Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Hardware Acceleration

    Home FortiGate / FortiOS 7.4.3 Hardware Acceleration
    7.4.3
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.6
    6.4.5
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.9
    6.2.7
    6.0.18
    6.0.17
    6.0.16
    6.0.15
    6.0.14
    5.6.0

    Optimizing NP6 performance by distributing traffic to XAUI links

    Optimizing NP6 performance by distributing traffic to XAUI links

    On FortiGate units with NP6 processors, the FortiGate interfaces are switch ports that connect to the NP6 processors with XAUI links. Each NP6 processor has a 40-Gigabit bandwidth capacity. Traffic passes from the interfaces to each NP6 processor over four XAUI links. The four XAUI links each have a 10-Gigabit capacity for a total of 40 Gigabits.

    On many FortiGate units with NP6 processors, the NP6 processors and the XAUI links are over-subscribed. Since the NP6 processors are connected by an Integrated Switch Fabric, you do not have control over how traffic is distributed to them. In fact traffic is distributed evenly by the ISF.

    However, you can control how traffic is distributed to the XAUI links and you can optimize performance by distributing traffic evenly among the XAUI links. For example, if you have a very high amount of traffic passing between two networks, you can connect each network to interfaces connected to different XAUI links to distribute the traffic for each network to a different XAUI link.

    Example: FortiGate 3200D

    On the FortiGate 3200D (See FortiGate 3200D fast path architecture), there are 48 10-Gigabit interfaces that send and receive traffic for two NP6 processors over a total of eight 10-Gigabit XAUI links. Each XAUI link gets traffic from six 10-Gigabit FortiGate interfaces. The amount of traffic that the FortiGate 3200D can offload is limited by the number of NP6 processors and the number of XAUI links. You can optimize the amount of traffic that the FortiGate 3200D can process by distributing it evenly amount the XAUI links and the NP6 processors.

    You can see the Ethernet interface, XAUI link, and NP6 configuration by entering the get hardware npu np6 port-list command. For the FortiGate 3200D the output is:

    get hardware npu np6 port-list 
Chip   XAUI Ports   Max   Cross-chip 
                    Speed offloading 
------ ---- ------- ----- ---------- 
np6_0  0    port1   10G   Yes        
       0    port5   10G   Yes        
       0    port10  10G   Yes        
       0    port13  10G   Yes        
       0    port17  10G   Yes        
       0    port22  10G   Yes        
       1    port2   10G   Yes        
       1    port6   10G   Yes        
       1    port9   10G   Yes        
       1    port14  10G   Yes        
       1    port18  10G   Yes        
       1    port21  10G   Yes        
       2    port3   10G   Yes        
       2    port7   10G   Yes        
       2    port12  10G   Yes        
       2    port15  10G   Yes        
       2    port19  10G   Yes        
       2    port24  10G   Yes        
       3    port4   10G   Yes        
       3    port8   10G   Yes        
       3    port11  10G   Yes        
       3    port16  10G   Yes        
       3    port20  10G   Yes        
       3    port23  10G   Yes        
------ ---- ------- ----- ---------- 
np6_1  0    port26  10G   Yes        
       0    port29  10G   Yes        
       0    port33  10G   Yes        
       0    port37  10G   Yes        
       0    port41  10G   Yes        
       0    port45  10G   Yes        
       1    port25  10G   Yes        
       1    port30  10G   Yes        
       1    port34  10G   Yes        
       1    port38  10G   Yes        
       1    port42  10G   Yes        
       1    port46  10G   Yes        
       2    port28  10G   Yes        
       2    port31  10G   Yes        
       2    port35  10G   Yes        
       2    port39  10G   Yes        
       2    port43  10G   Yes        
       2    port47  10G   Yes        
       3    port27  10G   Yes        
       3    port32  10G   Yes        
       3    port36  10G   Yes        
       3    port40  10G   Yes        
       3    port44  10G   Yes        
       3    port48  10G   Yes        
------ ---- ------- ----- ----------

    In this command output you can see that each NP6 has for four XAUI links (0 to 3) and that each XAUI link is connected to six 10-gigabit Ethernet interfaces. To optimize throughput you should keep the amount of traffic being processed by each XAUI port to under 10 Gbps. So for example, if you want to offload traffic from four 10-gigabit networks you can connect these networks to Ethernet interfaces 1, 2, 3 and 4. This distributes the traffic from each 10-Gigabit network to a different XAUI link. Also, if you wanted to offload traffic from four more 10-Gigabit networks you could connect them to Ethernet ports 26, 25, 28, and 27. As a result each 10-Gigabit network would be connected to a different XAUI link.

    Example FortiGate 3300E

    On the FortiGate 3300E (See FortiGate 3300E and 3301E fast path architecture), there are 34 data interfaces of various speeds that send and receive traffic for four NP6 processors over a total of sixteen 10-Gigabit XAUI links. The amount of traffic that the FortiGate 3300E can offload is limited by the number of NP6 processors and the number of XAUI links. You can optimize the amount of traffic that the FortiGate 3300E can process by distributing it evenly amount the XAUI links and the NP6 processors.

    You can see the FortiGate 3300E Ethernet interface, XAUI link, and NP6 configuration by entering the get hardware npu np6 port-list command. For the FortiGate 3300E the output is:

    get hardware npu np6 port-list
Chip   XAUI Ports            Max   Cross-chip 
                             Speed offloading 
------ ---- -------          ----- ---------- 
np6_0  0    port1            1G    Yes        
       0    port14           10G   Yes        
       1    port2            1G    Yes        
       1    port15           10G   Yes        
       2    port3            1G    Yes        
       2    port16           10G   Yes        
       3    port13           10G   Yes        
       0-3  port17           25G   Yes        
       0-3  port31           40G   Yes        
------ ---- -------          ----- ---------- 
np6_1  0    port4            1G    Yes        
       1    port5            1G    Yes        
       2    port6            1G    Yes        
       3    
       0-3  port18           25G   Yes        
       0-3  port19           25G   Yes        
       0-3  port20           25G   Yes        
       0-3  port24           25G   Yes        
       0-3  port23           25G   Yes        
       0-3  port32           40G   Yes        
------ ---- -------          ----- ---------- 
np6_2  0    port7            1G    Yes        
       1    port8            1G    Yes        
       2    port9            1G    Yes        
       3    
       0-3  port22           25G   Yes        
       0-3  port21           25G   Yes        
       0-3  port26           25G   Yes        
       0-3  port25           25G   Yes        
       0-3  port28           25G   Yes        
       0-3  port33           40G   Yes        
------ ---- -------          ----- ---------- 
np6_3  0    port10           1G    Yes        
       1    port11           1G    Yes        
       2    port12           1G    Yes        
       2    port29           10G   Yes        
       3    port30           10G   Yes        
       0-3  port27           25G   Yes        
       0-3  port34           40G   Yes        
------ ---- -------          ----- ----------

    In this command output you can see that each NP6 has four XAUI links (0 to 3) and the mapping between XAUI ports and interfaces is different for each NP6 processor.

    NP6_0 has the following XAUI mapping:

    • port1 (1G) and port14 (10G) are connected to XAUI link 0.
    • port2 (1G) and port15 (10G) are connected to XAUI link 1.
    • port3 (1G) and port16 (10G) are connected to XAUI link 2.
    • port13 (10G) is connected to XAUI link 3.
    • port17 (25G) and port31 (40G) are connect to all four of the XAUI links (0-3).

    The interfaces connected to NP6_0 have a total capacity of 108G, but NP6_0 has total capacity of 40G. For optimal performance, no more than 40G of this capacity should be used or performance will be affected. For example, if you connect port31 to a busy 40G network you should avoid using any of the other ports connected to NP6_0. If you connect port17 to a 25G network, you can also connect one or two 10G interfaces (for example, port14 and 15). You can connect port13, port14, port15, and port16 to four 10G networks if you avoid using any of the other interfaces connected to NP6_0.

    Previous
    Next

    Optimizing NP6 performance by distributing traffic to XAUI links

    Optimizing NP6 performance by distributing traffic to XAUI links

    On FortiGate units with NP6 processors, the FortiGate interfaces are switch ports that connect to the NP6 processors with XAUI links. Each NP6 processor has a 40-Gigabit bandwidth capacity. Traffic passes from the interfaces to each NP6 processor over four XAUI links. The four XAUI links each have a 10-Gigabit capacity for a total of 40 Gigabits.

    On many FortiGate units with NP6 processors, the NP6 processors and the XAUI links are over-subscribed. Since the NP6 processors are connected by an Integrated Switch Fabric, you do not have control over how traffic is distributed to them. In fact traffic is distributed evenly by the ISF.

    However, you can control how traffic is distributed to the XAUI links and you can optimize performance by distributing traffic evenly among the XAUI links. For example, if you have a very high amount of traffic passing between two networks, you can connect each network to interfaces connected to different XAUI links to distribute the traffic for each network to a different XAUI link.

    Example: FortiGate 3200D

    On the FortiGate 3200D (See FortiGate 3200D fast path architecture), there are 48 10-Gigabit interfaces that send and receive traffic for two NP6 processors over a total of eight 10-Gigabit XAUI links. Each XAUI link gets traffic from six 10-Gigabit FortiGate interfaces. The amount of traffic that the FortiGate 3200D can offload is limited by the number of NP6 processors and the number of XAUI links. You can optimize the amount of traffic that the FortiGate 3200D can process by distributing it evenly amount the XAUI links and the NP6 processors.

    You can see the Ethernet interface, XAUI link, and NP6 configuration by entering the get hardware npu np6 port-list command. For the FortiGate 3200D the output is:

    get hardware npu np6 port-list 
Chip   XAUI Ports   Max   Cross-chip 
                    Speed offloading 
------ ---- ------- ----- ---------- 
np6_0  0    port1   10G   Yes        
       0    port5   10G   Yes        
       0    port10  10G   Yes        
       0    port13  10G   Yes        
       0    port17  10G   Yes        
       0    port22  10G   Yes        
       1    port2   10G   Yes        
       1    port6   10G   Yes        
       1    port9   10G   Yes        
       1    port14  10G   Yes        
       1    port18  10G   Yes        
       1    port21  10G   Yes        
       2    port3   10G   Yes        
       2    port7   10G   Yes        
       2    port12  10G   Yes        
       2    port15  10G   Yes        
       2    port19  10G   Yes        
       2    port24  10G   Yes        
       3    port4   10G   Yes        
       3    port8   10G   Yes        
       3    port11  10G   Yes        
       3    port16  10G   Yes        
       3    port20  10G   Yes        
       3    port23  10G   Yes        
------ ---- ------- ----- ---------- 
np6_1  0    port26  10G   Yes        
       0    port29  10G   Yes        
       0    port33  10G   Yes        
       0    port37  10G   Yes        
       0    port41  10G   Yes        
       0    port45  10G   Yes        
       1    port25  10G   Yes        
       1    port30  10G   Yes        
       1    port34  10G   Yes        
       1    port38  10G   Yes        
       1    port42  10G   Yes        
       1    port46  10G   Yes        
       2    port28  10G   Yes        
       2    port31  10G   Yes        
       2    port35  10G   Yes        
       2    port39  10G   Yes        
       2    port43  10G   Yes        
       2    port47  10G   Yes        
       3    port27  10G   Yes        
       3    port32  10G   Yes        
       3    port36  10G   Yes        
       3    port40  10G   Yes        
       3    port44  10G   Yes        
       3    port48  10G   Yes        
------ ---- ------- ----- ----------

    In this command output you can see that each NP6 has for four XAUI links (0 to 3) and that each XAUI link is connected to six 10-gigabit Ethernet interfaces. To optimize throughput you should keep the amount of traffic being processed by each XAUI port to under 10 Gbps. So for example, if you want to offload traffic from four 10-gigabit networks you can connect these networks to Ethernet interfaces 1, 2, 3 and 4. This distributes the traffic from each 10-Gigabit network to a different XAUI link. Also, if you wanted to offload traffic from four more 10-Gigabit networks you could connect them to Ethernet ports 26, 25, 28, and 27. As a result each 10-Gigabit network would be connected to a different XAUI link.

    Example FortiGate 3300E

    On the FortiGate 3300E (See FortiGate 3300E and 3301E fast path architecture), there are 34 data interfaces of various speeds that send and receive traffic for four NP6 processors over a total of sixteen 10-Gigabit XAUI links. The amount of traffic that the FortiGate 3300E can offload is limited by the number of NP6 processors and the number of XAUI links. You can optimize the amount of traffic that the FortiGate 3300E can process by distributing it evenly amount the XAUI links and the NP6 processors.

    You can see the FortiGate 3300E Ethernet interface, XAUI link, and NP6 configuration by entering the get hardware npu np6 port-list command. For the FortiGate 3300E the output is:

    get hardware npu np6 port-list
Chip   XAUI Ports            Max   Cross-chip 
                             Speed offloading 
------ ---- -------          ----- ---------- 
np6_0  0    port1            1G    Yes        
       0    port14           10G   Yes        
       1    port2            1G    Yes        
       1    port15           10G   Yes        
       2    port3            1G    Yes        
       2    port16           10G   Yes        
       3    port13           10G   Yes        
       0-3  port17           25G   Yes        
       0-3  port31           40G   Yes        
------ ---- -------          ----- ---------- 
np6_1  0    port4            1G    Yes        
       1    port5            1G    Yes        
       2    port6            1G    Yes        
       3    
       0-3  port18           25G   Yes        
       0-3  port19           25G   Yes        
       0-3  port20           25G   Yes        
       0-3  port24           25G   Yes        
       0-3  port23           25G   Yes        
       0-3  port32           40G   Yes        
------ ---- -------          ----- ---------- 
np6_2  0    port7            1G    Yes        
       1    port8            1G    Yes        
       2    port9            1G    Yes        
       3    
       0-3  port22           25G   Yes        
       0-3  port21           25G   Yes        
       0-3  port26           25G   Yes        
       0-3  port25           25G   Yes        
       0-3  port28           25G   Yes        
       0-3  port33           40G   Yes        
------ ---- -------          ----- ---------- 
np6_3  0    port10           1G    Yes        
       1    port11           1G    Yes        
       2    port12           1G    Yes        
       2    port29           10G   Yes        
       3    port30           10G   Yes        
       0-3  port27           25G   Yes        
       0-3  port34           40G   Yes        
------ ---- -------          ----- ----------

    In this command output you can see that each NP6 has four XAUI links (0 to 3) and the mapping between XAUI ports and interfaces is different for each NP6 processor.

    NP6_0 has the following XAUI mapping:

    • port1 (1G) and port14 (10G) are connected to XAUI link 0.
    • port2 (1G) and port15 (10G) are connected to XAUI link 1.
    • port3 (1G) and port16 (10G) are connected to XAUI link 2.
    • port13 (10G) is connected to XAUI link 3.
    • port17 (25G) and port31 (40G) are connect to all four of the XAUI links (0-3).

    The interfaces connected to NP6_0 have a total capacity of 108G, but NP6_0 has total capacity of 40G. For optimal performance, no more than 40G of this capacity should be used or performance will be affected. For example, if you connect port31 to a busy 40G network you should avoid using any of the other ports connected to NP6_0. If you connect port17 to a 25G network, you can also connect one or two 10G interfaces (for example, port14 and 15). You can connect port13, port14, port15, and port16 to four 10G networks if you avoid using any of the other interfaces connected to NP6_0.

    Previous
    Next