Fortinet FortiGate FortiGate-ASM-FB4 Technical Note

Version 1.0
www.fortinet.com
Summary of Contents for Fortinet FortiGate FortiGate-ASM-FB4

  • Page 2 Version 1.0, 2 October 2007, document 01-30005-0424-20071002. © Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication, including text, examples, diagrams or illustrations, may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
  • Page 3: Table Of Contents

    Introduction ... 5
      About the FortiGate-ASM-FB4 ... 5
      About this document ... 5
      Fortinet documentation ... 6
        Fortinet Tools and Documentation CD ... 6
        Fortinet Knowledge Center ... 6
        Comments on Fortinet technical documentation ... 6
      Customer service and technical support ... 6
    FortiGate-ASM-FB4 accelerated network processing ...
  • Page 5: Introduction

    This chapter introduces you to the FortiGate-ASM-FB4 and the following topics:
    • About the FortiGate-ASM-FB4
    • About this document
    • Fortinet documentation
    • Customer service and technical support

    About the FortiGate-ASM-FB4
    When installed in a compatible FortiGate unit’s AMC (Advanced Mezzanine Card) slot, FortiGate-ASM-FB4 modules provide additional hardware accelerated network processing for certain eligible traffic types passing through their SFP (small form-factor pluggable) network interfaces.
  • Page 6: Fortinet Documentation

    All Fortinet documentation is available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For up-to-date versions of Fortinet documentation, see the Fortinet Technical Documentation web site at http://docs.forticare.com.
  • Page 7: Fortigate-Asm-Fb4 Accelerated Network Processing

    FortiGate-ASM-FB4 accelerated network processing
    FortiGate units can offload some types of network traffic processing from main processing resources to a FortiGate-ASM-FB4 module, which contains specialized network processing hardware. If your network contains a significant volume of traffic that is suitable for offloading, FortiGate-ASM-FB4 module hardware acceleration can significantly improve your network throughput.
  • Page 8: Offloading Requirements

    Offloading requirements
    Some traffic processing can still be hardware accelerated, even though it does not meet the general offloading requirements. For example, some IPSec traffic originates from the FortiGate unit itself and does not follow the offloading requirement of ingress from a FortiGate-ASM-FB4 module network interface, but FortiGate units can still utilize FortiGate-ASM-FB4 module encryption capabilities.
  • Page 9: Exceptions To Offloading Requirements

    • Outgoing packets must not require fragmentation to a size less than 385 bytes. Because of this requirement, the configured MTU for the FortiGate-ASM-FB4 module’s network interfaces must also meet or exceed the FortiGate-ASM-FB4-supported minimum MTU of 385 bytes.
    If packet requirements are not met, an individual packet will use FortiGate unit main processing resources, regardless of whether other packets in the session are offloaded to the FortiGate-ASM-FB4 module.
  • Page 10: Ha Active-Active Offloading Requirements

    HA active-active offloading requirements
    To apply hardware accelerated encryption and decryption, the FortiGate unit must first perform Phase 1 negotiations to establish the security association (SA). The SA includes cryptographic processing instructions required by the FortiGate-ASM-FB4 module, such as which encryption algorithms must be applied to the tunnel.
  • Page 11: Fortigate-Asm-Fb4 Hardware

    FortiGate-ASM-FB4 hardware
    The FortiGate-ASM-FB4 module is an AMC (Advanced Mezzanine Card) which can be installed in a FortiGate-3600A, FortiGate-3810B or FortiGate-3016B unit’s single width AMC slot. To complete assembly, SFP transceivers must also be inserted into the FortiGate-ASM-FB4 module’s four SFP cages.
    Caution: FortiGate-ASM-FB4 modules must be protected from static discharge and physical shock.
  • Page 12: To Remove A Fortigate-Asm-Fb4 Module

    The default value is serdes. SerDes SFP transceivers support only the fixed speed of 1 Gbps; SGMII supports tri-speed mode (10/100/1000 Mbps). Because forcing the speed could result in link failure and disrupted service, Fortinet recommends enabling link speed auto-negotiation.
    config system interface...
  • Page 13: Specialized Cli Settings

    Specialized CLI settings
    Installing a FortiGate-ASM-FB4 module causes its network interfaces to appear in the web-based manager. Using the web-based manager, you can configure each FortiGate-ASM-FB4 module network interface as you would configure other network interfaces. Installation also causes some specialized network configuration and NPU (network processing unit) settings to appear in the CLI.
  • Page 14 config system interface

    Variable                                   Description
    mediatype {serdes | sgmii}                 Select the media type of the transceiver.
    fp-anomaly {drop_icmpland | pass_icmpland} By configuring this option, enable hardware anomaly checking, and list whether to drop or allow (pass) specific anomaly types.
                                               • drop_icmpland: Drop ICMP land.
  • Page 15: Example

    Example
    You might configure the media type for an SGMII transceiver, and hardware accelerate dropping packets with TCP WinNuke or unknown IP protocol anomalies, but pass packets with an IP time stamp.
    config system interface

    config system npu
    Network processing unit (npu, the FortiGate-ASM-FB4 module) settings appear when a FortiGate-ASM-FB4 module is installed.
  • Page 16: Example

    Example
    You could configure the traffic shaping limit to be applied as a bidirectional total limit during hardware accelerated sessions.
    config system npu
        set traffic-shaping-mode bidirection
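    The following is an added, annotated CLI example that puts the pages above together; it is not text from the technical note. The interface name amc-sw1/1 is assumed (use the name FortiOS shows for the module's first SFP port), the speed and mtu-override/mtu keywords are standard interface settings not shown on the page, and of the fp-anomaly options only drop_icmpland and pass_icmpland appear on the page: drop_winnuke, drop_ipunknown_prot and pass_iptimestamp are assumed from FortiOS 3.0 syntax and should be checked against the option list your firmware prints. Lines beginning with # are annotations, not CLI input.

```text
# Added example, not from the Fortinet technical note.
config system interface
    edit "amc-sw1/1"                   # assumed name of the module's first SFP port
        # SGMII transceiver supports 10/100/1000; a forced speed can drop the link,
        # so leave auto-negotiation on (Fortinet's recommendation on page 12)
        set mediatype sgmii
        set speed auto
        # Hardware anomaly checking on the NPU: drop ICMP land, TCP WinNuke and
        # unknown IP protocol, but pass packets carrying an IP timestamp option.
        # Option names other than drop_icmpland/pass_icmpland are assumed.
        set fp-anomaly drop_icmpland drop_winnuke drop_ipunknown_prot pass_iptimestamp
        # The module cannot offload packets fragmented below 385 bytes, so the
        # interface MTU must stay at or above that minimum (1500 is the usual value)
        set mtu-override enable
        set mtu 1500
    next
end

config system npu
    # Count the traffic shaping limit as one bidirectional total for offloaded
    # sessions instead of applying it to each direction separately
    set traffic-shaping-mode bidirection
end
```

    Verify the result with `show system interface amc-sw1/1` and `show system npu`; if the fp-anomaly line is rejected, the option names your firmware accepts are listed by `set fp-anomaly ?`.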
  • Page 17: Examples

    Examples
    Hardware accelerated IPSec processing, involving either partial or full offloading, can be achieved in either tunnel or interface mode IPSec configurations. To achieve offloading for both encryption and decryption:
    • In the Phase 1 configuration’s Advanced section, Local Gateway IP must be specified as an IP address of one of the FortiGate-ASM-FB4 module’s SFP network interfaces.
  • Page 18: Accelerated Tunnel Mode Ipsec

    Configure one policy to apply the Phase 1 IPSec tunnel you configured in step to traffic between FortiGate-ASM-FB4 module ports 1 and 2. Go to Router > Static. Configure a static route to route traffic destined for FortiGate_2’s protected network to the VPN gateway IP address of FortiGate_2, 3.3.3.2, through the FortiGate-ASM-FB4 module’s port 2 (device).
  • Page 19: Accelerated Interface Mode Ipsec

    Configure one policy to apply the Phase 1 IPSec tunnel you configured in step to traffic between FortiGate-ASM-FB4 module ports 1 and 2. Go to Router > Static. Configure a static route to route traffic destined for FortiGate_1’s protected network to the VPN gateway IP address of FortiGate_1, 3.3.3.1, through the FortiGate-ASM-FB4 module’s port 2 (device).
  • Page 20 Configure two policies (one for each direction) to apply the Phase 1 IPSec configuration you configured in step to FortiGate-ASM-FB4 module port 1. Go to Router > Static. Configure a static route to route traffic destined for FortiGate_2’s protected network to the Phase 1 IPSec device, FGT_1_IPsec.
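    The web-based manager steps on pages 17 to 20 correspond to the CLI below, an added example showing FortiGate_1's side of the accelerated tunnel-mode setup; it is not configuration from the technical note. Assumed, because the page does not state them: the module port names amc-sw1/1 (toward the protected LAN) and amc-sw1/2 (toward FortiGate_2), the protected network 192.168.2.0/24 behind FortiGate_2, a pre-shared key, and the FortiOS 3.0 keyword names local-gw, remote-gw and vpntunnel. The gateway addresses 3.3.3.1 and 3.3.3.2 and the name FGT_1_IPsec are the page's own. Lines beginning with # are annotations, not CLI input.

```text
# Added example, not from the Fortinet technical note. FortiGate_1 side, tunnel mode.
config vpn ipsec phase1
    edit "FGT_1_IPsec"
        set interface "amc-sw1/2"      # assumed name of module port 2 (faces FortiGate_2)
        # Local Gateway IP must be an address on a module SFP interface; otherwise
        # encryption and decryption are not offloaded to the FortiGate-ASM-FB4
        set local-gw 3.3.3.1
        set remote-gw 3.3.3.2
        set psksecret <pre-shared key>  # placeholder
    next
end

config vpn ipsec phase2
    edit "FGT_1_IPsec_p2"
        set phase1name "FGT_1_IPsec"
    next
end

# One IPSec policy between module ports 1 and 2 (the page's single-policy step);
# inbound and outbound are both enabled so one policy carries both directions
config firewall policy
    edit 1
        set srcintf "amc-sw1/1"        # assumed name of module port 1 (protected LAN)
        set dstintf "amc-sw1/2"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set inbound enable
        set outbound enable
        set vpntunnel "FGT_1_IPsec"
    next
end

# Static route for FortiGate_2's protected network: next hop is FortiGate_2's VPN
# gateway 3.3.3.2, leaving through module port 2
config router static
    edit 1
        set dst 192.168.2.0 255.255.255.0   # assumed protected network of FortiGate_2
        set gateway 3.3.3.2
        set device "amc-sw1/2"
    next
end
```

    FortiGate_2 mirrors this with local-gw 3.3.3.2, remote-gw 3.3.3.1 and a route toward FortiGate_1's protected network via 3.3.3.1. For the interface-mode variant on page 20, the phase 1 is created under config vpn ipsec phase1-interface, the two policies are ordinary accept policies between module port 1 and the FGT_1_IPsec interface, and the static route's device is the Phase 1 IPSec device FGT_1_IPsec itself rather than module port 2. In both modes, confirm after bringing the tunnel up that the Phase 1 local gateway really is a module SFP address, since that is the condition the page gives for offloading both encryption and decryption.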