FortiGate
ppatel
Staff
Article Id 197784

Description


This article describes how to use the diag traffictest command for the following purposes:

  • Loopback testing.
  • TCP/UDP traffic testing.



Scope

 

Any supported version of FortiGate.


Solution


The FortiGate firewall has a built-in iPerf3 client and a limited embedded iPerf3 server.

 

  1. Perform loopback testing between two different FortiGate ports:

 

A loopback test is a simple way to determine whether a circuit is working at the basic interface level: it checks whether signals transmitted on one interface come back to the sender on another.

 

It can also be run between two ports that belong to two different VDOMs, to verify connectivity at the hardware level.

 

diag traffictest server-intf port2        <- Define a FortiGate interface.
diag traffictest client-intf port1        <- Define a FortiGate interface.
diag traffictest run                      <- Run iPerf3.

 

The output should be similar to:

 

diag traffictest run
Connecting to host 10.109.19.237, port 162
[ 14] local 10.139.3.237 port 13398 connected to 10.109.19.237 port 162
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[ 14]   0.00-1.00   sec   648 MBytes  5.43 Gbits/sec    0    576 KBytes
[ 14]   1.00-2.00   sec   659 MBytes  5.53 Gbits/sec    0    576 KBytes
[ 14]   2.00-3.00   sec   660 MBytes  5.54 Gbits/sec    0    576 KBytes
[ 14]   3.00-4.00   sec   664 MBytes  5.58 Gbits/sec    0    576 KBytes
[ 14]   4.00-5.00   sec   662 MBytes  5.56 Gbits/sec    0    576 KBytes
[ 14]   5.00-6.00   sec   655 MBytes  5.49 Gbits/sec    0    576 KBytes
[ 14]   6.00-7.00   sec  1.11 GBytes  9.53 Gbits/sec    0    576 KBytes
[ 14]   7.00-8.00   sec  1.24 GBytes  10.7 Gbits/sec    0    576 KBytes
[ 14]   8.00-9.00   sec  1.23 GBytes  10.5 Gbits/sec    0    576 KBytes
[ 14]   9.00-10.00  sec  1.21 GBytes  10.4 Gbits/sec    0    576 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[ 14]   0.00-10.00  sec  8.64 GBytes  7.42 Gbits/sec    0             sender
[ 14]   0.00-10.00  sec  8.64 GBytes  7.42 Gbits/sec                  receiver

iperf Done.
iperf3: interrupt - the server has terminated

 

Note:

The iPerf3 server embedded in the FortiGate is not a full-featured iPerf3 server.

It is only usable for interface tests between FortiGate ports; for anything else the FortiGate acts as an iPerf3 client towards an external server.

 

The test between ports shown above only exercises the basic function of the interfaces; it does not push real traffic/data across the link between them.

The figures it reports are therefore not a measurement of actual bandwidth.

 

In a multi-VDOM environment, run the test from the global VDOM.

 

Example:

 

FGT # config global
FGT (global) # diag traffictest run

 

Or

 

FGT (root) # sudo global diag traffictest run

 

  2. TCP/UDP traffic test against an iPerf3 server.

 

The iPerf3 server can be a public one or a privately set-up one. In this scenario the FortiGate acts as the iPerf3 client.


Assuming port1 is the WAN interface:

To test bandwidth between the FortiGate's port1 and an iPerf3 server (in this example the public iPerf3 server resolves to 45.154.168.155 and listens on ports 5200-5209), follow these steps.

When the FortiGate sends traffic to an external iPerf3 server, set both client-intf and server-intf to the same FortiGate interface (port1 here, the interface facing the server), and set the port to the one the server listens on:

 

diag traffictest client-intf port1        <- Define a FortiGate interface.
diag traffictest server-intf port1        <- Define a FortiGate interface.
diag traffictest port 5209                <- Define the iPerf3 port running on the iPerf3 server.
diag traffictest run -c 45.154.168.155    <- Run iPerf3 against the public 45.154.168.155 iPerf3 server.

 

The output should be similar to:

 

diag traffictest client-intf port1
client-intf:    port1
diag traffictest server-intf port1
server-intf:    port1
diag traffictest port 5209
port:   5209


diag traffictest run -c 45.154.168.155

 

[ 14] local 10.109.19.237 port 5201 connected to 45.154.168.155 port 5209
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[ 14]   0.00-1.01   sec  1.78 MBytes  14.8 Mbits/sec    2    198 KBytes
[ 14]   1.01-2.01   sec  3.56 MBytes  29.9 Mbits/sec   37    256 KBytes
[ 14]   2.01-3.01   sec  6.01 MBytes  50.4 Mbits/sec    0    304 KBytes
[ 14]   3.01-4.01   sec  6.73 MBytes  56.6 Mbits/sec    0    335 KBytes
[ 14]   4.01-5.01   sec  6.73 MBytes  56.4 Mbits/sec    0    354 KBytes
[ 14]   5.01-6.01   sec  6.78 MBytes  56.9 Mbits/sec    0    354 KBytes
[ 14]   6.01-7.01   sec  6.65 MBytes  55.8 Mbits/sec    0    363 KBytes
[ 14]   7.01-8.01   sec  6.77 MBytes  56.8 Mbits/sec    0    363 KBytes
[ 14]   8.01-9.01   sec  4.58 MBytes  38.4 Mbits/sec    5    187 KBytes
[ 14]   9.01-10.00  sec  6.07 MBytes  51.1 Mbits/sec    0    301 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[ 14]   0.00-10.00  sec  55.7 MBytes  46.7 Mbits/sec   44             sender
[ 14]   0.00-10.00  sec  55.5 MBytes  46.6 Mbits/sec                  receiver

iperf Done.
iperf3: interrupt - the server has terminated

 

UDP test:

 

By default the test uses TCP. Add -u to test UDP instead.

 

diagnose traffictest run -c 45.154.168.155 -u


Connecting to host 45.154.168.155, port 5209
[  9] local 178.17.233.36 port 11998 connected to 62.210.18.40 port 5209
[ ID] Interval           Transfer     Bandwidth       Total Datagrams
[  9]   0.00-1.01   sec   120 KBytes   976 Kbits/sec  15
[  9]   1.01-2.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   2.01-3.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   3.01-4.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   4.01-5.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   5.01-6.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   6.01-7.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   7.01-8.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   8.01-9.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   9.01-10.01  sec   128 KBytes  1.05 Mbits/sec  16
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Jitter    Lost/Total Datagrams
[  9]   0.00-10.01  sec  1.24 MBytes  1.04 Mbits/sec  0.074 ms  0/159 (0%)
[  9] Sent 159 datagrams

iperf Done.
iperf3: interrupt - the server has terminated.

 

If the speed test is run over UDP (parameter '-u'), change the target bandwidth: the iperf3 default for UDP is 1 Mbit/s (TCP is not rate-limited).

If it is not changed, the UDP run reports at most about 1 Mbit/s, as in the output above, which says nothing about the real capacity of the path.

 

This value can be modified with parameter '-b' as shown in the example below:

 

diagnose traffictest run -c <iperf_server_IP> -u -b 5G <- Bandwidth set to 5Gbit/s.
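The output of diag traffictest run is plain iperf3 client text, so runs captured from the CLI can be parsed and compared between tests. The following is an added Python example (not part of this article and not FortiOS code): it pulls the interval and summary rows out of TCP and UDP runs like those shown above and flags the conditions the article warns about, a UDP run still sitting at the 1 Mbit/s default, TCP retransmissions, UDP loss, and a rate that jumps between intervals. The sample outputs embedded in it are shortened excerpts of the runs printed above; the 1.5x stability threshold and the choice to ignore the first two intervals (TCP slow start) are assumptions made for illustration.

```python
"""Parse `diag traffictest run` output (iperf3 client text) and flag the
conditions this article warns about. Added example, not FortiOS code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_SCALE = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}
UDP_DEFAULT_BPS = 1e6   # iperf3's default UDP target rate when -b is not given

# One interval or summary row, e.g.
# "[ 14]   0.00-1.00   sec   648 MBytes  5.43 Gbits/sec    0    576 KBytes"
_ROW = re.compile(
    r"^\[\s*\d+\]\s+(?P<start>\d+\.\d+)-(?P<end>\d+\.\d+)\s+sec\s+"
    r"(?P<xfer>\d+(?:\.\d+)?)\s+(?P<xu>[KMG]?)Bytes\s+"
    r"(?P<bw>\d+(?:\.\d+)?)\s+(?P<bu>[KMG]?)bits/sec\s*(?P<rest>.*?)\s*$"
)
_UDP_SUM = re.compile(r"^(?P<jitter>\d+(?:\.\d+)?)\s+ms\s+(?P<lost>\d+)/(?P<total>\d+)")
_TCP_SUM = re.compile(r"^(?:(?P<retr>\d+)\s+)?(?P<role>sender|receiver)$")


@dataclass
class TrafficTestResult:
    protocol: str = "tcp"
    intervals: List[float] = field(default_factory=list)  # bits/s per interval row
    sender_bps: Optional[float] = None      # TCP "sender" summary row
    receiver_bps: Optional[float] = None    # TCP "receiver" row or the UDP summary row
    retransmits: Optional[int] = None       # Retr column of the TCP sender summary
    jitter_ms: Optional[float] = None       # UDP only
    lost: Optional[int] = None              # UDP only
    total: Optional[int] = None             # UDP only
    warnings: List[str] = field(default_factory=list)


def parse_traffictest(text: str) -> TrafficTestResult:
    r = TrafficTestResult()
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue                        # banner, column header, "iperf Done." etc.
        bps = float(m["bw"]) * _SCALE[m["bu"]]
        udp = _UDP_SUM.match(m["rest"])
        tcp = _TCP_SUM.match(m["rest"])
        if udp:                             # "0.074 ms  0/159 (0%)"
            r.protocol = "udp"
            r.jitter_ms = float(udp["jitter"])
            r.lost, r.total = int(udp["lost"]), int(udp["total"])
            r.receiver_bps = bps
        elif tcp:                           # "0    sender" / "receiver"
            if tcp["role"] == "sender":
                r.sender_bps = bps
                r.retransmits = int(tcp["retr"]) if tcp["retr"] is not None else None
            else:
                r.receiver_bps = bps
        else:                               # per-interval row (TCP cwnd or UDP datagrams)
            r.intervals.append(bps)
    _add_warnings(r)
    return r


def _add_warnings(r: TrafficTestResult) -> None:
    if not r.intervals:
        r.warnings.append("no iperf3 interval rows found in the output")
        return
    # Assumption: ignore the first two intervals (slow start) when judging stability.
    steady = r.intervals[2:] if len(r.intervals) >= 4 else r.intervals
    lo, hi = min(steady), max(steady)
    if lo > 0 and hi / lo > 1.5:
        r.warnings.append(f"unstable rate: {lo / 1e6:.1f}-{hi / 1e6:.1f} Mbit/s across intervals")
    if r.protocol == "udp":
        if r.receiver_bps is not None and r.receiver_bps <= UDP_DEFAULT_BPS * 1.05:
            r.warnings.append("UDP rate sits at the iperf3 default of 1 Mbit/s; rerun with -b <rate>")
        if r.total and r.lost:
            r.warnings.append(f"UDP loss {r.lost}/{r.total} ({100 * r.lost / r.total:.1f}%)")
    elif r.retransmits:
        r.warnings.append(f"{r.retransmits} TCP retransmissions reported by the sender")


# Shortened excerpts of the loopback and UDP runs printed in this article.
TCP_SAMPLE = """\
[ 14]   0.00-1.00   sec   648 MBytes  5.43 Gbits/sec    0    576 KBytes
[ 14]   1.00-2.00   sec   659 MBytes  5.53 Gbits/sec    0    576 KBytes
[ 14]   2.00-3.00   sec   660 MBytes  5.54 Gbits/sec    0    576 KBytes
[ 14]   7.00-8.00   sec  1.24 GBytes  10.7 Gbits/sec    0    576 KBytes
[ 14]   0.00-10.00  sec  8.64 GBytes  7.42 Gbits/sec    0             sender
[ 14]   0.00-10.00  sec  8.64 GBytes  7.42 Gbits/sec                  receiver
"""
UDP_SAMPLE = """\
[  9]   0.00-1.01   sec   120 KBytes   976 Kbits/sec  15
[  9]   1.01-2.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   2.01-3.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   3.01-4.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   0.00-10.01  sec  1.24 MBytes  1.04 Mbits/sec  0.074 ms  0/159 (0%)
"""

if __name__ == "__main__":
    for name, sample in (("loopback TCP", TCP_SAMPLE), ("UDP", UDP_SAMPLE)):
        res = parse_traffictest(sample)
        print(name, res.protocol, res.receiver_bps, res.warnings)
```

Paste the CLI output into a file and call parse_traffictest on its contents; the receiver-side figure is the one to compare between runs, since it is what actually arrived. The loopback excerpt trips the stability check (the rate jumps from about 5.5 to 10.7 Gbit/s mid-run), and the UDP excerpt is flagged as still running at the default 1 Mbit/s.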

 

To get more realistic results, use parallel streams with -P (the example below runs 10 parallel streams, combined with -R for the reverse direction):

 

   diag traffictest run -R -c 45.154.168.155 -P 10

 

By default iPerf3 sends data from the client to the server, so the runs above measure the FortiGate's upload direction. To generate traffic in the opposite direction (server to FortiGate, i.e. download), use the -R option:

 

diag traffictest run -R -c 45.154.168.155

 

When the FortiGate acts as an iPerf3 client against a real iPerf3 server, as shown above, it sends packets to measure the upload and (with -R) download speed.

The result is approximate rather than precise, because of the various overheads of running iPerf3 on the FortiGate itself.

iPerf3 functionality on the FortiGate is limited.

 

To measure actual throughput and establish an upload/download baseline, use an external iPerf3 server and client with the FortiGate in between.

Moreover, in a dual-WAN scenario the FortiGate always sends the test traffic via the best route in its routing table and that route's outgoing interface, so check which route the iPerf3 server's address takes before reading a result as belonging to a particular WAN link.

 

The iPerf3 client options supported on the FortiGate can be listed with this command:

 

diag traffictest run -h

 

Note:

The iPerf/iPerf3 servers are external services and are not operated or endorsed by Fortinet.