Hardware Acceleration

FortiGate 1800F and 1801F fast path architecture

The FortiGate 1800F and 1801F each include one NP7 processor. All front panel data interfaces and the NP7 processor connect to the integrated switch fabric (ISF). All data traffic passes from the data interfaces through the ISF to the NP7 processor. All supported traffic passing between any two data interfaces can be offloaded by the NP7 processor. Data traffic processed by the CPU takes a dedicated data path through the ISF and the NP7 processor to the CPU.

Note

FortiOS 7.4.0 included a software update that allows the FortiGate 1800F and 1801F interfaces 37 to 40 to be configured as 40 GigE QSFP+ or 100 GigE QSFP28 interfaces. You can set the interface speed to 40000full (40G full-duplex) and install 40G QSFP+ transceivers in these interfaces and operate them as 40G interfaces. You can also set the interface speed to 100Gfull (100G full-duplex) and install 100G QSFP28 transceivers in these interfaces and operate them as 100G QSFP28 interfaces.

The FortiGate 1800F and 1801F feature the following front panel interfaces:

  • Two 1 GigE RJ45 (MGMT1 and MGMT2), not connected to the NP7 processor.
  • Two 10 GigE SFP+ (HA1 and HA2), not connected to the NP7 processor.
  • Sixteen 10/100/1000BASE-T RJ45 (1 to 16).
  • Eight 1 GigE SFP (17 to 24).
  • Twelve 25/10 GigE SFP28/SFP+ (25 to 36), interface groups: 25 - 28, 29 - 32, and 33 - 36.
  • Four 100/40 GigE QSFP28/QSFP+ (37 to 40). Each of these interfaces can be split into four 25/10/1 GigE SFP28 interfaces.

The MGMT interfaces are not connected to the NP7 processor. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Improving GUI and CLI responsiveness (dedicated management CPU)).

The HA interfaces are also not connected to the NP7 processor. To help provide better HA stability and resiliency, HA traffic uses a dedicated physical control path that provides HA control traffic separation from data traffic processing.

The separation of management and HA traffic from data traffic keeps management and HA traffic from affecting the stability and performance of data traffic processing.

You can use the following command to display the FortiGate 1800F or 1801F NP7 configuration. The command output shows a single NP7 named NP#0 is connected to all interfaces. This interface to NP7 mapping is also shown in the diagram above.

diagnose npu np7 port-list
Front Panel Port:
Name     Max_speed(Mbps) Dflt_speed(Mbps) NP_group        group_from_vdom Switch_id SW_port_id SW_port_name 
-------- --------------- ---------------  --------------- --------------- --------- ---------- ------------ 
port1    1000            1000             NP#0            0         3          ge1          
port2    1000            1000             NP#0            0         2          ge0          
port3    1000            1000             NP#0            0         5          ge3          
port4    1000            1000             NP#0            0         4          ge2          
port5    1000            1000             NP#0            0         7          ge5          
port6    1000            1000             NP#0            0         6          ge4          
port7    1000            1000             NP#0            0         9          ge7          
port8    1000            1000             NP#0            0         8          ge6          
port9    1000            1000             NP#0            0         11         ge9          
port10   1000            1000             NP#0            0         10         ge8          
port11   1000            1000             NP#0            0         13         ge11         
port12   1000            1000             NP#0            0         12         ge10         
port13   1000            1000             NP#0            0         15         ge13         
port14   1000            1000             NP#0            0         14         ge12         
port15   1000            1000             NP#0            0         17         ge15         
port16   1000            1000             NP#0            0         16         ge14         
port17   1000            1000             NP#0            0         18         ge16         
port18   1000            1000             NP#0            0         19         ge17         
port19   1000            1000             NP#0            0         20         ge18         
port20   1000            1000             NP#0            0         21         ge19         
port21   1000            1000             NP#0            0         22         ge20         
port22   1000            1000             NP#0            0         23         ge21         
port23   1000            1000             NP#0            0         24         ge22         
port24   1000            1000             NP#0            0         25         ge23         
port25   25000           10000            NP#0            1         15         xe14         
port26   25000           10000            NP#0            1         16         xe15         
port27   25000           10000            NP#0            1         13         xe12         
port28   25000           10000            NP#0            1         14         xe13         
port29   25000           10000            NP#0            1         19         xe18         
port30   25000           10000            NP#0            1         20         xe19         
port31   25000           10000            NP#0            1         17         xe16         
port32   25000           10000            NP#0            1         18         xe17         
port33   25000           10000            NP#0            1         23         xe22         
port34   25000           10000            NP#0            1         24         xe23         
port35   25000           10000            NP#0            1         21         xe20         
port36   25000           10000            NP#0            1         22         xe21         
port37   100000          100000           NP#0            1         29         xe25         
port38   100000          100000           NP#0            1         25         xe24         
port39   100000          100000           NP#0            1         33         xe26         
port40   100000          100000           NP#0            1         37         xe27         
-------- --------------- ---------------  --------------- --------------- --------- ---------- ------------ 

NP Port:
Name   Switch_id SW_port_id SW_port_name 
------ --------- ---------- ------------ 
np0_0  1         41         ce0          
np0_1  1         45         ce1          
------ --------- ---------- ------------ 
* Max_speed: Maximum speed, Dflt_speed: Default speed
* SW_port_id: Switch port ID, SW_port_name: Switch port name

The command output also shows the maximum speeds of each interface. Also, interfaces 1 to 24 are connected to one switch and interfaces 25 to 40 are connected to another switch. Both of these switches make up the internal switch fabric, which connects the interfaces to the NP7 processor, the CPU, and the four CP9 processors.

The NP7 processor has a bandwidth capacity of 200 Gigabits. You can see from the command output that if all interfaces were operating at their maximum bandwidth the NP7 processor would not be able to offload all the traffic.

The FortiGate-1800F and 1801F can be licensed for hyperscale firewall support; see the Hyperscale Firewall Guide.

Interface groups and changing data interface speed, media type, or FEC setting

FortiGate-1800F and 1801F front panel data interfaces 25 to 36 are divided into the following groups:

  • port25 - port28
  • port29 - port32
  • port33 - port36

All of the interfaces in a group operate at the same speed and must have the same media type and the same forward error correction (FEC) setting. Changing the speed, media type, or FEC setting of an interface changes all of the interfaces in the same group. For example, if you change the speed of port26 from 10Gbps to 25Gbps, the speeds of port25 to port28 are also changed to 25Gbps.

As another example, the default speed of the port25 to port36 interfaces is 10Gbps. To install 25GigE transceivers in port29 to port36 and connect all of these data interfaces to 25Gbps networks, enter the following from the CLI:

config system interface
    edit port29
        set speed 25000full
    next
    edit port33
        set speed 25000full
end

Every time you change a data interface speed, when you enter the end command, the CLI confirms the range of interfaces affected by the change. For example, if you change the speed of port29 the following message appears:

config system interface
    edit port29
        set speed 25000full
end
The speed/mediatype/FEC of port29/port30/port31/port32 will be changed from 10000full/sr/disable to 25000full/sr/cl91-rs-fec.
Do you want to continue? (y/n)

Splitting the port37 to port40 interfaces

You can use the following command to split each of the FortiGate 1800F and 1801F interfaces 37 to 40 (port37 to port40), which are 100/40 GigE QSFP28 interfaces, into four 25/10/1 GigE SFP28 interfaces. For example, to split interfaces 37 and 39 (port37 and port39), enter the following command:

config system global
    set split-port port37 port39
end

The FortiGate 1800F or 1801F restarts, and when it starts up:

  • The port37 interface has been replaced by four SFP28 interfaces named port37/1 to port37/4.
  • The port39 interface has been replaced by four SFP28 interfaces named port39/1 to port39/4.

Note

A configuration change that causes a FortiGate to restart can disrupt the operation of an FGCP cluster. If possible, you should make this configuration change to the individual FortiGates before setting up the cluster. If the cluster is already operating, you should temporarily remove the secondary FortiGate(s) from the cluster, change the configuration of the individual FortiGates and then re-form the cluster. You can remove FortiGate(s) from a cluster using the Remove Device from HA cluster button on the System > HA GUI page. For more information, see Disconnecting a FortiGate.

By default, the speed of each split interface is set to 10000full (10GigE). These interfaces can operate as 25GigE, 10GigE, or 1GigE interfaces depending on the transceivers and breakout cables. You can use the config system interface command to change the speeds of the split interfaces.

If you set the speed of one of the split interfaces to 25000full (25GigE), all of the interfaces are changed to operate at this speed (no restart required). If the split interfaces are set to 25000full and you change the speed of one of them to 10000full (10GigE) they are all changed to 10000full (no restart required). When the interfaces are operating at 10000full, you can change the speeds of individual interfaces to operate at 1000full (1GigE).
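The group behavior described in the two sections above means one set speed line can change up to four interfaces. As an added example (not Fortinet code; the function names and the second plan are constructed for illustration), this Python sketch reads a planned config system interface snippet, expands each change to the interfaces it actually touches, and flags plans that set two different speeds inside one group. It assumes that a 1000full change on a split interface applies to that interface only, as the page describes for interfaces operating at 10000full.

```python
import re

def affected(port, speed):
    """Return (group_label, interfaces changed) for one 'set speed' line."""
    m = re.fullmatch(r"port(\d+)(?:/([1-4]))?", port)
    if not m:
        return None, [port]
    n, sub = int(m.group(1)), m.group(2)
    # Interface groups from the page: port25-28, port29-32, port33-36.
    if sub is None and 25 <= n <= 36:
        start = 25 + 4 * ((n - 25) // 4)
        return (f"port{start}-port{start + 3}",
                [f"port{i}" for i in range(start, start + 4)])
    # Split interfaces: 25000full and 10000full apply to all four;
    # 1000full is set per interface (assumption stated in the lead-in).
    if sub is not None and 37 <= n <= 40 and speed != "1000full":
        return f"port{n}/1-port{n}/4", [f"port{n}/{i}" for i in range(1, 5)]
    return None, [port]

def parse_speed_changes(cli):
    """Return [(port, speed)] from 'edit <port>' / 'set speed <value>' stanzas."""
    changes, current = [], None
    for raw in cli.splitlines():
        tok = raw.split()
        if tok[:1] == ["edit"] and len(tok) == 2:
            current = tok[1]
        elif tok[:2] == ["set", "speed"] and len(tok) == 3 and current:
            changes.append((current, tok[2]))
        elif tok[:1] in (["next"], ["end"]):
            current = None
    return changes

def plan_effect(cli):
    """Return (effective speed per interface, groups given conflicting speeds)."""
    effective, group_speed, conflicts = {}, {}, []
    for port, speed in parse_speed_changes(cli):
        label, members = affected(port, speed)
        if label:
            if group_speed.get(label, speed) != speed and label not in conflicts:
                conflicts.append(label)
            group_speed[label] = speed
        for member in members:
            effective[member] = speed  # last write wins, as on the device
    return effective, conflicts

# The plan shown on this page: two edits, eight interfaces changed.
PAGE_PLAN = """config system interface
    edit port29
        set speed 25000full
    next
    edit port33
        set speed 25000full
end
"""

# Constructed plan with a conflict inside the port25-port28 group.
CONFLICT_PLAN = """config system interface
    edit port26
        set speed 25000full
    next
    edit port27
        set speed 10000full
    next
    edit port37/1
        set speed 10000full
    next
    edit port37/2
        set speed 1000full
end
"""

if __name__ == "__main__":
    for plan in (PAGE_PLAN, CONFLICT_PLAN):
        effective, conflicts = plan_effect(plan)
        print(sorted(effective.items()), "conflicts:", conflicts)
```

Running a check like this in change review shows the full set of links that will renegotiate before anyone answers y at the CLI confirmation prompt.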

Configuring NPU port mapping

You can use the following command to configure FortiGate-1800F and 1801F NPU port mapping:

config system npu
    config port-npu-map
        edit <interface-name>
            set npu-group-index <index>
    end
end

You can use the port map to assign data interfaces to NP7 links.

Each NP7 has two 100-Gigabit KR links, numbered 0 and 1. Traffic passes to the NP7 over these links. By default the two links operate as a LAG that distributes sessions to the NP7 processor. You can configure the NPU port map to assign interfaces to use one or the other of the NP7 links instead of sending sessions over the LAG.

<index> varies depending on the NP7 processors available in your FortiGate.

For the FortiGate-1800F <index> can be 0, 1, or 2:

  • 0, assign the interface to NP#0 (the default). The interface is connected to the LAG, and traffic from the interface is distributed to both links.
  • 1, assign the interface to NP#0-link0, to connect the interface to NP7 link 0. Traffic from the interface is sent to link 0.
  • 2, assign the interface to NP#0-link1, to connect the interface to NP7 link 1. Traffic from the interface is sent to link 1.

For example, use the following syntax to assign the FortiGate-1800F front panel 100Gigabit interfaces 37 and 38 to NP#0-link0 and interfaces 39 and 40 to NP#0-link1. The resulting configuration splits traffic from the 100Gigabit interfaces between the two NP7 links:

config system npu
    config port-npu-map
        edit port37
            set npu-group-index 1
        next
        edit port38
            set npu-group-index 1
        next
        edit port39
            set npu-group-index 2
        next
        edit port40
            set npu-group-index 2
    end
end

You can use the diagnose npu np7 port-list command to see the current NPU port map configuration. While the FortiGate-1800F or 1801F is processing traffic, you can use the diagnose npu np7 cgmac-stats <npu-id> command to show how traffic is distributed to the NP7 links.

For example, after making the changes described in the example, the NP_group column of the diagnose npu np7 port-list command output for port37 to port40 shows the new mapping:

diagnose npu np7 port-list
Front Panel Port:
Name     Max_speed(Mbps) Dflt_speed(Mbps) NP_group        group_from_vdom Switch_id SW_port_id SW_port_name 
-------- --------------- ---------------  --------------- --------------- --------- ---------- ------------ 
.
.
.
port37   100000          100000           NP#0-link0      1         29         xe25         
port38   100000          100000           NP#0-link0      1         25         xe24         
port39   100000          100000           NP#0-link1      1         33         xe26         
port40   100000          100000           NP#0-link1      1         37         xe27         
-------- --------------- ---------------  --------------- --------------- --------- ---------- ------------ 
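The capacity point made earlier (200 Gigabits for the NP7, two 100-Gigabit KR links) can be checked against any port map directly from this command output. As an added example (not Fortinet code; function names are hypothetical and the sample is a constructed subset of the rows shown on this page), this Python sketch parses diagnose npu np7 port-list output, sums Max_speed per NP_group, and reports which groups could be oversubscribed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Per the page: two 100-Gigabit KR links, operating as a LAG by default.
LINK_MBPS = 100_000
CAPACITY_MBPS = {"NP#0": 2 * LINK_MBPS,
                 "NP#0-link0": LINK_MBPS,
                 "NP#0-link1": LINK_MBPS}

@dataclass
class Port:
    name: str
    max_mbps: int
    dflt_mbps: int
    np_group: str
    group_from_vdom: Optional[str]
    switch_id: int
    sw_port_id: int
    sw_port_name: str

def parse_port_list(text):
    """Parse the 'Front Panel Port' rows; stop at the 'NP Port' table."""
    ports = []
    for line in text.splitlines():
        if line.startswith("NP Port:"):
            break
        tok = line.split()
        # Data rows have 7 or 8 fields: group_from_vdom is empty in the
        # output shown on the page, so the last three fields are read
        # from the right-hand side.
        if len(tok) not in (7, 8) or not tok[0].startswith("port") \
                or not tok[1].isdigit():
            continue
        ports.append(Port(tok[0], int(tok[1]), int(tok[2]), tok[3],
                          tok[4] if len(tok) == 8 else None,
                          int(tok[-3]), int(tok[-2]), tok[-1]))
    return ports

def demand_by_group(ports):
    """Sum of Max_speed (Mbps) per NP_group."""
    demand = defaultdict(int)
    for p in ports:
        demand[p.np_group] += p.max_mbps
    return dict(demand)

def overcommitted(ports):
    """NP groups whose summed Max_speed exceeds the capacity of that group."""
    return sorted(g for g, mbps in demand_by_group(ports).items()
                  if g in CAPACITY_MBPS and mbps > CAPACITY_MBPS[g])

def total_ratio(ports):
    """Summed Max_speed of all parsed ports relative to the 200G NP7."""
    return sum(p.max_mbps for p in ports) / CAPACITY_MBPS["NP#0"]

# Constructed sample: a subset of the rows shown on this page, after the
# port37 to port40 mapping change.
SAMPLE = """\
Front Panel Port:
Name     Max_speed(Mbps) Dflt_speed(Mbps) NP_group        group_from_vdom Switch_id SW_port_id SW_port_name
-------- --------------- ---------------  --------------- --------------- --------- ---------- ------------
port1    1000            1000             NP#0            0         3          ge1
port25   25000           10000            NP#0            1         15         xe14
port37   100000          100000           NP#0-link0      1         29         xe25
port38   100000          100000           NP#0-link0      1         25         xe24
port39   100000          100000           NP#0-link1      1         33         xe26
port40   100000          100000           NP#0-link1      1         37         xe27
-------- --------------- ---------------  --------------- --------------- --------- ---------- ------------

NP Port:
Name   Switch_id SW_port_id SW_port_name
------ --------- ---------- ------------
np0_0  1         41         ce0
np0_1  1         45         ce1
"""

if __name__ == "__main__":
    parsed = parse_port_list(SAMPLE)
    print(demand_by_group(parsed), overcommitted(parsed), total_ratio(parsed))
```

Max_speed is a ceiling, not measured load; use diagnose npu np7 cgmac-stats <npu-id> to see how traffic is actually distributed to the links.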