do I have a lot of IP4 Policies and UTM stuff going on.

 

what exactly?

IMHO ( probably can't be done now ), you should really benchmark these b4 they are in production and carrying traffic

iperf3/D-ITG for example  and a simple traffic flow  in/out out/in with and without a utmprofile. Than you have a baseline on the raw thruput.

next, place two FGT back-2-back and set a simple IPSEC-tunnel, again iperf3/D-ITG for  packet generation and gather a benchmark with and|or withut utm profiles

just my 2cts

FWIW we have FGT900D running over 2-3gbps during the day, no UTMprofiles enabled, no ipsec/sslvpn. We are using 10GIGE interfaces only. It's a powerful box for sure.

Ken

By the way, 900D seems to have two NP6s for encryption/decryption acceleration just like our 1500Ds. That means other firewall features wouldn't affect much to vpn throughput as long as they're handed off to an NP6. Although I don't think it's the main factor for your situation right now because the number is way lower than any performance issues (I believe in significant packet loss somewhere), I want to point out that which port you use for in and out along the path encrypted/decrypted packets go through actually affect to the vpn performance especially under multi-vdom environment. We had to change our design to use only one NP6 (out of two) not to cause any handoff between NP6_0 to/from NP6_1 involving the CPU for the same packet.

Check the documentation below for the 900D section and review your design if it's optimum.

http://docs.fortinet.com/...re-acceleration-54.pdf

When you do speedtest, pay attention to how the test packets get to/come out of the test server. We had some customers who got AT&T ASE circuits at their location and coming into our network before getting out to the internet (we are a part of their internet circuit although AT&T provides the "last mile") and had been having the speed issue for one direction. Those commonly ended up AT&T equipment having duplex mismatch at the last hop.

If you don't mind, please post the outcome of FTNT investigation. We in the past went through L1->L2->L3 escalations that took several months and found no problem on both sides of FGs.

To late to benchmark.

I do have a question about how the UTM performance levels are calculated.

The 900D has 32 1-GB Ports and 2 10-GB Ports and because we purchased the 900D to do internal segmentation to limit PCI-DSS scope.

 As I read the Fortigate 900D data sheet I see that the Firewall is rated at 52GBps but the IPS is 4.2 GBps, NGFW 4 GBps and Threat Protection is at 3 GBps so what does that mean?

Looking at the IP4 Policies and sorting them by sequence I show 454 different IP4 Policies sequences. I know that's a lot of policies.

So some policies have IPS, NGFW, etc applied others don't does it matter how many of the policies have UTM features enabled or do these ratings mean that if a policy has a UTM applied is that the total throughput for a UTM period.

If I have NGFW applied to all 454 sequences would the total throughput across all be 4GBps total or 8.8 Mbps per Policy sequence 

As I read the Fortigate 900D data sheet I see that the Firewall is rated at 52GBps but the IPS is 4.2 GBps, NGFW 4 GBps and Threat Protection is at 3 GBps so what does that mean?

Using industry  benchmark and packets sizes 64-1500 you have 52gig if you ran it as a pure FW &  with no UTM. As soon as you run any of the other features,   you thru-put will drop to the level listed.

If I have NGFW applied to all 454 sequences would the total throughput across all be 4GBps total or 8.8 Mbps per Policy sequence

Not following your logic , but the thru-put is not per fw-policy  or IP, but by that the total thruput if NGFW  features are used and max at 4Gbps

BTW FTNT over rate the products at best real-world value imho.I would look for a 3rd party benchmark  report like those from  NSSlanbs or so if you want real-life numbers.

Or

You have to put together you own demo. I would not take the word of the FTNTsalesTeam without  validation. Review and Validation is what you need ;)

And finally  454 fwpolicy is nothing, I'm currently login to a FGT-FW  now &  that has  12359k policies

Ken

Thanks Ken,

You managed to answer my badly formatted questions.

and hearing that my policy count didn't cause your hair light on fire was reassuring.

I'll post an update after Fortigate support is done having me send test results

-Steve

Are you checking hardware stats to make sure all NPU/CPU/ASIC etc are fine? I had a case where a Gate was nuking itself because the two heavily used ports were on the same CPU and it was causing issues.

Please do keep us updated on this though. Would like to see the cause of your issue.