FortiGate
apoojary
Staff
Article Id 341499
Description

This article describes how to troubleshoot a slowness issue caused by packet drops on FortiGate firewalls with NP6 models that do not have an ISF (Integrated Switch Fabric).

Scope

Only NP6 models without an ISF are affected by this issue.

Solution

This applies when slowness is observed for traffic going from a 10G link to a 1G link, a sniffer capture shows retransmissions, the sequence numbers of the dropped packets are seen leaving the FortiGate, and 'diagnose npu np6 dce' shows no drops in the NPU, yet it is confirmed (for example with a SPAN capture on the switch, or by other means) that the FortiGate is dropping the packets.

Check the speed of the incoming and outgoing interfaces and their mapping to the NPU with the following commands:

diagnose hardware deviceinfo nic <portno>
diagnose npu np6 port-list

Then refer to the fast path architecture of the model and check whether an ISF is present on those ports. If not, run the following commands:

diagnose npu np6 gmac-stats 0 <----- For the 1G link.
diagnose npu np6 xgmac-stats 0 <----- For the 10G link.

If the TX_XPX_QFULL counter is incrementing, the transmit buffer is filling up under burst traffic and packets are being dropped.
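The check above is a comparison of two samples of the counter output taken some time apart. The following script is an added example (not Fortinet's code) that parses two snapshots and reports how much TX_XPX_QFULL grew; the "NAME : value" line format and the two snapshots are assumed and constructed for illustration, so adapt the regex to the real output of your device.

```python
import re

# Assumed output format for 'diagnose npu np6 xgmac-stats <np6-id>': one
# "COUNTER_NAME : value" pair per line. The two snapshots below are constructed
# sample data, not real device output.
SNAPSHOT_BEFORE = """
TX_XPX_QFULL   : 1200
TX_PKTS        : 98000000
RX_PKTS        : 97500000
RX_CRC_ERR     : 0
"""
SNAPSHOT_AFTER = """
TX_XPX_QFULL   : 1875
TX_PKTS        : 99100000
RX_PKTS        : 98600000
RX_CRC_ERR     : 0
"""

COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(\d+)\s*$")


def parse_counters(text):
    """Return {counter_name: int} for every line that matches the assumed format."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def counter_deltas(before, after):
    """Increase of each counter present in both snapshots (after minus before)."""
    return {name: after[name] - before[name] for name in after if name in before}


def queue_full_drops(before_text, after_text, counter="TX_XPX_QFULL"):
    """Growth of the queue-full counter between two snapshots.

    A positive value means the egress buffer filled on burst traffic and packets
    were dropped during the interval, which is the signature this article describes.
    """
    deltas = counter_deltas(parse_counters(before_text), parse_counters(after_text))
    return deltas.get(counter, 0)


if __name__ == "__main__":
    growth = queue_full_drops(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    if growth > 0:
        print(f"TX_XPX_QFULL grew by {growth}: egress queue-full drops on burst traffic")
    else:
        print("TX_XPX_QFULL is stable: look elsewhere for the drops")
```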

This is a hardware limitation.

The only solution is to move to NP7 models, or to NP6 models that have an ISF, or to use a 10G to 10G link.

Workaround

To mitigate this issue, apply the following change:

config system npu
    set host-shortcut-mode host-shortcut
end

Related document:

Optionally disable NP6 offloading of traffic passing between 10Gbps and 1Gbps interfaces