Brent
New Member
November 27, 2017
Solved

Internet Connection Speed


Hi, 

 

First time poster here, so hopefully I got the most appropriate thread.

 

I have just purchased a Fortigate 600c firewall to route my home office network to the internet.  I have two ISPs and am on a 1Gb plan with both of them.

 

When I connect the basic routers that were provided from each ISP I get close to what is promised 900 Mb+.  However, when I run my connections through the Fortigate, I am only getting circa 500 Mb.  (As tested using Speedtest.net)

 

I previously had a Fortigate 200b, which gave me the same speeds, and while investigating I noted that the CPU of the fortigate was maxing out.  Actually, initially I was getting slower speeds but after turning off logging it increased to around the 500 mark.

 

I thought okay, the CPU isn't powerful enough to handle what I wanted, so I kept an eye out for a second hand later model when I found the 600c being sold locally.  Checking the specs on the 600c and seeing that it has 2.5 Gbps IPS I thought this would be powerful enough to give me closer to the 1 Gbps speeds.

 

Is there any way I can tweak the fortigate to get better performance, or does anyone have any ideas as to why I am not getting the speeds as advertised?

 

I'm running FortiOS 5.4, not using WAN LLB (as I require VPN).  Other than this the Fortigate is functioning as I require;

* Separate Network for myself and my flatmates (I can't have them accessing the VPN to work)

* Traffic routed through specific ISP for specific tasks (Mail through one, other traffic through another)

* Reverse Proxy

 

Thanks

 

Brent

 

    Best answer by ede_pfau

    I would have checked first if this phenomenon is connected to the WAN port and/or protocols.

    Please run a performance test between 2 hosts on your LAN, both with GbE ports, AV disabled. I usually use iperf for this as the same exe-file contains the server and the client.

    You should see wirespeed here.

     

    If you don't there is a problem within FortiOS such as the traffic offloading to the network ASIC (NP) being disabled. Have you reset the unit after purchase to factory defaults ("exec factoryreset") before configuring it? Beware that this command will delete all of the config.

     

    If you do see wirespeed between LAN ports I would investigate the WAN protocol used. How do you connect to your ISP(s)? DHCP, PPPoE, static IP? There is a known gotcha with PPPoE processing in FortiOS. Cheap but dedicated WAN routers use a special chip to handle the protocol, FortiOS doesn't. It might well suck up the CPU performance if the WAN line speed is in excess of 100 Mbps for desktop models, higher speeds for multi-core FGTs like yours.

     

    The 600C itself is very capable, with decent memory size, content ASIC (CP) and network ASIC (NP) for offloading chores off the CPU. CPU will mostly handle session setup, negotiations (IPsec, SSLVPN, PPPoE, DHCP), logging and GUI. Plus some more but will usually stay out of the way of running session traffic. That's why you would expect wirespeed performance on GbE ports. IMHO the specs on the datasheet come quite close to real-world figures.

     

    Lastly, if you're running FOS v5.4 do update to the latest build (v5.4.6). Each patch version will fix some bugs and possibly improve throughput (while adding features which introduce more bugs...). For a used unit without contract this will be, hm, difficult but you may well ask FTNT for a contract. FortiCare will do (firmware updates, warranty extension) but of course FortiGuard would be more beneficial for you (AV, IPS, botnet IP blacklist, webfilter,...). If such contracts are no longer available from the regular price list you could ask FTNT for a 'coterm quote'.

     

    Happy testing!

    3 replies

    packetpusher
    New Member
    November 28, 2017

    You can start with setting a baseline. 

     

    "Is there any way I can tweak the fortigate to get better performance, or does anyone have any ideas as to why I am not getting the speeds as advertised?"

    There is a way, we just need to know what the root cause of the described issue is. For example, CPU & high memory utilization.

    Brent (Author)
    New Member
    November 29, 2017

    Thanks for your reply.

     

    I'm not sure what you mean by setting a baseline.  I know what a baseline is, but I'm not sure how it applies here, can you give me more information about what you mean?

     

    Regarding the CPU and Memory utilization, I did forget to mention that once I switched to the 600c the memory and cpu utilization were not excessive.

     

    CPU Usage: 12%

    Memory Usage : 19 %

     

    packetpusher
    New Member
    November 29, 2017

    I wanted to ask you to start recording the values of each test and the corresponding CPU and Memory utilization. 

    FransUrbo
    New Member
    February 12, 2018

    There's very little discussion on the few "speed" issues in the forum... :(

     

    I'm having the same problem. I have a FortiGate 50E which is also supposed to have 2.5Gbps but on my 1Gbps fiber broadband from Hyperoptic, I'm getting 356Mbps down and 110Mbps up (on copper).

     

    The router provided by Hyperoptic could manage 400Gbps on the builtin WiFi.

     

    So the question is: What is that cheap piece of c**p they provided me with doing so much better than a FortiGate??

    pireality
    New Member
    August 2, 2018

    Nobody replied to "how to set this in the gui?".  I did some testing and it looks like with the DF bit set, my default gateway responds @ 1472.  I could also set mtu via CLI, but gui will be easier for noobs.

    pireality
    New Member
    August 2, 2018

    Oh yeah, CLI is like this:

    config system interface
        edit <interface_name>
            set mtu-override enable
            set mtu <byte_size>
    end

     

    pireality
    New Member
    August 2, 2018

    So I found that my ISP "likes" packets sized @ 1472, however, that hasn't changed my laggy speeds or bufferbloat.  Any other suggestions?  I too have tried my other router(s) and CPU/utilization on the fortigate look healthy during testing.
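
The DF-bit test mentioned in the posts above, as an added example that is not part of the original thread: a binary search for the largest ICMP payload that passes unfragmented, converted to the value for `set mtu` (payload + 8-byte ICMP header + 20-byte IPv4 header, so 1472 corresponds to a standard 1500-byte MTU). It assumes Linux iputils `ping`; the `PROBE_CMD` hook and the function names are hypothetical, introduced here so the search can be exercised without a network.

```shell
#!/bin/sh
# Added example: find the largest DF-flagged ICMP payload a path accepts
# and derive the matching IPv4 interface MTU.

# probe TARGET SIZE -> exit 0 if an echo with SIZE payload bytes and DF set is answered.
# Default uses Linux iputils ping (-M do sets DF and forbids local fragmentation).
# PROBE_CMD (hypothetical hook) replaces it for offline runs or other platforms.
probe() {
    if [ -n "$PROBE_CMD" ]; then
        "$PROBE_CMD" "$1" "$2"
    else
        ping -M do -c 1 -W 1 -s "$2" "$1" >/dev/null 2>&1
    fi
}

# max_df_payload TARGET [LOW] [HIGH] -> prints the largest payload that passes.
# Defaults: 548 (576-byte minimum IPv4 datagram) up to 1472 (1500-byte Ethernet).
max_df_payload() {
    target=$1 lo=${2:-548} hi=${3:-1472}
    # If even the floor fails, the host is unreachable or ICMP is filtered.
    probe "$target" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$target" "$mid"; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$lo"
}

# payload_to_mtu PAYLOAD -> payload + 8 (ICMP header) + 20 (IPv4 header, no options)
payload_to_mtu() {
    echo $(( $1 + 28 ))
}

# Stand-alone use: ./pmtu.sh <gateway-or-host>
if [ -n "$1" ]; then
    p=$(max_df_payload "$1") || { echo "no DF reply from $1" >&2; exit 1; }
    echo "max DF payload: $p bytes -> set mtu $(payload_to_mtu "$p")"
fi
```

A result below 1472 (for example 1464 on a PPPoE link, which carries 8 bytes of encapsulation) is the case where an MTU override on the WAN interface is relevant.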