FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Biraman
Staff
Staff
Article Id 306488
Description This article describes a known issue where network throughput decreases substantially when passing through the FortiGate 200F, 400F, or 600F models. The issue most frequently occurs when traffic passes from a higher-speed interface to a slower-speed interface (i.e. 10Gb to 1Gb), but the issue has also been known to occur in 1Gb to 1Gb scenarios.
Scope

FortiGate-200F/201F, 400F/401F, 600F/601F.

Solution

The permanent fix is to Upgrade the FortiOS to 7.2.8 or 7.4.4.

However, for 400F/401F/600F/601F units, the following workaround can be used if upgrading is not an option.

 

For 200F/201F These commands are only available from 7.2.8/7.4.2 or above, So those devices will not be able to implement a workaround.

 

diag sys mvl cli

    configure

        interface range ethernet 0/4-31

        tail-drop packet-limit 4095 buffer-limit 65535 alpha 0.0

        tail-drop-queue queue all dp all packet-limit 512 buffer-limit 4096 alpha 0.0

end

    CLIexit       <----- To exit Marvell CLI.

 

This issue is reported as a Known issue of 910829 (LAN to WAN poor throughput) and 965482 (SSL VPN throughput issue).

This workaround is not persistent between reboots, nor is it synchronized between HA FortiGates (i.e. the command must be applied on a per-device basis and executed again after reboot).

The workaround is safe to run during production, as it simply increases the upper-limit for the amount of shared buffer that each switch port may use. There is also no disruption to existing traffic when the commands are run.