dan
New Contributor III

Fortigate 40F slow download - how to fix?

My download speed is 1GBit/s from the provider UPC here in Switzerland.

 

A PC (paviPC) attached to the provider's connect box (CB, a DOCSIS router) gets about 900MBit/s.

This is what I am looking for.

(paviPC <-- CB/p4-CB/cable <-- cnlab speed test server)

 

I got a Fortigate 40F (FG) to play and connected lan3 (hardware switch) to port 3 of the UPC CB router.
Looking at the specs, the FG-40F should easily handle the 1GBit/s download speed. But it seems not to...

 

Any PC (elitePC, zoePC, paviPC) connected to lan3 of FG only gets about 130MBit/s download speed max.
(PC <-- FG/lan3<-FG/wan <-- CB/p3<-CB/wan <-- cnlab speed test server)

 

I do not have any fancy firewall policy enabled. Just plain all/all/all from inside to outside without any UTM features.

 

Why is this so slow and how can I speed it up?

 

I test the download speed with the cnlab speedtest application (https://www.cnlab.ch/speedtest) from different PCs (paviPC, zoePC, elitePC).


To check the port speeds, I did several speed tests with iperf3 using FG as a client, connecting to my 3 test PCs via the LAN port (i.e. diag traffictest run -c 192.168.1.204). On the PCs I downloaded iperf3 and started the server session.

 

Results:

  • elitePC   333 MBit/s     (Lots of retries, I believe the CAT5e cable is bad and I will exchange it soon)
  • zoePC    580 MBit/s     CAT 5e (no retrans errors, but I will replace this cable too)
  • paviPC   736 MBit/s     CAT6

 

To test the WAN port speed, I used paviPC as an iperf3 client and connected to FG (running the iperf3 server) via a 1GB switch.

 

Result:

  • paviPC 887 MBit/s     CAT6

 

(same is also possible by using the -R option: diag traffictest run -R -c 192.168.0.50)

 

I conclude from this that the LAN cabling is not optimal, but far beyond just 120 MBit/s.

The Fortigate 40F is apparently stalling the connections, which is probably the cause of the slow download.


I tried different settings on the FG to increase throughput

  • checking duplex mismatch issues
  • connection on WAN and lan3 port is 1000full (full-duplex), also tested with setting the interface mode from auto to 1000full
  • connected via dumb switch to fix potential half-full-duplex issues
  • double checked with "dia har dev nic wan" and "dia har dev nic lan3"
  • cpu and memory load in FG is very low when doing speed tests
  • reset FG completely and reconfigured
  • FW version 6.4.8, fully under support with subscriptions, NGFW Mode = Profile-based
  • no logging (same results with logging, though)
  • played around with different MTU settings on wan side
  • applied guaranteed bandwidth (adapted https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Issue-with-outbound-upload-traffic-s... for download)

 

Nothing I tried so far was bumping the speed above 130 MBit/s.

 

What else could I try on the FG?

 

Thanks

Dan

 


References:
https://fusecommunity.fortinet.com/blogs/yuri1/2020/10/30/fortigate-built-in-iperf-tool-network-diag...
https://community.fortinet.com/t5/Fortinet-Forum/Slow-Internet/m-p/154183?m=164588
https://community.fortinet.com/t5/Fortinet-Forum/diagnose-traffictest/m-p/152702?m=146386
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-perform-bandwidth-tests/ta-p/197784...
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Issue-with-outbound-upload-traffic-s...
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortigate-fortiwifi-40f-series.pdf

 

 

AlexC-FTNT
Staff

Hello Dan,

Here are a few places/ideas to check:

- policy mode: flow/proxy

- utm enabled or disabled in the policy (set utm disable)

- fragmentation: honor-df flag in settings if unnecessary fragmentation seen

- configuration: remove/unset internal switch

 

Ultimately, consider that the Datasheet values are cumulative, so a 600Mbps Threat protection is likely measured on a multi-thread/multiple ports test, with certain inspection profiles added. Last, but not least, the 40F is a small unit and lacks any dedicated NP processor that may speed up the connection - all traffic is handled by the SoC (CPU).


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
dan
New Contributor III

Thanks Alex, I will try this tonight and give feedback.
So far:
- policy mode is flow
- utm is already disabled


dan
New Contributor III

@AlexC-FTNT , I was not able to improve the speed significantly. 

  • policy mode: flow/proxy
    • Policy mode is flow. 
  • utm enabled or disabled in the policy (set utm disable)
    • No UTM configured and disabled
    • I did not see any increase in speed.
  • fragmentation: honor-df flag in settings if unnecessary fragmentation seen
    • No fragmentation was seen. I tried the honor-df flag anyway, but I did not see any improvement in speed.
  • configuration: remove/unset internal switch
    • I indeed had the LAN connected to the default switch of the FG. I moved the LAN connection over to a dedicated interface and tested again.
    • No speed increase, unfortunately.

As this FG is under support, would it make sense to open a support ticket?

Dan

 

AlexC-FTNT

It makes sense to open a ticket for it so we can keep track of these issues, but it is likely that you will receive a similar reply after some troubleshooting data is collected. As I also mentioned above, the speed may be significantly increased (or approaching datasheet values) by using multiple parallel threads in iperf testing. So this is another test you could run (-P 4 / -P 6...)


diditn
New Contributor

Hi dan,

I have the same issue.

Did you find a solution, please?

Thanks

dan
New Contributor III

Hi @diditn

In my case it turned out to be a stupid cabling issue. I should have seen that before, but I only caught it when I did the cabling of the whole rack from scratch.

Dan
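
Added example, not written by any poster in this thread: a small triage of per-link iperf3 results that separates links losing packets (typical of a bad cable, as in the outcome above) from links that are merely slow. It assumes the tests are run from a PC with `iperf3 -J` (JSON output); the sample results are constructed, and the 1000 Mbit/s nominal speed and both thresholds are assumptions to tune.

```python
import json

# Constructed `iperf3 -J` results, trimmed to the fields used below.
# Figures are illustrative, loosely modelled on the numbers in the thread.
SAMPLES = {
    "elitePC": '{"end": {"sum_sent": {"seconds": 10.0, "retransmits": 412},'
               ' "sum_received": {"bits_per_second": 331500000.0}}}',
    "zoePC": '{"end": {"sum_sent": {"seconds": 10.0, "retransmits": 0},'
             ' "sum_received": {"bits_per_second": 580000000.0}}}',
    "paviPC-wan": '{"end": {"sum_sent": {"seconds": 10.0, "retransmits": 0},'
                  ' "sum_received": {"bits_per_second": 887000000.0}}}',
}


def summarize(raw):
    """Extract receiver throughput and sender retransmits from one TCP test."""
    end = json.loads(raw)["end"]
    sent = end["sum_sent"]
    seconds = sent.get("seconds", 0.0)
    # "retransmits" may be missing (for example in UDP tests); treat as 0.
    retrans = sent.get("retransmits", 0)
    return {
        "mbps": round(end["sum_received"]["bits_per_second"] / 1e6, 1),
        "retransmits": retrans,
        "retrans_per_sec": round(retrans / seconds, 1) if seconds else 0.0,
    }


def classify(summary, link_mbps=1000, min_ratio=0.8, max_retrans_per_sec=5.0):
    """Assumed thresholds: >5 retransmits/s means loss; <80% of nominal is slow."""
    if summary["retrans_per_sec"] > max_retrans_per_sec:
        return "loss"          # check cable, connectors, duplex first
    if summary["mbps"] < link_mbps * min_ratio:
        return "slow-no-loss"  # check negotiation, NIC, endpoint limits
    return "ok"


def triage(samples):
    """Classify every tested link so the weakest segment stands out."""
    return {name: classify(summarize(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:12s} {summarize(SAMPLES[name])} -> {verdict}")
```
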

 

diditn
New Contributor

Thanks dan.

I will check the cables with CAT6 and try again.

Thank you very much.