Diag Traffictest

raphaejaoliveira · ‎12-07-2020

Hi.

I am need test the MPLS bandwidth. For this I am use diagnose traffic test, in fortigate 100E and 200e the test was wll, but when a tried from fortigate 60E or 40F the test fail.

When a execute "diag traffic -c x.x.x.x

[image][/image]

How can I use traffictest when the interface name is "internalX" and not "portX"??

Toshi_Esumi · ‎12-07-2020

My understanding based on this KB is "diag traffictest" runs iperf test between an ingress port to an egress port, inside of the FGT. It doesn't test against a circuit.

https://kb.fortinet.com/kb/documentLink.do?externalID=FD45599

What you need to have to test a circuit terminated at a FGT is a pair of iperf servers, one located on the other end of the circuit and one behind the FGT, then test performance anything in-between, which is difficult to do if you can't place anything inside of MPLS provider's network behind the PE.

By the way, I don't see the "-c" option under diag traffictest. Maybe you're talking about a different command?

xxx-fg1(6.2.6) # diag traffictest ? show Traffic settings show run Start traffic. server-intf Server interface. client-intf Client interface. port TCP or UDP port number (0 - 65535). proto 0 for TCP or 1 for UDP (default = 0).

raphaejaoliveira · ‎12-15-2020

Hi Toshi.

Is possible you use Diag Traffictest between fortigate and a remote desk top with Iperf how server.

I used he and I have success.

Toshi_Esumi · ‎12-15-2020

I tested with the way Ken suggested, and with iper3 server-side (means not-client-side) running on a Fedora machine. I was remotely operating it but the remote access didn't use the test path (out of band).

Still that path, just a cable, showed only a half of the interface speed, while the sever to another server showed close to full speed.

If you set up the environment carefully, you should be able to do the same to see what kind of number you can get.

Yurisk · ‎12-15-2020

Just for the reference and for anyone who happens to be banned by Google :) :

https://kb.fortinet.com/kb/documentLink.do?externalID=FD45599

https://yurisk.info/2020/01/24/fortigate-iperf-traffic-test-built-in-client-cli/

https://weberblog.net/iperf3-on-a-fortigate/

https://www.infosecmonkey.com/2020/05/14/built-in-iperf-on-the-fortigate-firewall/

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.

Toshi_Esumi · ‎12-15-2020

Thanks Yuri for sharing. I didn't pay attention to CPU usage.

Toshi_Esumi · ‎12-07-2020

I didn't read the KB entirely.

#diag traffictest run -c 89.84.1.222 was described. So you're saying changing client-interface name doesn't work?

[size="2"]#diag traffictest client-intf interface_name [/size]

Toshi_Esumi · ‎12-07-2020

I see what you're seeing. When I tried it on a 60E, it says:

Can not find interface:port1

I need to wait what others have to say about it too. Or need to open a ticket with TAC.

brycemd · ‎12-07-2020

You have to set both a server and client interface or else it defaults to port1

Toshi_Esumi · ‎12-07-2020

So you're saying to test with an external iperf server, the FGT model needs to have "port1" like upper models (3 digit models or higher)?