Viewing your FortiGate’s NP4 configuration

To list the NP4 network processors on your FortiGate unit, use the following CLI command.

get hardware npu np4 list

The output lists the interfaces that have NP4 processors. For example, for a FortiGate-5001C:

get hardware npu np4 list

ID   Model        Slot      Interface

0    On-board                port1 port2 port3 port4

fabric1 base1 npu0-vlink0 npu0-vlink1

1    On-board                port5 port6 port7 port8

fabric2 base2 npu1-vlink0 npu1-vlink1

 

NP4lite CLI commands (disabling NP4Lite offloading)

If your FortiGate unit includes an NP4Lite processor the following commands will be available:

Use the following command to disable or enable NP4Lite offloading. By default NP4lite offloading is enabled. If you want to disable NP4Lite offloading to diagnose a problem enter:

diagnose npu nplite fastpath disable

This command disables NP4Lite offloading until your FortiGate reboots. You can also re-enable offloading by entering the following command:

 

diagnose npu nplite fastpath enable

NP4lite debug command. Use the following command to debug NP4Lite operation:

diagnose npl npl_debug {<parameters>}

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

NP4 Acceleration

NP4 network processors provide fastpath acceleration by offloading communication sessions from the FortiGate CPU. When the first packet of a new session is received by an interface connected to an NP4 processor, just like any session connecting with any FortiGate interface, the session is forwarded to the FortiGate CPU where it is matched with a security policy. If the session is accepted by a security policy and if the session can be offloaded its session key is copied to the NP4 processor that received the packet. All of the rest of the packets in the session are intercepted by the NP4 processor and fast-pathed out of the FortiGate unit to their destination without ever passing through the FortiGate CPU. The result is enhanced network performance provided by the NP4 processor plus the network processing load is removed from the CPU. In addition, the NP4 processor can handle some CPU intensive tasks, like IPsec VPN encryption/decryption.

Session keys (and IPsec SA keys) are stored in the memory of the NP4 processor that is connected to the interface that received the packet that started the session. All sessions are fast-pathed and accelerated, even if they exit the FortiGate unit through an interface connected to another NP4. The key to making this possible is the Integrated Switch Fabric (ISF) that connects the NP4s and the FortiGate unit interfaces together. The ISF allows any port connectivity. All ports and NP4s can communicate with each other over the ISF.

There are no special ingress and egress fast path requirements because traffic enters and exits on interfaces connected to the same ISF. Most FortiGate models with multiple NP4 processors connect all interfaces and NP4 processors to the same ISF (except management interfaces) so this should not ever be a problem.

There is one limitation to keep in mind; the capacity of each NP4 processor. An individual NP4 processor has a capacity of 20 Gbps (10 Gbps ingress and 10 Gbps egress). Once an NP4 processor hits its limit, sessions that are over the limit are sent to the CPU. You can avoid this problem by as much as possible distributing incoming sessions evenly among the NP4 processors. To be able to do this you need to be aware of which interfaces connect to which NP4 processors and distribute incoming traffic accordingly.

Some FortiGate units contain one NP4 processor with all interfaces connected to it and to the ISF. As a result, offloading is supported for traffic between any pair of interfaces.

Some FortiGate units include NP4Lite processors. These network processors have the same functionality and limitations as NP4 processors but with about half the performance. NP4lite processors can be found in mid-range FortiGate models such as the FortiGate-200D and 240D.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiGate–3000D fast path architecture

The FortiGate-3000D features 16 front panel SFP+ 10Gb interfaces connected to two NP6 processors through an

Integrated Switch Fabirc (ISF). The FortiGate-3000D has the following fastpath architecture:

l  8 SFP+ 10Gb interfaces, port1 through port8 share connections to the first NP6 processor (np6_0).

l  8 SFP+ 10Gb interfaces, port9 through port16 share connections to the second NP6 processor (np6_1).

CONSOLE

MGMT 1

1                   3                   5

SFP+

7                   9

11                 13                 15

 

STATUS ALARM HA

 

POWER

USB

MGMT 2

2                   4                   6

8                  10                 12

14                 16

 

 

Integrated Switch Fabric

FortiASIC NP6

FortiASIC NP6

 

 

Sys

System Bus

 

CP8

CPU

CP8

 

CP8                                                    CP8

 

You can use the following get command to display the FortiGate-3000D NP6 configuration. The command output shows two NP6s named NP6_0 and NP6_1 and the interfaces (ports) connected to each NP6. You can also use the diagnose npu np6 port-list command to display this information.

 

get hardware npu np6 port-list

Chip   XAUI Ports   Max   Cross-chip

Speed offloading

—— —- ——- —– ———- np6_0  0    port1   10G   Yes

0    port6   10G   Yes

1    port2   10G   Yes

1    port5   10G   Yes

2    port3   10G   Yes

2    port8   10G   Yes

3    port4   10G   Yes

3    port7   10G   Yes

—— —- ——- —– ———- np6_1  0    port10  10G   Yes

0    port13  10G   Yes

1    port9   10G   Yes

1    port14  10G   Yes

2    port12  10G   Yes

 

2    port15  10G   Yes

3    port11  10G   Yes

3    port16  10G   Yes

—— —- ——- —– ———-

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiGate–1500DT fast path architecture

The FortiGate-1500DT features two NP6 processors both connected to an integrated switch fabric. The FortiGate-1500DT has the same hardware configuration as the FortiGate-1500D, but with the addition of newer CPUs and DPDK technology that improves IPS performance.

The FortiGate-1500DT includes the following interfaces and NP6 processors:

• Eight SFP 1Gb interfaces (port1-port8), eight RJ-45 Ethernet ports (port17-24) and four SFP+ 10Gb interfaces (port33-port36) share connections to the first NP6 processor.
• Eight SFP 1Gb interfaces (port9-port16), eight RJ-45 Ethernet ports (port25-32) and four SFP+ 10Gb interfaces (port37-port40) share connections to the second NP6 processor.

 

 

Integrated Switch Fabric

FortiASIC NP6

FortiASIC NP6

 

Sys

System Bus

CP8

CPU

CP8

You can use the following get command to display the FortiGate-1500DT NP6 configuration. The command output shows two NP6s named NP6_0 and NP6_1. The output also shows the interfaces (ports) connected to each NP6. You can also use the diagnose npu np6 port-list command to display this information.

get hardware npu np6 port-list

Chip   XAUI Ports   Max   Cross-chip

Speed offloading

—— —- ——- —– ———- np6_0  0    port1   1G    Yes

0    port5   1G    Yes

0    port17  1G    Yes

0    port21  1G    Yes

0    port33  10G   Yes

1    port2   1G    Yes

1    port6   1G    Yes

1    port18  1G    Yes

1    port22  1G    Yes

1    port34  10G   Yes

2    port3   1G    Yes

2    port7   1G    Yes

2    port19  1G    Yes

2    port23  1G    Yes

2    port35  10G   Yes

3    port4   1G    Yes

3    port8   1G    Yes

3    port20  1G    Yes

3    port24  1G    Yes

3    port36  10G   Yes

—— —- ——- —– ———- np6_1  0    port9   1G    Yes

0    port13  1G    Yes

0    port25  1G    Yes

0    port29  1G    Yes

0    port37  10G   Yes

1    port10  1G    Yes

1    port14  1G    Yes

1    port26  1G    Yes

1    port30  1G    Yes

1    port38  10G   Yes

2    port11  1G    Yes

2    port15  1G    Yes

2    port27  1G    Yes

2    port31  1G    Yes

2    port39  10G   Yes

3    port12  1G    Yes

3    port16  1G    Yes

3    port28  1G    Yes

3    port32  1G    Yes

3    port40  10G   Yes

—— —- ——- —– ———-

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiGate–1500D fast path architecture

The FortiGate-1500D features two NP6 processors both connected to an integrated switch fabric.

• Eight SFP 1Gb interfaces (port1-port8), eight RJ-45 Ethernet ports (port17-24) and four SFP+ 10Gb interfaces (port33-port36) share connections to the first NP6 processor.
• Eight SFP 1Gb interfaces (port9-port16), eight RJ-45 Ethernet ports (port25-32) and four SFP+ 10Gb interfaces (port37-port40) share connections to the second NP6 processor.

FortiGate 1500D

CONSOLE

MGMT 1

1                        3                        5                        7

9                       11

13                      15                                   17                      19

21                      23                                   25                      27

29                      31

10G SFP+

33                      35                      37                      39

 

STATUS ALARM HA

POWER

 

USB MGMT

USB

MGMT 2

2                        4                        6                        8

10                      12

14                      16                                   18                      20

22                      24                                   26                      28

30                      32

34                      36                      38                      40

 

 

 

 

Integrated Switch Fabric

 

 

 

 

FortiASIC NP6

FortiASIC NP6

 

 

 

 

Sys

System Bus

 

 

 

 

 

CP8

CPU

CP8

 

 

 

 

 

You can use the following get command to display the FortiGate-1500D NP6 configuration. The command output shows two NP6s named NP6_0 and NP6_1. The output also shows the interfaces (ports) connected to each NP6. You can also use the diagnose npu np6 port-list command to display this information.

 

get hardware npu np6 port-list

Chip   XAUI Ports            Max   Cross-chip

Speed offloading

—— —- ——-          —– ———- np6_0  0    port1            1G    Yes

0    port5            1G    Yes

0    port17           1G    Yes

0    port21           1G    Yes

0    port33           10G   Yes

1    port2            1G    Yes

1    port6            1G    Yes

1    port18           1G    Yes

1    port22           1G    Yes

 

 

 

 

1    port34           10G   Yes

2    port3            1G    Yes

2    port7            1G    Yes

2    port19           1G    Yes

2    port23           1G    Yes

2    port35           10G   Yes

3    port4            1G    Yes

3    port8            1G    Yes

3    port20           1G    Yes

3    port24           1G    Yes

3    port36           10G   Yes

—— —- ——-          —– ———- np6_1  0    port9            1G    Yes

0    port13           1G    Yes

0    port25           1G    Yes

0    port29           1G    Yes

0    port37           10G   Yes

1    port10           1G    Yes

1    port14           1G    Yes

1    port26           1G    Yes

1    port30           1G    Yes

1    port38           10G   Yes

2    port11           1G    Yes

2    port15           1G    Yes

2    port27           1G    Yes

2    port31           1G    Yes

2    port39           10G   Yes

3    port12           1G    Yes

3    port16           1G    Yes

3    port28           1G    Yes

3    port32           1G    Yes

3    port40           10G   Yes

—— —- ——-          —– ———-

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiGate-1200D fast path architecture

The FortiGate-1200D features two NP6 processors both connected to an integrated switch fabric.
Eight SFP 1Gb interfaces (port1-port8), eight RJ-45 Ethernet ports (port17-24) and two SFP+ 10Gb interfaces
(port33 and port34) share connections to the first NP6 processor.
Eight SFP 1Gb interfaces (port9-port16), eight RJ-45 Ethernet ports (port25-32) and two SFP+ 10Gb interfaces
(port35-port36) share connections to the second NP6 processor.

CONSOLE

MGMT 1

1 3 5 7

9 11 13 15

17 19

10G SFP+
21 23 25 27 29 31 33 35
STATUS ALARM HA
POWER
USB MGMT USB

MGMT 2

2 4 6 8

10 12 14 16

18 20

22 24

26 28 30 32

34 36

Integrated Switch Fabric

FortiASIC NP6

FortiASIC NP6

Sy tem Bus

CP8

CPU

CP8

You can use the following get command to display the FortiGate-1200D NP6 configuration. The command output shows two NP6s named NP6_0 and NP6_1. The output also shows the interfaces (ports) connected to each NP6. You can also use the diagnose npu np6 port-list command to display this information.

get hardware npu np6 port-list
Chip XAUI Ports Max Cross-chip
Speed offloading
—— —- ——- —– ———- np6_0 0 port33 10G Yes
1 port34 10G Yes
2 port1 1G Yes
2 port3 1G Yes
2 port5 1G Yes
2 port7 1G Yes
2 port17 1G Yes
2 port19 1G Yes
2 port21 1G Yes
2 port23 1G Yes
3 port2 1G Yes
3 port4 1G Yes
3 port6 1G Yes
3 port8 1G Yes
3 port18 1G Yes
3 port20 1G Yes
3 port22 1G Yes
3 port24 1G Yes
—— —- ——- —– ———- np6_1 0 port35 10G Yes
1 port36 10G Yes
2 port9 1G Yes
2 port11 1G Yes
2 port13 1G Yes
2 port15 1G Yes
2 port25 1G Yes
2 port27 1G Yes
2 port29 1G Yes
2 port31 1G Yes
3 port10 1G Yes
3 port12 1G Yes
3 port14 1G Yes
3 port16 1G Yes
3 port26 1G Yes
3 port28 1G Yes
3 port30 1G Yes
3 port32 1G Yes
—— —- ——- —– ———-

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!