Business & Technology

Exec Q&A: John Maddison On the New FortiSP5 ASIC

By Fortinet | February 28, 2023

As more people become connected and go off and on the network, we’ve also seen the security infrastructure spread to allow this connectivity. Now we’re seeing firewalls everywhere in factories, in campus environments, and even in the home. Those that operate distributor firewalls are always hardware-based and have particular performance characteristics. For those deploying thousands of them, you will need them to meet specific price performance criteria.

Building on over 20 years of ASIC investment at Fortinet, we’ve addressed this need by building and increasing the performance of our own System-on-a-Chip (SoC). With the latest breakthrough in application-specific design through FortiSP5, we’ve dramatically reduced power consumption and delivered huge secure computing power across distributed network edges. In this executive Q&A, John Maddison, EVP of Products and CMO at Fortinet, provides context to Fortinet’s latest security processing unit (SPU) FortiSP5, and how it delivers unparalleled levels of performance for customers.

What is the difference between a System-on-a-Chip and an ASIC?

John: They're both the same, but a way to think about this is viewing them in a normal compute environment. In our larger firewalls, we still use CPUs from the big manufacturers out there, but we take specific functions like networking or firewalling and put that into an application-specific integrated circuit. That network processor offloads the CPU from a lot of the networking tasks. Additionally, you have content processors, which, like a GPU, offload a lot of tasks you would normally do in the CPU. 

Now applying this same concept to a SoC, a SoC needs to be in a small package, instead of having some CPUs, and network processors, and content processors, we put it all into a single chip. This single chip comes equipped with CPUs, network, and content processing, so you get the very small form factor that hits certain price points but is also very powerful to run a lot of applications. For context, in a Fortinet device using a SoC, all these pieces are built onto a single slab of silicon rather than in separate pieces.

How does FortiSP5 compare to an equivalent CPU?

John: We’re comparing entry-level CPUs that fall into the same price points and cost as FortiSP5. The big difference between FortiSP5 and an equivalent entry-level CPU is that CPUs still must do all the security, networking, and content processing. However, when these CPUs start running very hot and inefficient over a longer period of time, this will also decrease the lifetime of the appliance. When testing against equivalent CPUs, we’ve found FortiSP5 to have about 88% less power consumption, and that helps lower costs and energy requirements.

When testing against equivalent CPUs, we’ve found FortiSP5 to have about an 88% less power consumption, and that helps lower costs and energy requirements.

What Fortinet product ranges do you anticipate FortiSP5 going into?

John: Mostly our entry-level FortiGate Next-Generation Firewalls, but because of the increased performance, we might even put this in our mid-range products. What we're finding is that obviously the software has a big part to play in that, and the FortiOS operating system provides the applications that run on the chip. 

From a customer standpoint, we are seeing a lot of customers starting to converge on networking and security. They're starting to take what used to be separate little appliances and consolidate them into one. We've got some customers now rolling out our entry-level appliance, which are equipped with firewalling, SD-WAN, a Wi-Fi controller for SD-Branch, an Ethernet controller, and 4G to provide zero-trust functionality. The days of a firewall just doing simple firewalling are long gone in our minds. These days, firewalls are a platform to provide a lot of functionality to the customer.

The days of a firewall just doing simple firewalling are long gone in our minds. These days, firewalls are a platform to provide a lot of functionality to the customer.

With firewalls providing more functionality, what about handling encryption?

John: There's a lot of encryption needed for things like SSL inspection and IPsec. Even if you're just connecting into a SASE cloud, for example, you still need encryption and encryption just crushes CPU performance. We've seen entry-level devices with CPUs lose 90% of their throughput when you switch on SSL inspection.

Given encryption is a foundational component that is used for a lot of different things, this really ties back and highlights the significant impact FortiSP5’s 88% reduced power consumption can have to improve performance across SSL deep inspection, hardware-accelerated encryption, next-gen firewalls, and more.

Another area that I believe people are not aware of is that denial of service attacks [DDoS] happen all the time against data centers, clouds, and even small office and factory environments. While Fortinet has integrated DDoS protection, most CPUs would again get crushed if they got attacked that way.

How is DDoS protection being integrated?

John: Integration is volume-based. There are two types of DDoS protection. One that is application specific and the second being volume. Now, if the DDoS attack is bigger than the bandwidth, then there's nothing you can do. You have to rely on your service provider. But a lot of those attacks occur very rapidly and are made with very fast SYN packets, for example, so it is difficult to keep up.

CPUs are not good at the packets per second, that's how fast you can accelerate the content, and that's put in there to protect against that. At Fortinet, we've built networking capability right into the SoC, that gives us DDoS protection against those volumetric attacks.

How is Fortinet’s built-in DDoS protection any different from what CDN providers are able to filter out?

John: In the case of protecting more devices and branch offices, you usually don’t have CDNs that way. You have CDNs protecting applications. But even having said that, our larger systems and data centers are used at the edge because they have that ability to protect. Even if you think you've got a CDN protecting you, it can still get through.

Now, CDNs are not usually deployed the other way, or the other direction towards the devices. So if someone's attacking, let's say an office or a branch, you don't usually have CDNs in there. That's usually there just an ISP connection that's going in.

In regard to competitive positioning, how would you react to others that bypass the hardware engineering work and optimize existing CPUs for networking processing to come in at a lower price point?

John: I view it as two real main markets. You've got data center and cloud, which is more a combination of maybe generic CPU, and at Fortinet we do virtual machines and cloud-native. Drawn out you've got the data center, which is north-south, still, very appliance focused. East-west is more micro-segmentation and agent-based. And around this whole mass of the edge, is the area of focus to service through low-end CPUs.

When you get a DPU from one person, the CPU from another, the network card from another, that's expensive, even in an entry-level device. There's no one who will get close to our price and performance on our FortiSP5, or if they are, they're losing money.

What Fortinet is doing is similar to what Apple is doing, but more focused on a B2B kind of security application. Previously, Apple was outsourcing all their CPUs for a long time, and recently they built the M1. Now they've got the M2, and you can see the performance increase. They're now in control and have ownership, having integrated both the software and the hardware.

Continuing to Accelerate the Convergence of Networking and Security Functions

Fortinet is the only cybersecurity vendor leveraging purpose-built ASICs to deliver huge secure computing power across distributed network edges. The latest release of FortiSP5 further allows Fortinet to help organizations accelerate their edge network and security functions at a price/performance point no one in the industry can match.


Learn more about Fortinet’s custom ASIC technology.