My download speed is 1GBit/s from the provider UPC here in Switzerland.

A PC (paviPC) attached to the providers connect box (CB, a DOCSIS router) gets about 900MBit/s.

This is what I am looking for.

(paviPC <-- CB/p4-CB/cable <-- cnlab speed test server)

I got a Fortigate 40F (FG) to play and connected lan3 (hardware switch) to port 3 of the UPC CB router.
Looking at the specs, the FG-40F should easily handle the 1GBit/s download speed. But it seems not to...

Any PC (elitePC, zoePC, paviPC) connected to lan3 of FG only gets about 130MBit/s download speed max.
(PC <-- FG/lan3<-FG/wan <-- CB/p3<-CB/wan <-- cnlab speed test server)

I do not have any fancy firewall policy enabled.Just plain all/all/all from inside to outside without any UTM features.

Why is this so slow and how can I speed it up?

I test the download speed with the cnlab speedtest application (https://www.cnlab.ch/speedtest) from different PC's (paviPC, zoePC, elitePC).

To check the port speeds, I did several speed tests with iperf3 using FG as a client, connecting to my 3 test PC's via the LAN port (i.e. diag traffictest run -c 192.168.1.204). On the PC's I downloaded iperf3 and started the server session.

Results:

• elitePC   333 MBit/s     (Lots of retries, I believe the CAT5e cable is bad and I will exchange it soon)
• zoePC    580 MBit/s     CAT 5e (no retrans errors, but I will replace this cable too)
• paviPC   736 MBit/s     CAT6

To test the WAN port speed, I used  paviPC as an iperf3 client and connected to FG (running the server iperf3 server) via a 1GB switch.

Result:

• paviPC 887 MBit/s     CAT6

(same is also possible by using the -R option: diag traffictest run -R -c 192.168.0.50)

I conclude from this that the LAN cabling is not optimal, but far beyond just 120 MBit/s.

The Fortigate 40F is apparently stalling the connections, probably is the cause of the slow download.

I tried different settings on the FG to increase throughput

• checking duplex mismatch issues
• connection on WAN and lan3 port is 1000full (full-duplex), also tested with setting the interface mode from auto to 1000full
• connected via dumb switch to fix potential half-full-duplex issues
• double checked with "dia har dev nic wan" and "dia har dev nic lan3"
• cpu and memory load in FG is very low when doing speed tests
• reset FG completely and reconfigured
• FW version 6.4.8, fully under support with subscriptions, NGFW Mode = Profile-based
• no logging (same results with logging, though)
• played around with different MTU settings on wan side
• applied guaranteed bandwith (adapted https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Issue-with-outbound-upload-traffic-s... for download)

Nothing I tried so far was bumping the speed above 130 MBit/s.

What else could I try on the FG?

Thanks

Dan

References:
https://fusecommunity.fortinet.com/blogs/yuri1/2020/10/30/fortigate-built-in-iperf-tool-network-diag...
https://community.fortinet.com/t5/Fortinet-Forum/Slow-Internet/m-p/154183?m=164588
https://community.fortinet.com/t5/Fortinet-Forum/diagnose-traffictest/m-p/152702?m=146386
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-perform-bandwidth-tests/ta-p/197784...
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Issue-with-outbound-upload-traffic-s...
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/fortigate-fortiwifi-40f-series.pdf