I was interested in the performance of my FortiGate firewall when comparing IPv4 and IPv6 traffic. Therefore I built a small lab consisting of a FortiWiFi 90D firewall and two Linux clients running Iperf. I tested the network throughput for both Internet Protocols in both directions within three scenarios: 1) both clients plugged into the same “hardware switch” on the FortiGate, 2) different subnets with an “allow any any” policy without any further security profiles, and finally, 3) activating antivirus, application control, IPS, and SSL inspection.
Laboratory
Both clients (notebooks) booted with the live Linux Knoppix in version 7.6.1. The FortiWiFi 90D ran at software version v.5.2.5, build701. The security policies for tests 2 and 3 looked like this:
I started Iperf on one of the notebooks in server mode (with either IPv4 or IPv6),

```
iperf -s
iperf -s -V
```
and ran the other notebook as the client (yes, I really used the 2001:db8::/32 for testing purposes this time):

```
iperf -c 192.168.47.11 -r
iperf -c 2001:db8:47:0:221:70ff:fee9:bb47 -V -r
```
A complete run of Iperf is listed in the following:

```
knoppix@Microknoppix:~$ iperf -c 2001:db8:47:0:221:70ff:fee9:bb47 -V -r
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
------------------------------------------------------------
Client connecting to 2001:db8:47:0:221:70ff:fee9:bb47, TCP port 5001
TCP window size: 43.8 KByte (default)
------------------------------------------------------------
[  5] local 2001:db8:48:0:16fe:b5ff:feb2:3fe8 port 51318 connected with 2001:db8:47:0:221:70ff:fee9:bb47 port 5001
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.0 sec   184 MBytes   154 Mbits/sec
[  4] local 2001:db8:48:0:16fe:b5ff:feb2:3fe8 port 5001 connected with 2001:db8:47:0:221:70ff:fee9:bb47 port 41070
[  4]  0.0-10.2 sec  53.1 MBytes  43.6 Mbits/sec
```
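Reading the Tx and Rx numbers out of a bidirectional `iperf -r` run by hand gets error-prone once you repeat it for two protocols, three scenarios and several runs each. The following is an added example (my own code, not from the post or from Fortinet) that parses iperf's text output into a Tx/Rx pair and computes the IPv6-to-IPv4 ratio. The direction of each stream is taken from its connection line: the stream whose remote port is the server port (5001) is the client-to-server transfer (Tx), the stream whose local port is the server port is the reverse transfer (Rx). The embedded sample is the IPv6 run quoted above; the second sample is constructed from the table's IPv4 values to show the ratio calculation.

```python
import re

# Sample input: the IPv6 bidirectional run quoted in the post.
SAMPLE_IPV6_RUN = """\
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
------------------------------------------------------------
------------------------------------------------------------
Client connecting to 2001:db8:47:0:221:70ff:fee9:bb47, TCP port 5001
TCP window size: 43.8 KByte (default)
------------------------------------------------------------
[  5] local 2001:db8:48:0:16fe:b5ff:feb2:3fe8 port 51318 connected with 2001:db8:47:0:221:70ff:fee9:bb47 port 5001
[ ID] Interval       Transfer     Bandwidth
[  5]  0.0-10.0 sec   184 MBytes   154 Mbits/sec
[  4] local 2001:db8:48:0:16fe:b5ff:feb2:3fe8 port 5001 connected with 2001:db8:47:0:221:70ff:fee9:bb47 port 41070
[  4]  0.0-10.2 sec  53.1 MBytes  43.6 Mbits/sec
"""

# Constructed IPv4 counterpart (values taken from the "Policy With Security
# Profiles" row of the post's table; the transfer sizes are made up).
SAMPLE_IPV4_RUN = """\
[  3] local 192.168.48.11 port 40000 connected with 192.168.47.11 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  1.08 GBytes   929 Mbits/sec
[  4] local 192.168.48.11 port 5001 connected with 192.168.47.11 port 40001
[  4]  0.0-10.1 sec  51.8 MBytes  43.0 Mbits/sec
"""

# "[  5] local <addr> port <p> connected with <addr> port <p>"
CONNECT_RE = re.compile(
    r"^\[\s*(\d+)\]\s+local\s+(\S+)\s+port\s+(\d+)\s+connected with\s+(\S+)\s+port\s+(\d+)"
)
# "[  5]  0.0-10.0 sec   184 MBytes   154 Mbits/sec"
RESULT_RE = re.compile(
    r"^\[\s*(\d+)\]\s+[\d.]+-\s*[\d.]+\s+sec\s+[\d.]+\s+\w+\s+([\d.]+)\s+([KMG]?)bits/sec"
)
SCALE_TO_MBPS = {"": 1e-6, "K": 1e-3, "M": 1.0, "G": 1e3}


def parse_iperf_tradeoff(output, server_port=5001):
    """Return {'tx_mbps': ..., 'rx_mbps': ...} for one `iperf -c <host> -r` run."""
    direction = {}  # stream id -> 'tx_mbps' / 'rx_mbps'
    results = {}
    for line in output.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            sid, _local, lport, _remote, rport = m.groups()
            if int(rport) == server_port:
                direction[sid] = "tx_mbps"  # we connected out: client -> server
            elif int(lport) == server_port:
                direction[sid] = "rx_mbps"  # peer connected back: server -> client
            continue
        m = RESULT_RE.match(line)
        if m:
            sid, value, unit = m.groups()
            key = direction.get(sid)
            if key is None:
                raise ValueError(f"result for stream {sid} before its connection line")
            results[key] = float(value) * SCALE_TO_MBPS[unit]
    missing = {"tx_mbps", "rx_mbps"} - results.keys()
    if missing:
        raise ValueError(f"run did not report {sorted(missing)}")
    return results


def ipv6_fraction(results_v4, results_v6):
    """IPv6 throughput as a fraction of IPv4 throughput, per direction."""
    return {k: round(results_v6[k] / results_v4[k], 3) for k in ("tx_mbps", "rx_mbps")}


if __name__ == "__main__":
    v6 = parse_iperf_tradeoff(SAMPLE_IPV6_RUN)
    v4 = parse_iperf_tradeoff(SAMPLE_IPV4_RUN)
    print("IPv6 Tx/Rx:", v6)
    print("IPv4 Tx/Rx:", v4)
    print("IPv6 as fraction of IPv4:", ipv6_fraction(v4, v6))
```

Feed each run's stdout to `parse_iperf_tradeoff` and you get the Tx/Rx pair that goes into the table below without transcription errors; a run that lost one direction (for example because a policy blocked the reverse connection) raises instead of silently reporting half a result.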
Here is a screenshot of the FortiGate Traffic Forward log that shows some IPv4 and IPv6 runs:
Results
These are the results:
- When plugged into the same hardware switch on the FortiGate unit (no routing, only layer 2), the speed for both protocols was almost the same and very good (around 930 MBit/s).
- When routed through the FortiGate, IPv4 had almost the same speed, while IPv6 dropped dramatically to about 150-180 MBit/s (yellow and green bars).
- With antivirus scanning etc. activated, the Rx path ran at about 40 MBit/s, which matches the official data sheet figure of 41 Mbit/s for mixed IPS throughput. The Tx path for IPv6, however, stayed at only about 150 MBit/s.
Conclusion
Of course, these results are only true for this single FWF-90D firewall. It only has an NP4-lite processor which is not capable of IPv6. Bigger firewalls with the newer NP6 claim that they have the same speed for IPv4 as for IPv6. Hopefully they will. The measured IPv6 throughput with this firewall is obviously not that good!
Raw Values
| | IPv4 Tx/Rx [MBit/s] | IPv6 Tx/Rx [MBit/s] |
|---|---|---|
| Same Hardware Switch | 943/936 | 929/924 |
| Routing Without Security Profiles | 937/936 | 156/182 |
| Policy With Security Profiles | 929/43 | 154/44 |