FortiGate IPv4 vs. IPv6 Performance Speedtests

I was interested in the performance of my FortiGate firewall when comparing IPv4 and IPv6 traffic. Therefore I built a small lab consisting of a FortiWiFi 90D firewall and two Linux clients running iperf. I tested the network throughput for both Internet Protocols in both directions within three scenarios: 1) both clients plugged into the same “hardware switch” on the FortiGate, 2) different subnets with an “allow any any” policy without any further security profiles, and finally, 3) activating antivirus, application control, IPS, and SSL inspection.

Laboratory

Both clients (notebooks) were booted with the live Linux Knoppix in version 7.6.1. The FortiWiFi 90D ran at software version v.5.2.5, build701. The security policies for tests 2 and 3 looked like this:

I started iperf on one of the notebooks in server mode (with either IPv4 or IPv6),

and ran the other notebook as the client: (Yes, I really used the 2001:db8::/32 for testing purposes this time.)

A complete run of iperf is listed in the following:

Here is a screenshot of the FortiGate Traffic Forward log that shows some IPv4 and IPv6 runs:

[Screenshot: FortiGate IPv4-vs-IPv6 Forward Traffic Log]

Results

These are the results:

  1. When plugged into the same hardware switch on the FortiGate unit (no routing, only layer 2), the speed for both protocols was almost the same and very good (around 930 MBit/s).
  2. When routed through the FortiGate, IPv4 had almost the same speed while IPv6 dramatically dropped its rate to about 150-180 MBit/s (yellow and green bars).
  3. With activated antivirus scanning, etc., the Rx path was at about 40 MBit/s, which fits perfectly with the official data sheets that list 41 Mbit/s for mixed IPS throughput. However, the Tx path was the same for IPv6 with only about 150 MBit/s.

Conclusion

Of course, these results are only true for this single FWF-90D firewall. It only has an NP4-lite processor which is not capable of IPv6. Bigger firewalls with the newer NP6 claim that they have the same speed for IPv4 as for IPv6. Hopefully they will. The measured IPv6 throughput with this firewall is obviously not that good!

Raw Values

| Scenario | IPv4 Tx/Rx [MBit/s] | IPv6 Tx/Rx [MBit/s] |
|---|---|---|
| Same Hardware Switch | 943/936 | 929/924 |
| Routing Without Security Profiles | 937/936 | 156/182 |
| Policy With Security Profiles | 929/43 | 154/44 |

Featured image “Baureihe 403 ICE3” by Lars Steffens is licensed under CC BY-SA 2.0.
