Fortinet's latest ASIC promises 2.5Gbps of SSL inspection at the edge
New entry-level firewalls to follow
Fortinet this week unveiled a custom ASIC it says will power its next generation of firewalls debuting later this year.
Over the past two decades, Fortinet has staked its reputation on the ability of custom silicon to achieve higher performance in smaller, lower-power packages. And the company's new SP5 security processor is no different.
Fortinet boasts the 7nm chip will deliver 17x faster firewall performance at 40Gbps, 32x faster cryptographic functionality, and 2.5Gbps of SSL inspection throughput, while consuming 88 percent less power compared to a standard CPU. While these claims may sound impressive, Fortinet is comparing its chip against Intel Atom and Celeron-class parts commonly found in entry-level enterprise firewalls.
What we do know is Fortinet is able to achieve many of those claims using a bunch of application-specific accelerator blocks baked into the chip.
Broadly speaking, Fortinet's ASICs come in three flavors. The first is the Network Processor (NP), which is designed for bandwidth-heavy environments, like enterprise, telecom, and hyperscale networks. The second is the Content Processor (CP), which offloads security inspections such as intrusion detection and prevention, and antivirus. Both of these work in conjunction with x86 processors, which, similar to a switch, are responsible for running things like the control plane and software functionality that isn't hardware accelerated.
The final category is Fortinet's Security Processing Unit (SPU), which combines accelerators found in Fortinet's NP7 Lite and CP 10 with an Arm CPU. In this regard, the SP5 is more akin to a mobile system-on-chip (SoC), like Apple's A15 or M1. But rather than image signal processors and video encode and decode blocks, SP5's accelerators are designed to speed up things like SSL inspection and encryption.
According to Fortinet CMO John Maddison, the chip is focused on smaller environments like branch offices, industrial sites, and other edge use cases, where performance per watt is valuable.
While Fortinet rarely misses an opportunity to highlight how well its chips perform compared to x86-based firewalls from the likes of Palo Alto Networks and others, fixed function accelerators are just that: fixed.
As with any application-specific accelerator, they're only good at the workload they were designed for. As soon as you throw a workload at them that can't be offloaded to specialized silicon, it's back to brute-forcing the job on the CPU cores.
Fortinet is able to get away with this because it controls both the software and hardware stack, allowing for tight vertical integration between the two platforms. However, this also means that if the company wants to add hardware support for a new feature, it may have to re-engineer the chips to support it.
Because of this, the company typically runs new functionality on the CPU to start and if it has broad appeal, then integrates that into its next-gen ASICs, Maddison explained.
While Fortinet has yet to share which products the SP5 will power, we can expect them to address several new and existing use cases including 5G, operational technology and edge compute environments, and your typical branch and campus networks. While Maddison didn't confirm any new hardware, he said the SP5 would be a candidate for the company's 60, 80, and 100-series appliances. ®