FortiGate 3500G and 3501G fast path architecture
The FortiGate 3500G and 3501G each include three NP7 processors and eight CP10 processors. All front panel data interfaces, front panel HA interfaces and the NP7 processors connect to the integrated switch fabric (ISF). All data traffic passes from the data interfaces through the ISF to the NP7 processors. Because of the ISF, all supported traffic passing between any two data interfaces can be offloaded by the NP7 processors. Data traffic processed by the CPU takes a dedicated data path through the ISF and an NP7 processor to the CPU.
The FortiGate 3500G and 3501G models feature the following front panel interfaces:
- Two 10G/5G/2.5G/1G/100M BASE-T RJ45 (MGMT1 and MGMT2, not connected to the NP7 processors).
- Thirty 25/10 GigE SFP28 (HA1, HA2, WAN1, WAN2, 1 to 26).
- Four 100/40 GigE QSFP28 (27 to 30). Each of these interfaces can be split into four 25/10/1 GigE SFP28 interfaces.
- Two 400/200/100/40 GigE QSFP-DD (31 and 32). Each of these interfaces can be split into eight 50GigE interfaces, four 100 GigE interfaces, or two 200 GigE interfaces.
The MGMT interfaces are not connected to the NP7 processors. Management traffic passes to the CPU over a dedicated management path that is separate from the data path. You can also dedicate separate CPU resources for management traffic to further isolate management processing from data processing (see Improving GUI and CLI responsiveness (dedicated management CPU)).
The HA interfaces are connected to the ISF and NP7 processors.
The separation of management traffic from data traffic keeps management traffic from affecting the stability and performance of data traffic processing.
You can use the following command to display the FortiGate 3500G and 3501G NP7 configuration. The command output shows that the NP7s are connected to the HA interfaces (HA1_np and HA2_np) and to all data interfaces.
diag npu np7 port-list Front Panel Port: Name Max_speed(Mbps) Dflt_speed(Mbps) Sw_Trunk_Id Sw_Tcam_Id Group_from_vdom Switch_id SW_port_id SW_port_name -------- --------------- --------------- --------------- ---------- --------------- --------- ---------- ------------ HA1_np 10000 10000 8 1 1 0 13 n/a HA2_np 10000 10000 8 2 1 0 14 n/a wan1 25000 25000 8 3 1 0 15 n/a wan2 25000 25000 8 4 1 0 16 n/a port1 25000 25000 8 5 1 0 17 n/a port2 25000 25000 8 6 1 0 18 n/a port3 25000 25000 8 7 1 0 20 n/a port4 25000 25000 8 8 1 0 21 n/a port5 25000 25000 8 9 1 0 22 n/a port6 25000 25000 8 10 1 0 23 n/a port7 25000 25000 8 11 1 0 24 n/a port8 25000 25000 8 12 1 0 25 n/a port9 25000 25000 8 13 1 0 26 n/a port10 25000 25000 8 14 1 0 27 n/a port11 25000 25000 8 15 1 0 28 n/a port12 25000 25000 8 16 1 0 29 n/a port13 25000 25000 8 17 1 0 30 n/a port14 25000 25000 8 18 1 0 31 n/a port15 25000 25000 8 19 1 0 32 n/a port16 25000 25000 8 20 1 0 33 n/a port17 25000 25000 8 21 1 0 34 n/a port18 25000 25000 8 22 1 0 35 n/a port19 25000 25000 8 23 1 0 40 n/a port20 25000 25000 8 24 1 0 41 n/a port21 25000 25000 8 25 1 0 42 n/a port22 25000 25000 8 26 1 0 43 n/a port23 25000 25000 8 27 1 0 44 n/a port24 25000 25000 8 28 1 0 45 n/a port25 25000 25000 8 29 1 0 46 n/a port26 25000 25000 8 30 1 0 47 n/a port27 100000 100000 8 31 1 0 48 n/a port28 100000 100000 8 32 1 0 62 n/a port29 100000 100000 8 33 1 0 52 n/a port30 100000 100000 8 34 1 0 66 n/a port31 400000 400000 8 35 1 0 1 n/a port32 400000 400000 8 36 1 0 70 n/a -------- --------------- --------------- --------------- ---------- --------------- --------- ---------- ------------ Name sw_id hash nr_link valid default sw_tid -------- --------------------------------------- -------- --------------------------------------- NP Port: Name Switch_id SW_port_id SW_port_name ------ --------- ---------- ------------ np0_0 0 7 n/a np0_1 0 8 n/a np1_0 0 9 n/a np1_1 0 10 n/a np2_0 0 60 n/a np2_1 0 61 n/a ------ --------- ---------- ------------ * Max_speed: Maximum speed, Dflt_speed: Default speed * SW_port_id: Switch port ID, SW_port_name: Switch port name
The command output also shows the maximum and default speeds of each interface.
The integrated switch fabric distributes sessions from the data interfaces to the NP7 processors. The three NP7 processors have a bandwidth capacity of 200Gigabit x 3 = 600 Gigabit. If all interfaces were operating at their maximum bandwidth, the NP7 processors would not be able to offload all the traffic. You can use NPU port mapping to control how sessions are distributed to NP7 processors.
You can add LAGs to improve performance. For details, see Increasing NP7 offloading capacity using link aggregation groups (LAGs).
The FortiGate-3500G and 3501G can be licensed for hyperscale firewall support, see the Hyperscale Firewall Guide.
Splitting the port27 to port30 interfaces
You can use the following command to split each FortiGate 3500G and 3501G 27 to 30 (port27 to port30) 100/40 GigE QSFP28 interface into four 25/10/1 GigE SFP28 interfaces. For example, to split interfaces 28 and 29 (port29 and port29), enter the following command:
config system global
set split-port port28 port29
end
The FortiGate 3500G and 3501G restarts and when it starts up:
-
The port28 interface has been replaced by four SFP28 interfaces named port28/1 to port28/4.
-
The port29 interface has been replaced by four SFP28 interfaces named port29/1 to port29/4.
|
A configuration change that causes a FortiGate to restart can disrupt the operation of an FGCP cluster. If possible, you should make this configuration change to the individual FortiGates before setting up the cluster. If the cluster is already operating, you should temporarily remove the secondary FortiGate(s) from the cluster, change the configuration of the individual FortiGates and then re-form the cluster. You can remove FortiGate(s) from a cluster using the Remove Device from HA cluster button on the System > HA GUI page. For more information, see Disconnecting a FortiGate. |
By default, the speed of each split interface is set to 10000full (10GigE). These interfaces can operate as 25GigE, 10GigE, or 1GigE interfaces depending on the transceivers and breakout cables. You can use the config system interface command to change the speeds of the split interfaces.
If you set the speed of one of the split interfaces to 25000full (25GigE), all of the interfaces are changed to operate at this speed (no restart required). If the split interfaces are set to 25000full and you change the speed of one of them to 10000full (10GigE) they are all changed to 10000full (no restart required). When the interfaces are operating at 10000full, you can change the speeds of individual interfaces to operate at 1000full (1GigE).
Splitting the port31 and port32 interfaces
You can use the following command to split each FortiGate 3500G or 3501G 31 and 32 (port31 to port32) 400/200/100/40 GigE QSFP-DD interface.
config system global
config split-port-mode
edit port31
set split-mode {disable | 8x50G | 4x100G | 2x200G}
end
disable restore a split interface to the default (not split) configuration.
8x50G split the interface into eight 50GigE interfaces.
4x100G split the interface into four 100GigE interfaces.
2x200G split the interface into two 200 GigE interfaces.
After splitting one or both of the interfaces, the FortiGate 3500G or 3501G restarts and when it starts up the split interfaces are available.
|
|
A configuration change that causes a FortiGate to restart can disrupt the operation of an FGCP cluster. If possible, you should make this configuration change to the individual FortiGates before setting up the cluster. If the cluster is already operating, you should temporarily remove the secondary FortiGate(s) from the cluster, change the configuration of the individual FortiGates and then re-form the cluster. You can remove FortiGate(s) from a cluster using the Remove Device from HA cluster button on the System > HA GUI page. For more information, see Disconnecting a FortiGate. |
For example, use the following command to split the port32 interface into eight 50GigE interfaces:
config system global
config split-port-mode
edit port32
set split-mode 8x50G
end
The FortiGate 3500G or 3501G restarts and when it starts up the port32 interface has been replaced by eight 50 GigE interfaces named port32/1 to port32/8.
By default, the speed of each split interface is set to 50000full (50GigE). These interfaces can operate as 25GigE, 10GigE, or 1GigE interfaces depending on the transceivers and breakout cables. You can use the config system interface command to change the speeds of the split interfaces.
Configuring FortiGate 3500G and 3501G NPU port mapping
The default FortiGate-3500G and 3501G port mapping configuration results in sessions passing from front panel data interfaces to the integrated switch fabric. The integrated switch fabric distributes these sessions among the NP7 processors. Each NP7 processor is connected to the switch fabric with a LAG that consists of two 100-Gigabitinterfaces. The integrated switch fabric distributes sessions to the LAGs and each LAG distributes sessions between the two interfaces connected to the NP7 processor.
You can use NPU port mapping to override how data network interface sessions are distributed to NP7 processors. For example, you can set up NPU port mapping to send all traffic from a front panel data interface or LAG to a specific NP7 processor or group of NP7 processors, or a single NP7 link.
|
|
On the FortiGate 3500G and 3501G you can configure ISF load balancing to change the algorithm that the ISF uses to distribute data interface sessions to NP7 processors. ISF load balancing is configured for an interface, and distributes sessions from that interface to all NP7 processor LAGs. If you have configured NPU port mapping, ISF load balancing distributes sessions from the interface to the NP7 processors and links in the NPU port mapping configuration for that interface. See Configuring ISF load balancing. |
Use the following command to configure FortiGate-3500G and 3501G NPU port mapping:
config system npu-post
config port-npu-map
edit <interface-name>
set npu-group {All-NP | NP0 | NP1 | NP2 | NP0-to-NP1 | NP1-to-NP2 | NP0-to-NP2 | NP0-link0 | NP0-link1 | NP1-link0 | NP1-link1 | NP2-link0 | NP2-link1} ...
end
end
end
<interface-name> can be a physical interface or a LAG.
All-NP, (the default) distribute sessions among all three NP7 LAGs.
NP0, distribute sessions to the LAG connected to NP0.
NP1, distribute sessions to the LAG connected to NP1.
NP2, distribute sessions to the LAG connected to NP2.
NP0-to-NP1, distribute sessions between the LAG connected to NP0 and the LAG connected to NP1.
NP1-to-NP2, distribute sessions between the LAG connected to NP1 and the LAG connected to NP1.
NP0-to-NP2, distribute sessions among the LAG connected to NP0, the LAG connected to NP1, and the LAG connected to NP2.
NP0-link0, send sessions to NP0 link 0.
NP0-link1, send sessions to NP0 link 1.
NP1-link0, send sessions to NP1 link 0.
NP1-link1, send sessions to NP1 link 1.
NP2-link0, send sessions to NP2 link 0.
NP2-link1, send sessions to NP2 link 1.
NP0-link0, send sessions to NP0 link 0.
NP0-link1, send sessions to NP0 link 1.
NP1-link0, send sessions to NP1 link 0.
NP1-link1, send sessions to NP1 link 1.
NP2-link0, send sessions to NP1 link 0.
NP2-link1, send sessions to NP1 link 1.
You can add multiple group names to map traffic to multiple groups of NP7 processors and NP7 processor links. For example, use the following command to distribute sessions from port23 to NP0-link1 and NP1-link1:
config system npu-post
config port-npu-map
edit port23
set npu-group NP0-link1 NP1-link1
end
end
end
Group names can't overlap, for example you can't map an interface to both NP0 and NP0-link1.
For example, use the following syntax to assign the FortiGate-3500G port21 and port22 interfaces to NP0 and port23 and port24 to NP1:
config system npu-post
config port-npu-map
edit port21
set npu-group NP0
next
edit port22
set npu-group NP0
next
edit port23
set npu-group NP1
next
edit port24
set npu-group NP1
end
end
While the FortiGate-3500G or 3501G is processing traffic, you can use the diagnose npu np7 cgmac-stats <npu-id> command to show how traffic is distributed to the NP7 links.
You can use the diagnose npu np7 port-list command to see the current NPU port map configuration. For example, after making the changes described in the example, the output of the diagnose npu np7 port-list command shows different Sw_Trunk_Ids for port21 to port24 and these interfaces are listed in a port mapping summary at the bottom of the command output.