interfaces in a group operate at the same speed. Changing the speed of an interface changes the speeds of all of the interfaces in the same group. For example, if you change the speed of port12 from 25Gbps to 10Gbps the speeds of port11 to port14 are also changed to 10Gbps.

Another example, port15 to port22 are operating at 25Gbps. If you want to install 10GigE transceivers in port15 to port22 to convert all of these data interfaces to connect to 10Gbps networks, you can enter the following from the CLI:

config system interface

edit port15

set speed 10000full

next

edit port19

set speed 10000full

end

Every time you change a data interface speed, when you enter the end command, the CLI confirms the range of interfaces affected by the change. For example, if you change the speed of port19 the following message appears:

config system interface

edit port19

set speed 10000full

end

port19-port22 speed will be changed to 10000full due to hardware limit.

Do you want to continue? (y/n)