Hi Fortinet Community
I need some clarification on Forward Error Correction.
Does FortiGate VMs support Forward Error Correction (FEC)?
As per understanding NP, SOC3 or SOC4 one of the chips should be present in the FortiGate device to enable FEC and FEC can be enabled only on FortiGate physical devices as the mentioned chip will be present in physical devices.
Thanks.
Solved! Go to Solution.
Hello Ajay,
When FEC is enabled, FortiGate needs to generate and process these redundant packets, which requires additional CPU resources. Additionally, the increased number of packets being processed can also impact memory usage.
To mitigate the impact on CPU and memory, you can consider the following options:
Adjust the FEC settings: FortiGate provides various FEC settings that can be adjusted based on your specific requirements. These settings include the amount of redundancy added to the packets and the FEC algorithm used. Experimenting with different settings can help find a balance between data reliability and resource consumption.
Evaluate network conditions: The need for FEC depends on the network conditions and the reliability of your network links. If you have stable and high-quality connections, you might reassess the necessity of enabling FEC. Disabling FEC in scenarios where it's not required can help reduce the resource consumption.
Load balancing: If your FortiGate is utilizing an SD-WAN or load balancing configuration, you can distribute the traffic across multiple WAN links. By doing so, the load caused by FEC can be spread across different interfaces, reducing the strain on a single CPU.
It's important to note that the impact of enabling FEC can vary depending on factors such as network traffic volume, specific FortiGate model, and firmware version. Therefore, it's advisable to consult the Fortinet documentation for guidance specific to your FortiGate appliance and configuration.
regards,
Shilpa C P
As per the below document in order to be able to enable forward error correction, the npu-offload has to be disabled first. Which means you don't need an NP and ideally it should work with VM device. Are you facing any issues?
# config vpn ipsec phase1-interface
edit <name>
set npu-offload disable
end
Hi @srajeswaran
When we enable Forward Error Correction (FEC) in FortiGate, it will utilize lots of CPU as redundant packets gets generated and memory. That why I raised the query.
Hello Ajay,
When FEC is enabled, FortiGate needs to generate and process these redundant packets, which requires additional CPU resources. Additionally, the increased number of packets being processed can also impact memory usage.
To mitigate the impact on CPU and memory, you can consider the following options:
Adjust the FEC settings: FortiGate provides various FEC settings that can be adjusted based on your specific requirements. These settings include the amount of redundancy added to the packets and the FEC algorithm used. Experimenting with different settings can help find a balance between data reliability and resource consumption.
Evaluate network conditions: The need for FEC depends on the network conditions and the reliability of your network links. If you have stable and high-quality connections, you might reassess the necessity of enabling FEC. Disabling FEC in scenarios where it's not required can help reduce the resource consumption.
Load balancing: If your FortiGate is utilizing an SD-WAN or load balancing configuration, you can distribute the traffic across multiple WAN links. By doing so, the load caused by FEC can be spread across different interfaces, reducing the strain on a single CPU.
It's important to note that the impact of enabling FEC can vary depending on factors such as network traffic volume, specific FortiGate model, and firmware version. Therefore, it's advisable to consult the Fortinet documentation for guidance specific to your FortiGate appliance and configuration.
regards,
Shilpa C P
Hi @Shilpa11,
Thanks for your reply. I have understood how to configure the FEX in fortigate but how does FEC work in FortiGate (Workflow)? Is there any document to refer else can you tell it?
Once FEC Enabled in VPN tunnels - All the traffic passing through that tunnel is treated as FEC packets or
When we enable FEC in firewall policy for that particular source and destination only FEC will be applied?
Can you tell me the working flow of a packet with FEC for both VPN and firewall policy?
Hi @srajeswaran,
Thanks for your swift reply. Basically, FortiGate utilize lots of resources of it when FEC or Packet duplication is enabled.
Hi Ajay,
May I know how many tunnels are configured with FEC and what's the traffic rate on these tunnels?
Also it would be a good idea to modify the current values configured under FEC and monitor.
Hi @srajeswaran,
There are totally 4 dial-up VPN tunnels between hub and spoke. Is there any data sheet available to be consider while enabling FEC with information of minimum CPU, RAM ?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.