Skip to main content
tanr
tanr
New Member
November 14, 2017
Question

Thoughts on 10GbE without SFP+ FortiGate

  • November 14, 2017
  • 1 reply
  • 12231 views

Interested in peoples' opinions and suggestions on this.

 

I’ve added a few 10GbE links to our office setup, mostly for fast NAS access, and will soon move some of our nodes to 10GbE as well.  Right now these are all directly connected with copper RJ45 10GBASE-T (hosts with Intel X550-T), but adding the nodes will require a 10GbE switch.  As will the vmware platform we're considering for next year or the year after.

 

I would like to have a FortiGate in between some of these new 10GbE hosts, mostly for IPS and some AV.  Note that I DON'T need 10GbE to the wan.

 

The "cheapest" FortiGate with a few SFP+ ports is the 500E, which is way more than we need.  We won't have a vmware platform to run a VM FortiGate using the platform's 10GbE nics till much later, so that isn't really an option.

 

I'm considering a 100D, 140E, or 200E with a couple big 802.3ad link aggregate interfaces (8x or more physical interfaces each) to give me close to 10GbE to the 10GbE switch.  I can run some tests on a current 100D to check feasibility of this. But it's hard to know how much IPS or AV throughput I'll actually get for these cases.  For example, the 200E spec sheet lists 1.8Gbps NGFW Throughput, but how does that translate to an 802.3ad aggregate of 8 interfaces?  Would be nice if the answer was 8 x 1.8Gbps but that seems unlikely.

 

Any thoughts on this?  Reasons this should or shouldn't work?  A better/easier way?

 

Thanks.

    1 reply

    emnoc
    emnoc
    New Member
    November 14, 2017

    Where do I start ;)

     

    1: let go with  this

     

    I'm considering a 100D, 140E, or 200E with a couple big 802.3ad link aggregate interfaces (8x or more physical interfaces each) to give me close to 10GbE to the 10GbE switch.

     

    Price per port get's extreme high in this model if you  compare it to a 10gige appliance to begin , worst if you add HA ( a 2nd  cluster  node)

     

    e.g

     

    how much does  8x 1GIGE port cost vrs the  max thru-put? over one  model that has a 10gige SFP+ to begin with?

     

     

    2: Using a 100D/140E/200E are still considered branch series  models with limited  process. A FGT100D/140D has no NP4 and the 200E I believe also has no great hardware acceleration. Heck I have most of  these in my lab.

     

    3:  next, I doubt yo could even link AG 8x or more ports on the 100D/140D model to begin with,  nor would you  gain anything  but a lot  of ports bundle and waste.

     

    Next ,

     

    The "cheapest" FortiGate with a few SFP+ ports is the 500E, which is way more than we need.  We won't have a vmware platform to run a VM FortiGate using the platform's 10GbE nics till much later, so that isn't really an option.

     

     

    What are you wanting? 1GIGE or 10GIGE interfaces? What your technical requirements? yes it has  10gige interface but it bound to the same  NP6

     

     

    You should answer those questions  1st and then design and then look at what it  cost to get to your dsesign. You mention IPS/AV ,  but do you now the bottom number of what these  unit offer with regards to IPS/AV?

     

    Using  my quick  calculations of FTNT numbers,  which are under-best-conditions

     

    100D  no 10gige no NP or better.... really not alot to say except they are reliable branch devices

     

    140D no 10gige  no NP or better, shared SFP ports , limited number of 1gige copper ports, lower thruput than a 200E, and a lot more ports than a 100D ...again a reliable branch   friewall imho.

     

    200E  no 10Gige, Np6lite, no cross-NP LAGs,  2.2 gbps ips ( AV thru-putt..... no real numbers could  found , but probably  less than IPS thru-put NPlite technology okay but nothing to write home about,etc....),

     

    500E way-much more the earlier listed model, it has 10GIGE interfaces but one single NP6, traffic flow might not stay fast-path so  ????s on what  real expect thru-put  estimation? What  can you get over a single  tengige interface in/out and  few 1GIGE interfaces?

     

     

    I would drive my selection on hardware & around what are your business-objectives, and then gather the devices you need. Make  adjustment if you can't meet the objects and know what the PRO/CON are.

     

    From what you mention, I would get out of the branch-lowenterprise models,  and would look at  1000-1500D or even higher.

     

    Here's why

     

     

    These models has more than 1NP

    possible switch connection-fabric

    more ports

    higher thruput ( raw fw, IPS, AV,etc...)

    These don't have Np6lites processor , and the limited thru-put that it provides

     

     

    They do cost more ( no shock ), but it would money better spent than to buy  yugo and how it works in your favor.

     

    ;)

     

    Ken

     

     

    tanr
    tanrAuthor
    New Member
    November 14, 2017

    Thanks for your thoughts on this Ken.  

     

    I wish we could put in a 1500DT or 1200D!  But the budget just isn't there, especially with the maintenance costs.  Might be able to get a 300E, 500E or 600D next year.

     

    Note that this is all internal segmentation, just to protect the 10GbE NAS(es) this year and to be ready to protect next year's vmware platform.  There will be very few hosts accessing them (never more than 8) over 10GbE.  Some additional hosts will be accessing them over 1GbE.  Wan access is through a 300D.

     

    You mentioned that the 200E with an NP6lite has no cross-NP LAG.  But I thought both the NP6 and the NP6lite could work with LAGs, per http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-hardware-acceleration-52/NP6.htm#Increasi or did I misunderstand?  The documentation seems to imply I can use the NP6/NP6lite to treat a LAG as a larger bandwidth interface.

     

    I can do some initial testing with the 100D to see how (badly) it performs with a couple 4x LAGs. 

    If the 100D LAG perf really sucks I'll run some similar tests with our 300D to see how a single NP6 does.

    That should give me enough info to decide if I want to test POC on a 300E, 500E, or 600D.

    emnoc
    emnoc
    New Member
    November 14, 2017

    Let me clarify

     

    You mentioned that the 200E with an NP6lite has no cross-NP LAG.  But I thought both the NP6 and the NP6lite could work with LAGs, per http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-hardware-acceleration-52/NP6.htm#Increasi or did I misunderstand?  The documentation seems to imply I can use the NP6/NP6lite to treat a LAG as a larger bandwidth interface.

     

     

    Np6 lite should do lag you just can't bound two interface across two-NPs and also keep in mind the NP6lite is a 10gbps  process . This is a big negative for me in  mmy environment.

     

     

    Next, I've seem  traffic flows that are not 100% fast-path. Typically things with AV/IPS/GRE/IPSEC could  never be fast-path ( diag sys session will show this )

     

    So it's just not  the NP4/NP6 you have, or  a internal-switch-fabric or size of the hardware. The 1xxx models or higher have ovevrall better  designs and thru-puts numbers.

     

    Sometime you have to bite the bullet and spend the capital. I would hate to see you  "just throw" hardware in due to $$$$.$$ and then have a bigger  mess at the end.

     

     

    About the NAS, do you really need  the NAS traffic  going thru a firewall? Can you build a different topology ?

     

    Ken

    Terms & ConditionsAccessibility statement