FortiGate
ppatel (Staff)

Description


This article describes how to use the diag traffictest command for the following purposes:

 

- Loopback test.

- TCP/UDP traffic test.


External resources
Publicly available iPerf/iPerf3 Servers- https://iPerf.fr/iPerf-servers.php
Iperf binaries and executables - https://iPerf.fr/iPerf-download.php

Solution


The FortiGate firewall has a built-in iPerf3 client and a limited embedded iPerf3 server.

1) Perform a loopback test between two different FortiGate ports:

 

A loopback test is a simple method to determine whether a circuit is functioning at a basic interface level.

It is used to determine whether transmitted signals return to the sender.

 

It can also be used between two ports that are in two different VDOMs to verify connectivity at the hardware level.

 

# diag traffictest server-intf port2        <----- Define FortiGate interface.
# diag traffictest client-intf port1        <----- Define FortiGate interface.
# diag traffictest run                      <----- Run iPerf3.

 

The output should be similar to:

 

FGT # diag traffictest run
Connecting to host 10.109.19.237, port 162
[ 14] local 10.139.3.237 port 13398 connected to 10.109.19.237 port 162
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[ 14]   0.00-1.00   sec   648 MBytes  5.43 Gbits/sec    0    576 KBytes
[ 14]   1.00-2.00   sec   659 MBytes  5.53 Gbits/sec    0    576 KBytes
[ 14]   2.00-3.00   sec   660 MBytes  5.54 Gbits/sec    0    576 KBytes
[ 14]   3.00-4.00   sec   664 MBytes  5.58 Gbits/sec    0    576 KBytes
[ 14]   4.00-5.00   sec   662 MBytes  5.56 Gbits/sec    0    576 KBytes
[ 14]   5.00-6.00   sec   655 MBytes  5.49 Gbits/sec    0    576 KBytes
[ 14]   6.00-7.00   sec  1.11 GBytes  9.53 Gbits/sec    0    576 KBytes
[ 14]   7.00-8.00   sec  1.24 GBytes  10.7 Gbits/sec    0    576 KBytes
[ 14]   8.00-9.00   sec  1.23 GBytes  10.5 Gbits/sec    0    576 KBytes
[ 14]   9.00-10.00  sec  1.21 GBytes  10.4 Gbits/sec    0    576 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[ 14]   0.00-10.00  sec  8.64 GBytes  7.42 Gbits/sec    0             sender
[ 14]   0.00-10.00  sec  8.64 GBytes  7.42 Gbits/sec                  receiver

iperf Done.
iperf3: interrupt - the server has terminated

 

Note:

The iPerf3 server on the FortiGate cannot be used as a full-featured iPerf3 server.

It can be used only for interface tests between FortiGate ports, or the FortiGate can act as a client towards an external server.

 

The test between ports, as shown above, checks only the basic function of the interfaces; it does not send any actual traffic/data between them.

Thus, it will not provide real bandwidth metrics.

In a multi-VDOM environment, run the test at the global level.

2) TCP/UDP traffic test against an iPerf server.

 

The iPerf server can be a public one or a privately set up one. The FortiGate acts as the iPerf3 client in this scenario.


Assuming port1 is the WAN interface:

To test bandwidth between the FortiGate's port1 and an iPerf3 server (the main iPerf3 server resolves to 45.154.168.155 and listens on ports 5200-5209), follow these steps.

 

Steps:

To use the FortiGate to send traffic to another iPerf3 server, the traffictest client and server interfaces must be set to the same port:

 

# diag traffictest client-intf port1        <----- Define FortiGate interface.
# diag traffictest server-intf port1        <----- Define FortiGate interface.
# diag traffictest port 5209                <----- Define iPerf3 port running on the iPerf3 server.
# diag traffictest run -c 45.154.168.155    <----- Run iPerf3 against the public 45.154.168.155 iPerf3 server.

 

The output should be similar to:

 

FGT # diag traffictest client-intf port1
client-intf:    port1
FGT # diag traffictest server-intf port1
server-intf:    port1
FGT # diag traffictest port 5209
port:   5209


FGT # diag traffictest run -c 45.154.168.155

 

[ 14] local 10.109.19.237 port 5201 connected to 45.154.168.155 port 5209
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[ 14]   0.00-1.01   sec  1.78 MBytes  14.8 Mbits/sec    2    198 KBytes
[ 14]   1.01-2.01   sec  3.56 MBytes  29.9 Mbits/sec   37    256 KBytes
[ 14]   2.01-3.01   sec  6.01 MBytes  50.4 Mbits/sec    0    304 KBytes
[ 14]   3.01-4.01   sec  6.73 MBytes  56.6 Mbits/sec    0    335 KBytes
[ 14]   4.01-5.01   sec  6.73 MBytes  56.4 Mbits/sec    0    354 KBytes
[ 14]   5.01-6.01   sec  6.78 MBytes  56.9 Mbits/sec    0    354 KBytes
[ 14]   6.01-7.01   sec  6.65 MBytes  55.8 Mbits/sec    0    363 KBytes
[ 14]   7.01-8.01   sec  6.77 MBytes  56.8 Mbits/sec    0    363 KBytes
[ 14]   8.01-9.01   sec  4.58 MBytes  38.4 Mbits/sec    5    187 KBytes
[ 14]   9.01-10.00  sec  6.07 MBytes  51.1 Mbits/sec    0    301 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[ 14]   0.00-10.00  sec  55.7 MBytes  46.7 Mbits/sec   44             sender
[ 14]   0.00-10.00  sec  55.5 MBytes  46.6 Mbits/sec                  receiver

iperf Done.
iperf3: interrupt - the server has terminated

 

UDP test:

 

By default, the FortiGate tests TCP; it is possible to run a UDP test with -u.

 

FGT # diagnose traffictest run -c 45.154.168.155 -u


Connecting to host 45.154.168.155, port 5209
[  9] local 178.17.233.36 port 11998 connected to 62.210.18.40 port 5209
[ ID] Interval           Transfer     Bandwidth       Total Datagrams
[  9]   0.00-1.01   sec   120 KBytes   976 Kbits/sec  15
[  9]   1.01-2.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   2.01-3.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   3.01-4.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   4.01-5.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   5.01-6.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   6.01-7.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   7.01-8.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   8.01-9.01   sec   128 KBytes  1.05 Mbits/sec  16
[  9]   9.01-10.01  sec   128 KBytes  1.05 Mbits/sec  16
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Jitter    Lost/Total Datagrams
[  9]   0.00-10.01  sec  1.24 MBytes  1.04 Mbits/sec  0.074 ms  0/159 (0%)
[  9] Sent 159 datagrams

iperf Done.
iperf3: interrupt - the server has terminated.

 

By default, iperf SENDS data to the remote host, so in this case the FortiGate's UPLOAD direction was tested. To generate traffic in the opposite direction (download), use the -R option:

 

FGT # diag traffictest run -R -c 45.154.168.155
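The TCP and UDP reports above end with summary lines that carry the figures worth recording (rate, TCP retransmits, UDP jitter and datagram loss). The following parser is an added example for this article, not Fortinet code; it reads the plain-text report the FortiGate prints, pulls those totals out, flags retransmits or loss that would make the rate untrustworthy, and compares a default (upload) run with an -R (download) run. The sample reports are trimmed excerpts of the outputs shown above, embedded so the script runs offline.

```python
"""Parse the end-of-run summary of a FortiGate 'diag traffictest run' (iperf3) report.

Added example for this article; not Fortinet code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Rate multipliers used in iperf3's human-readable output.
_UNITS = {"bits": 1.0, "Kbits": 1e3, "Mbits": 1e6, "Gbits": 1e9}

# TCP totals, e.g. "[ 14]   0.00-10.00  sec  55.7 MBytes  46.7 Mbits/sec   44             sender"
_TCP_SUM = re.compile(
    r"^\[\s*\d+\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+[KMG]?Bytes\s+"
    r"(?P<rate>[\d.]+)\s+(?P<unit>[KMG]?bits)/sec\s+(?:(?P<retr>\d+)\s+)?(?P<role>sender|receiver)\s*$"
)
# UDP totals, e.g. "[  9]   0.00-10.01  sec  1.24 MBytes  1.04 Mbits/sec  0.074 ms  0/159 (0%)"
_UDP_SUM = re.compile(
    r"^\[\s*\d+\]\s+[\d.]+-[\d.]+\s+sec\s+[\d.]+\s+[KMG]?Bytes\s+"
    r"(?P<rate>[\d.]+)\s+(?P<unit>[KMG]?bits)/sec\s+(?P<jitter>[\d.]+)\s+ms\s+(?P<lost>\d+)/(?P<total>\d+)"
)


@dataclass
class TrafficTestResult:
    protocol: str                   # "tcp" or "udp"
    sender_bps: float               # rate on the sender summary line (the only UDP summary line)
    receiver_bps: Optional[float]   # TCP only: rate on the receiver summary line
    retransmits: Optional[int]      # TCP only
    jitter_ms: Optional[float]      # UDP only
    lost: Optional[int]             # UDP only
    total: Optional[int]            # UDP only


def _bps(m: re.Match) -> float:
    return float(m["rate"]) * _UNITS[m["unit"]]


def parse_traffictest(output: str) -> TrafficTestResult:
    """Return the totals from one iperf3 report (TCP or UDP)."""
    lines = output.splitlines()
    # The totals follow iperf3's dashed separator; per-second interval lines precede it.
    seps = [i for i, line in enumerate(lines) if line.startswith("- - -")]
    if not seps:
        raise ValueError("no iperf3 summary separator found")
    sender = receiver = None
    retr = None
    for line in lines[seps[-1] + 1:]:
        m = _UDP_SUM.match(line)
        if m:
            return TrafficTestResult("udp", _bps(m), None, None,
                                     float(m["jitter"]), int(m["lost"]), int(m["total"]))
        m = _TCP_SUM.match(line)
        if m and m["role"] == "sender":
            sender = _bps(m)
            retr = int(m["retr"]) if m["retr"] is not None else None
        elif m:
            receiver = _bps(m)
    if sender is None:
        raise ValueError("no sender summary line found")
    return TrafficTestResult("tcp", sender, receiver, retr, None, None, None)


def health_flags(result: TrafficTestResult, max_loss_pct: float = 1.0) -> List[str]:
    """Conditions to look at before trusting the measured rate."""
    flags = []
    if result.protocol == "tcp" and result.retransmits:
        flags.append(f"{result.retransmits} TCP retransmits")
    if result.protocol == "udp" and result.total:
        loss_pct = 100.0 * result.lost / result.total
        if loss_pct > max_loss_pct:
            flags.append(f"UDP loss {loss_pct:.1f}%")
    return flags


def direction_ratio(upload: TrafficTestResult, download: TrafficTestResult) -> float:
    """Download/upload rate ratio from a default run and a run with -R; far from 1.0 means an asymmetric path."""
    return download.sender_bps / upload.sender_bps


# Trimmed excerpts of the TCP and UDP reports shown in this article.
SAMPLE_TCP = """\
[ 14]   9.01-10.00  sec  6.07 MBytes  51.1 Mbits/sec    0    301 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Retr
[ 14]   0.00-10.00  sec  55.7 MBytes  46.7 Mbits/sec   44             sender
[ 14]   0.00-10.00  sec  55.5 MBytes  46.6 Mbits/sec                  receiver

iperf Done.
"""
SAMPLE_UDP = """\
[  9]   9.01-10.01  sec   128 KBytes  1.05 Mbits/sec  16
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bandwidth       Jitter    Lost/Total Datagrams
[  9]   0.00-10.01  sec  1.24 MBytes  1.04 Mbits/sec  0.074 ms  0/159 (0%)
[  9] Sent 159 datagrams
"""

if __name__ == "__main__":
    for name, text in (("tcp", SAMPLE_TCP), ("udp", SAMPLE_UDP)):
        r = parse_traffictest(text)
        print(name, f"{r.sender_bps / 1e6:.2f} Mbit/s", health_flags(r) or "clean")
```

Paste the full output of a default run and of an -R run into `parse_traffictest` and pass both results to `direction_ratio` to see how asymmetric the WAN path is; the 44 retransmits in the TCP sample are exactly the kind of detail `health_flags` surfaces before the average rate is taken at face value.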

 

When the FortiGate acts as the iPerf client, as shown above, and connects to an actual iPerf server, it sends packets to gather the upload and download speed.

However, this is not a full-fledged test by design and will not show the actual throughput result.

iPerf functionality is limited on the FortiGate.

 

To test the actual throughput and establish an upload and download speed baseline, an external server and client are required, with the FortiGate in between.

Moreover, in a dual-WAN scenario, the FortiGate always sends the traffic via the best route and its outgoing interface in the routing table.
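One way to build that baseline with an external client and server on either side of the FortiGate, as an added example and not Fortinet code: the script below runs iperf3 from the external client in both directions using its JSON report (-J) instead of the text output, keeps the receiving side's rate as the throughput figure for each direction, and flags a later run whose throughput fell more than a chosen tolerance below the baseline. SERVER and PORT are placeholders, iperf3 is assumed to be installed on the client host, and the embedded sample reports are constructed excerpts with only the keys the code reads.

```python
"""External iperf3 baseline through a FortiGate, client and server on either side.

Added example for this article; not Fortinet code. Assumes iperf3 on the client host
and an iperf3 server reachable through the FortiGate at SERVER:PORT (placeholders).
"""
import json
import subprocess
from typing import Any, Dict, List

SERVER = "192.0.2.10"   # placeholder: iperf3 server on the far side of the FortiGate
PORT = 5201             # placeholder: iperf3 default port


def summarize(doc: Dict[str, Any]) -> Dict[str, float]:
    """Totals from an iperf3 -J report: UDP runs carry end.sum, TCP runs end.sum_sent/sum_received."""
    end = doc["end"]
    if "sum" in end:
        s = end["sum"]
        return {"mbps": s["bits_per_second"] / 1e6, "jitter_ms": float(s["jitter_ms"]),
                "lost_percent": float(s["lost_percent"])}
    # Throughput is what the receiving side actually got, in either direction.
    return {
        "mbps": end["sum_received"]["bits_per_second"] / 1e6,
        "retransmits": float(end["sum_sent"].get("retransmits", 0)),
    }


def run_iperf3(server: str, port: int, reverse: bool = False, udp: bool = False,
               seconds: int = 10) -> Dict[str, float]:
    """Run one iperf3 test; -R pulls data from the server (download), the default pushes (upload)."""
    cmd = ["iperf3", "-c", server, "-p", str(port), "-t", str(seconds), "-J"]
    if reverse:
        cmd.append("-R")
    if udp:
        cmd.append("-u")
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return summarize(json.loads(proc.stdout))


def measure(server: str, port: int) -> Dict[str, Dict[str, float]]:
    """Upload and download totals for one pass through the FortiGate."""
    return {"upload": run_iperf3(server, port), "download": run_iperf3(server, port, reverse=True)}


def regressions(current: Dict[str, Dict[str, float]], baseline: Dict[str, Dict[str, float]],
                tolerance: float = 0.2) -> List[str]:
    """Directions whose throughput dropped more than `tolerance` (fraction) below the baseline."""
    out = []
    for direction, base in baseline.items():
        now = current[direction]["mbps"]
        if now < base["mbps"] * (1 - tolerance):
            out.append(f"{direction}: {now:.1f} Mbit/s vs baseline {base['mbps']:.1f} Mbit/s")
    return out


# Constructed -J excerpts (only the keys read above) standing in for real runs.
SAMPLE_BASELINE = {
    "upload": {"end": {"sum_sent": {"bits_per_second": 46.7e6, "retransmits": 44},
                       "sum_received": {"bits_per_second": 46.6e6}}},
    "download": {"end": {"sum_sent": {"bits_per_second": 92.0e6, "retransmits": 0},
                         "sum_received": {"bits_per_second": 91.5e6}}},
}
SAMPLE_CURRENT = {
    "upload": {"end": {"sum_sent": {"bits_per_second": 45.0e6, "retransmits": 3},
                       "sum_received": {"bits_per_second": 44.9e6}}},
    "download": {"end": {"sum_sent": {"bits_per_second": 60.0e6, "retransmits": 120},
                         "sum_received": {"bits_per_second": 59.0e6}}},
}
SAMPLE_UDP = {"end": {"sum": {"bits_per_second": 1.04e6, "jitter_ms": 0.074,
                              "lost_packets": 0, "packets": 159, "lost_percent": 0.0}}}

if __name__ == "__main__":
    base = {k: summarize(v) for k, v in SAMPLE_BASELINE.items()}
    cur = {k: summarize(v) for k, v in SAMPLE_CURRENT.items()}
    print(regressions(cur, base) or "within tolerance")
    # Against a live setup: print(regressions(measure(SERVER, PORT), base))
```

Record the `measure()` result once on a known-good day and keep it as the baseline; the same call after a policy, firmware or WAN change, fed to `regressions`, then tells you which direction degraded rather than just that "it feels slow".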

 

The options of the iPerf3 client supported on the FortiGate can be listed with this command:

 

# diag traffictest run -h

 

Note that the iPerf/iPerf3 servers are external services and are not operated or endorsed by Fortinet.