Hyperscale Firewall Guide

Optimizing hardware logging performance using AUX interfaces

The FortiGate-4200F, 4201F, 4400F, and 4401F models include AUX1 and AUX2 interfaces that can be used for hardware logging. To use these interfaces for hardware logging, you must use the following command:

    config system npu
        config port-path-option
            set ports-using-npu {aux1 aux2}
        end
    end

ports-using-npu: select one or more interfaces to use for hardware logging.

Note

Changing the port-path-option configuration restarts the FortiGate, temporarily interrupting traffic. If you have two FortiGates in an FGCP HA cluster, you should remove the backup FortiGate from the cluster, change the port-path-option configuration on both FortiGates, and then after they restart, add the backup FortiGate back to the cluster.

For example, select AUX1 or AUX2 for hardware logging. When you add AUX1 or AUX2 to this list, hardware logging packets can be sent directly from NP7 processors over the ISF to that interface, bypassing the CPU. If you don't add interfaces to this list, the CPU is not bypassed, resulting in lower hardware logging performance. Using AUX1 or AUX2 for hardware logging may also improve hardware logging performance by separating logging traffic from data traffic.

Note

You can also use this command to improve HA heartbeat and session sync performance. See Optimizing HA hardware session synchronization performance.

You can use multiple interfaces for hardware logging. Each interface must have an IP address and be able to communicate with your logging servers. The interfaces that you use for hardware logging should not be used for any other traffic.

For example, create the following configuration to use the AUX1 and AUX2 interfaces for hardware logging.

    config system npu
        config port-path-option
            set ports-using-npu aux1 aux2
        end
    end
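
The requirements above (each hardware logging interface has an IP address and is not used for any other traffic) can be checked offline against a configuration backup. The following is an added example, not Fortinet code: the function name audit_logging_ports and the sample backup are constructed for illustration, and "other traffic" is approximated as an assumption by looking only for srcintf/dstintf references under config firewall policy.

```python
# Constructed FortiOS-style configuration backup excerpt (not from the page).
SAMPLE_CONFIG = """
config system npu
    config port-path-option
        set ports-using-npu aux1 aux2
    end
end
config system interface
    edit "aux1"
        set ip 192.0.2.1 255.255.255.0
    next
    edit "aux2"
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "aux2"
    next
end
"""

def audit_logging_ports(config_text):
    """Check each ports-using-npu interface has an IP and no policy references."""
    stack, entry = [], None  # open config blocks, current top-level edit entry
    npu_ports, with_ip, policy_use = [], set(), {}
    for line in config_text.splitlines():
        words = line.replace('"', "").split() or [""]
        key, args = words[0], words[1:]
        if key == "config":
            stack.append(" ".join(args))
        elif key == "end" and stack:
            stack.pop()
        elif key in ("edit", "next") and len(stack) == 1:
            entry = args[0] if key == "edit" else None
        elif key == "set" and len(args) > 1:
            path, name, values = "/".join(stack), args[0], args[1:]
            if path == "system npu/port-path-option" and name == "ports-using-npu":
                npu_ports = values
            elif path == "system interface" and name == "ip" and values[0] != "0.0.0.0":
                with_ip.add(entry)
            elif path == "firewall policy" and name in ("srcintf", "dstintf"):
                for intf in values:
                    policy_use.setdefault(intf, []).append(entry)
    findings = [f"{p}: no IP address configured" for p in npu_ports if p not in with_ip]
    findings += [f"{p}: used by firewall policy {', '.join(policy_use[p])}"
                 for p in npu_ports if p in policy_use]
    return findings

print(*audit_logging_ports(SAMPLE_CONFIG), sep="\n")
```

An empty result means every interface listed in ports-using-npu has an address and no firewall policy references it; reachability of the logging servers still has to be tested on the device.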
