Hey All,
Just got a 60F and putting it through the paces. I am noticing high mem around 60% and if NP does anything it basically goes to conserve mode and I need to reboot. Scoured the cookbook and other googles and can't seem to find a good NPU best practice.
Wondering if anyone else has played with this at all. Using at home, about 10 policies, 2 of which do actual filtering.
Just wondering thoughts.
James_G wrote:
I think you are spot on, f series were released with 6.2 and had 6.0 back ported, it's not perfect and some of the hardware acceleration does not work on 6.0. The throughput values in the spec are for 6.2 and higher.
This is an interesting notion given the 60Fs are shipping from the factory with v6.0.6 loaded. One would expect FNT to put the device's 'native' FortiOS the device was engineered around.
Their ISP pipe is around 240-260Mbps. I was able to hit 250Mbps with a 200D (as a temporary test, proxy-mode enabled). I imagine I should get at least another 100Mbps in flow mode vs. proxy but did not want to take that hit, UTM functionality wise. Definitely will try 6.2.x afterwards to see how much faster 6.2.x is on the SoC4 chipset.
I feel I now remember a post earlier in the year in which someone from FNT (and I think the comment was later deleted) advised to not purchase the 40/60F as they are running the exact same CPU/NP chipset but with significantly lower available memory, essentially crippling throughput...but then are still able to use the same numbers on the datasheets due to the capabilities of SoC4? Does this ring a bell for anyone?
I think 6.2.3 will get you the performance you are looking for. 6.2.4 is too buggy IMO.
I did not see that post, but while they are very close in spec they are not the exact same. I guess the biggest difference is 8 CPU vs 4 CPU, the RAM is pretty negligible. I have access to both models:
40F:
Model name: FortiGate-40F
ASIC version: SOC4
CPU: ARMv8
Number of CPUs: 4
RAM: 1820 MB
EMMC: 3662 MB(MLC) /dev/mmcblk0
Hard disk: not available
USB Flash: not available
Network Card chipset: FortiASIC NP6XLITE Adapter (rev.)

60F:
Model name: FortiGate-60F
ASIC version: SOC4
CPU: ARMv8
Number of CPUs: 8
RAM: 1919 MB
EMMC: 3662 MB(MLC) /dev/mmcblk0
Hard disk: not available
USB Flash: not available
Network Card chipset: FortiASIC NP6XLITE Adapter (rev.)

And the 100F:
Model name: FortiGate-100F
ASIC version: SOC4
CPU: ARMv8
Number of CPUs: 8
RAM: 3616 MB
EMMC: 3662 MB(MLC) /dev/mmcblk0
Hard disk: not available
USB Flash: not available
Network Card chipset: FortiASIC NP6XLITE Adapter (rev.)
IMO, the 60F is in a bit of an odd position in the lineup when the 80F comes out. 80F will have dual PSU, SFP support, and more RAM
brycemd wrote:
I think 6.2.3 will get you the performance you are looking for. 6.2.4 is too buggy IMO.
Thanks for this info - very interesting. The CPUs are running like a charm, rarely spiking to 20-30% if that. The problem is the memory is at a constant 58-65%. IMO the 60F should have the same number of CPUs as the 40F but with double or at least 1G more memory as the CPUs can clearly handle traffic given the offloading assistance they receive from the SoC4.
Did you apply 6.2.3? Did it help?
Also have you tried the config setting for IPS engine setting to basic?
Could be due to more CPUs available in the 60F, thus more ipsengine daemons per CPU are running. As far as I know, a feature is being merged recently to reduce IPS engine memory usage by approximately 50% (with the same configuration). Also, 'config ips global --> engine-count' can be set. This would limit the max number of running IPS daemons and save memory. Ideally, running as many IPS daemons as CPUs could help in parallel processing of all incoming network traffic. Can tune this to balance memory and CPU usage/performance based on preference.
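Added example, not part of the post above and not Fortinet tooling: a short Python script that parses the hardware summaries posted earlier in this thread and compares total RAM per CPU, on the assumption stated in the post that one IPS engine runs per CPU by default. The `engines_for_budget` helper is a hypothetical heuristic for picking a starting `engine-count` to test, not vendor sizing guidance.

```python
import re

# Hardware summaries as posted in this thread (trimmed to the fields used here).
POSTED = """
Model name: FortiGate-40F ASIC version: SOC4 CPU: ARMv8 Number of CPUs: 4 RAM: 1820 MB
Model name: FortiGate-60F ASIC version: SOC4 CPU: ARMv8 Number of CPUs: 8 RAM: 1919 MB
Model name: FortiGate-100F ASIC version: SOC4 CPU: ARMv8 Number of CPUs: 8 RAM: 3616 MB
"""

RECORD = re.compile(
    r"Model name:\s*(?P<model>\S+).*?"
    r"Number of CPUs:\s*(?P<cpus>\d+)\s+RAM:\s*(?P<ram>\d+)\s*MB"
)

def parse_hardware(text):
    """Return {model: (cpus, ram_mb)} for every hardware record in the text."""
    return {m["model"]: (int(m["cpus"]), int(m["ram"]))
            for m in RECORD.finditer(text)}

def ram_per_engine(ram_mb, engines):
    """Total RAM divided by the number of IPS engine processes, in MB."""
    if engines < 1:
        raise ValueError("engine count must be at least 1")
    return ram_mb / engines

def engines_for_budget(ram_mb, cpus, budget_mb):
    """Hypothetical heuristic: largest engine count (1..cpus) that still
    leaves at least budget_mb of total RAM per engine."""
    return max(1, min(cpus, int(ram_mb // budget_mb)))

def report(text, reference="FortiGate-40F"):
    """Rows of (model, cpus, ram_mb, mb_per_cpu, engine_count_to_test),
    using the reference model's RAM-per-CPU ratio as the budget."""
    hw = parse_hardware(text)
    ref_cpus, ref_ram = hw[reference]
    budget = ram_per_engine(ref_ram, ref_cpus)
    return [(model, cpus, ram, round(ram_per_engine(ram, cpus)),
             engines_for_budget(ram, cpus, budget))
            for model, (cpus, ram) in hw.items()]

if __name__ == "__main__":
    for model, cpus, ram, per_cpu, engines in report(POSTED):
        print(f"{model:15} cpus={cpus} ram={ram}MB "
              f"ram/cpu={per_cpu}MB engine-count to test={engines}")
```

On the posted figures the 60F has roughly half the RAM per CPU of the 40F and 100F, which fits the suggestion that the per-CPU engine count is what pushes it toward conserve mode.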
darwin wrote:
Could be due to more CPUs available in the 60F, thus more ipsengine daemons per CPU are running. As far as I know, a feature is being merged recently to reduce IPS engine memory usage by approximately 50% (with the same configuration). Also, 'config ips global --> engine-count' can be set. This would limit the max number of running IPS daemons and save memory. Ideally, running as many IPS daemons as CPUs could help in parallel processing of all incoming network traffic. Can tune this to balance memory and CPU usage/performance based on preference.
Hi darwin, would love to know what release we might expect to see the new IPS code. I've just pushed the order button on some 100f units that mainly just do IPS. Ta :)
For FOS v6.4, just request IPS package v6.0.30 or later from TAC.
This is a new feature tracked by mantis 0613814: Reduce IPS memory consumption.
It is still being backported to FOS v6.2/6.0 later on as one of the major features (not available yet currently, more testing likely pending).
Hopefully it would make it to the next IPS official public release for FOS v6.2/v6.0 (can't ascertain this).
Thanks - super helpful