Description
This article describes how to use the diag traffictest command for the following purposes:
External resources:
Scope
Any supported version of FortiGate.
Solution
The FortiGate firewall has a built-in iPerf3 client and a limited embedded iPerf3 server.
A loopback test is a simple method to determine whether the communication of circuits is functioning at a basic interface level.
It is used to determine whether transmitted signals return to the sender.
It can also be used between two ports that are in two different VDOMs to verify the connectivity at the hardware level.
diag traffictest server-intf port2 <- Define a FortiGate interface.
diag traffictest client-intf port1 <- Define a FortiGate interface.
diag traffictest run <- Run iPerf3.
The output should be similar to:
diag traffictest run
Connecting to host 10.109.19.237, port 162
[ 14] local 10.139.3.237 port 13398 connected to 10.109.19.237 port 162
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 14] 0.00-1.00 sec 648 MBytes 5.43 Gbits/sec 0 576 KBytes
[ 14] 1.00-2.00 sec 659 MBytes 5.53 Gbits/sec 0 576 KBytes
[ 14] 2.00-3.00 sec 660 MBytes 5.54 Gbits/sec 0 576 KBytes
[ 14] 3.00-4.00 sec 664 MBytes 5.58 Gbits/sec 0 576 KBytes
[ 14] 4.00-5.00 sec 662 MBytes 5.56 Gbits/sec 0 576 KBytes
[ 14] 5.00-6.00 sec 655 MBytes 5.49 Gbits/sec 0 576 KBytes
[ 14] 6.00-7.00 sec 1.11 GBytes 9.53 Gbits/sec 0 576 KBytes
[ 14] 7.00-8.00 sec 1.24 GBytes 10.7 Gbits/sec 0 576 KBytes
[ 14] 8.00-9.00 sec 1.23 GBytes 10.5 Gbits/sec 0 576 KBytes
[ 14] 9.00-10.00 sec 1.21 GBytes 10.4 Gbits/sec 0 576 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 14] 0.00-10.00 sec 8.64 GBytes 7.42 Gbits/sec 0 sender
[ 14] 0.00-10.00 sec 8.64 GBytes 7.42 Gbits/sec receiver
iperf Done.
iperf3: interrupt - the server has terminated
Note:
The iPerf3 server on the FortiGate cannot be used as a full-featured iPerf3 server.
It can be used only for the interface tests between FortiGate ports or as a client towards a server.
The test between ports, as shown above, will test only the basic function of the interface and it does not send any actual traffic/data between them.
Thus, it will not provide the actual bandwidth metrics.
In the multi-VDOM environment, run the test at the global level.
Example:
FGT # config global
FGT (global) # diag traffictest run
Or
FGT (root) # sudo global diag traffictest run
The iPerf3 server can be a public one or a privately hosted one. The FortiGate acts as the iPerf3 client in this scenario.
Assuming port1 is the WAN interface:
To test bandwidth between FortiGate's port1 and an iPerf3 server (the main iPerf3 server resolves to 45.154.168.155 and listens on ports 5200-5209), follow these steps:
To use FortiGate to send to another iPerf3 server, the user needs to set the traffic test client and server to use the same port.
diag traffictest client-intf port1 <- Define a FortiGate interface.
diag traffictest server-intf port1 <- Define a FortiGate interface.
diag traffictest port 5209 <- Define the iPerf3 port running on the iPerf3 server.
diag traffictest run -c 45.154.168.155 <- Run iPerf3 against the public 45.154.168.155 iPerf3 server.
The output should be similar to:
diag traffictest client-intf port1
client-intf: port1
diag traffictest server-intf port1
server-intf: port1
diag traffictest port 5209
port: 5209
diag traffictest run -c 45.154.168.155
[ 14] local 10.109.19.237 port 5201 connected to 45.154.168.155 port 5209
[ ID] Interval Transfer Bandwidth Retr Cwnd
[ 14] 0.00-1.01 sec 1.78 MBytes 14.8 Mbits/sec 2 198 KBytes
[ 14] 1.01-2.01 sec 3.56 MBytes 29.9 Mbits/sec 37 256 KBytes
[ 14] 2.01-3.01 sec 6.01 MBytes 50.4 Mbits/sec 0 304 KBytes
[ 14] 3.01-4.01 sec 6.73 MBytes 56.6 Mbits/sec 0 335 KBytes
[ 14] 4.01-5.01 sec 6.73 MBytes 56.4 Mbits/sec 0 354 KBytes
[ 14] 5.01-6.01 sec 6.78 MBytes 56.9 Mbits/sec 0 354 KBytes
[ 14] 6.01-7.01 sec 6.65 MBytes 55.8 Mbits/sec 0 363 KBytes
[ 14] 7.01-8.01 sec 6.77 MBytes 56.8 Mbits/sec 0 363 KBytes
[ 14] 8.01-9.01 sec 4.58 MBytes 38.4 Mbits/sec 5 187 KBytes
[ 14] 9.01-10.00 sec 6.07 MBytes 51.1 Mbits/sec 0 301 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 14] 0.00-10.00 sec 55.7 MBytes 46.7 Mbits/sec 44 sender
[ 14] 0.00-10.00 sec 55.5 MBytes 46.6 Mbits/sec receiver
iperf Done.
iperf3: interrupt - the server has terminated
UDP test:
By default, FortiGate will test TCP. It is possible to run UDP with -u.
diagnose traffictest run -c 45.154.168.155 -u
Connecting to host 45.154.168.155, port 5209
[ 9] local 178.17.233.36 port 11998 connected to 62.210.18.40 port 5209
[ ID] Interval Transfer Bandwidth Total Datagrams
[ 9] 0.00-1.01 sec 120 KBytes 976 Kbits/sec 15
[ 9] 1.01-2.01 sec 128 KBytes 1.05 Mbits/sec 16
[ 9] 2.01-3.01 sec 128 KBytes 1.05 Mbits/sec 16
[ 9] 3.01-4.01 sec 128 KBytes 1.05 Mbits/sec 16
[ 9] 4.01-5.01 sec 128 KBytes 1.05 Mbits/sec 16
[ 9] 5.01-6.01 sec 128 KBytes 1.05 Mbits/sec 16
[ 9] 6.01-7.01 sec 128 KBytes 1.05 Mbits/sec 16
[ 9] 7.01-8.01 sec 128 KBytes 1.05 Mbits/sec 16
[ 9] 8.01-9.01 sec 128 KBytes 1.05 Mbits/sec 16
[ 9] 9.01-10.01 sec 128 KBytes 1.05 Mbits/sec 16
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Jitter Lost/Total Datagrams
[ 9] 0.00-10.01 sec 1.24 MBytes 1.04 Mbits/sec 0.074 ms 0/159 (0%)
[ 9] Sent 159 datagrams
iperf Done.
iperf3: interrupt - the server has terminated.
If the speed test is performed over UDP (parameter '-u'), it is recommended to change the bandwidth, as the default is 1Mbps (for TCP, the bandwidth is unlimited).
If it is not changed, the throughput result for the UDP speed test will be limited to 1Mbps.
This value can be modified with parameter '-b' as shown in the example below:
diagnose traffictest run -c <iperf_server_IP> -u -b 5G <- Bandwidth set to 5Gbit/s.
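Added example (not part of the original article and not Fortinet code): a Python parser for captured 'diag traffictest run' output that extracts the totals block and flags a UDP result pinned at the 1Mbps default, as well as TCP retransmits. The function name parse_traffictest, the 10% tolerance and the warning texts are assumptions; the sample rows are copied from the outputs shown in this article.

```python
import re
# Data row as printed by "diag traffictest run": "[ 14] 0.00-10.00 sec 55.7 MBytes 46.7 Mbits/sec 44 sender"
ROW = re.compile(r"\[\s*\d+\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+[KMG]?Bytes\s+"
                 r"(?P<rate>[\d.]+)\s+(?P<unit>[KMG]?)bits/sec(?P<rest>.*)$")
SCALE = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}
UDP_DEFAULT_BPS = 1e6  # UDP target rate when -b is omitted (1Mbps per the article)

def parse_traffictest(text):
    """Extract the totals block of one run and flag results that need a rerun."""
    r = {"udp": False, "bps": None, "retransmits": None, "lost": None, "warnings": []}
    in_totals = False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("- - -"):      # dashed rule: per-second rows end, totals begin
            in_totals = True
            continue
        if "Datagrams" in line:           # only the UDP column headers mention datagrams
            r["udp"] = True
        m = ROW.match(line)
        if not (m and in_totals):
            continue
        if r["bps"] is None:              # first totals row is the sender side
            r["bps"] = float(m["rate"]) * SCALE[m["unit"]]
        lost = re.search(r"(\d+)/(\d+)\s+\(", m["rest"])
        if lost:                          # UDP "Lost/Total Datagrams" column
            r["lost"] = (int(lost[1]), int(lost[2]))
        elif m["rest"].strip().endswith("sender"):
            r["retransmits"] = int(m["rest"].split()[0])   # TCP "Retr" column
    if r["udp"] and r["bps"] and abs(r["bps"] - UDP_DEFAULT_BPS) < 0.1 * UDP_DEFAULT_BPS:
        r["warnings"].append("UDP pinned near 1 Mbit/s: default rate cap, rerun with -b")
    if r["retransmits"]:
        r["warnings"].append(f"{r['retransmits']} TCP retransmits during the run")
    return r

# Sample rows copied from the outputs shown in this article (abbreviated).
TCP_SAMPLE = """\
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Retr
[ 14] 0.00-10.00 sec 55.7 MBytes 46.7 Mbits/sec 44 sender
[ 14] 0.00-10.00 sec 55.5 MBytes 46.6 Mbits/sec receiver
"""
UDP_SAMPLE = """\
[ ID] Interval Transfer Bandwidth Total Datagrams
[ 9] 9.01-10.01 sec 128 KBytes 1.05 Mbits/sec 16
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bandwidth Jitter Lost/Total Datagrams
[ 9] 0.00-10.01 sec 1.24 MBytes 1.04 Mbits/sec 0.074 ms 0/159 (0%)
"""
if __name__ == "__main__":
    for name, sample in (("tcp", TCP_SAMPLE), ("udp", UDP_SAMPLE)):
        print(name, parse_traffictest(sample))
```

A UDP run that reports 0% loss at roughly 1 Mbit/s says nothing about link capacity; the warning marks such a capture for a rerun with '-b'.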
To get more realistic results, use parallel streams with the following command (in this example, 10 parallel streams are used):
diag traffictest run -R -c 45.154.168.155 -P 10
By default, iPerf sends the data to the remote host, so the test measures the upload direction for the FortiGate. To generate traffic in the opposite direction, use the -R option.
diag traffictest run -R -c 45.154.168.155
When FortiGate is acting as an iPerf client (as shown above) and connecting to an actual iPerf server, it sends the packets to gather the upload and download speed.
However, this test is not precise because of the various overheads involved with iPerf; it provides approximate values only.
iPerf functionality is limited on the FortiGate.
To test the actual throughput and set up the upload and download speed baseline, an external server and client are required to test the throughput with FortiGate in between.
Moreover, in a dual WAN scenario, FortiGate always sends the traffic through the best route and its outgoing interface in the routing table.
Possible options of the iPerf3 client supported on the FortiGate can be observed via this command:
diag traffictest run -h
Note:
The iPerf/iPerf3 servers are external services and are not operated or endorsed by Fortinet.
Copyright 2024 Fortinet, Inc. All Rights Reserved.