Today’s Security Requires Specialized Processors

By John Maddison | May 02, 2024

Many are familiar with central processing units (CPUs), graphical processing units (GPUs), and maybe even data processing units (DPUs). But what is a security processing unit (SPU)? As the name suggests, it's a specially designed processor focused on making security tasks run faster and more efficiently than relying on a CPU alone. An SPU can act as a self-contained system to better meet the requirements of smaller environments such as a branch office.

The main advantages of security systems designed with SPUs versus CPUs are:

  1. Superior price-performance
  2. Ability to run applications simultaneously
  3. Increased power-efficiency
  4. Smaller footprint
  5. Built-in security

Let’s look at some of the processors we already rely on so our devices can keep up with the escalating demands of today’s applications and services.

General Purpose Computing

The overall design of generalized computers has not really changed for a few decades. CPUs, memory, buses, and peripheral cards usually perform specific functions, such as supporting network interfaces or providing graphical processing.

Central Processing Units

A CPU is the primary component that performs most of the processing inside a computer. It carries out computer program instructions by performing basic arithmetic, logic, control, and input/output operations specified by the instructions. The CPU is often referred to as the “brain” of the computer. But while it is very good at generalized tasks, it cannot match the performance and efficiency of application-specific integrated circuits (ASICs) for specialized tasks.

Graphical Processing Unit

A GPU is a specialized electronic circuit designed to rapidly manipulate and alter memory to accelerate the creation of images in a frame buffer intended for output to a display device. GPUs are used in embedded systems, mobile phones, personal computers, workstations, and game consoles and are typically efficient at handling many repetitive tasks simultaneously. This makes them well-suited for tasks like image processing, 3D rendering, and machine learning computations. More recently, they are being used to process large language models (LLMs) for AI.

Data Processing Unit

A DPU is a specialized hardware component designed to accelerate data processing tasks in computing systems. DPUs are typically used in data centers to offload and accelerate specific workloads, such as networking, storage, or security functions. By handling tasks separately from the main CPU, they can improve performance, reduce latency, and increase efficiency. SmartNICs are used in a similar way for offloading purposes to achieve accelerated network processing.

Specialized Security Computing

These general-purpose computing elements have dramatically increased in speed over the past decade; however, they still lack the ability to support many basic security processing functions. While different software components may be able to help the CPU, specialized security-focused tasks are still something that cannot be accelerated well by these commercial off-the-shelf components. Fortinet is the first vendor to develop custom ASICs explicitly designed to support critical security functions. We have been developing specialized versions of these ASICs for 20+ years, and most importantly, we have developed the software and operating system (FortiOS) needed to make them all work together at high speed.

Let’s take a look at the portfolio of specialized processors we have developed:

Fortinet Network Processor Generation 7 (NP7)

The seventh generation of the Fortinet network processor is close to being a standalone 200Gbit/s firewall. The NP7 can handle all stateful firewall traffic. Beyond this core functionality, it can protect against distributed denial-of-service attacks, provide IPsec at 100Gbps rates, and even support elephant flows, which are a big problem for many systems. NP7 platforms are also sometimes used by service providers for carrier-grade NAT with a hyperscale license to accelerate hardware sessions and provide logging offload, ensuring accurate logging no matter the circumstance.

Fortinet Content Processor Generation 10 (CP10)

The tenth generation of the Fortinet content processor acts very much like a GPU by offloading complex calculations from the CPU. In this case, the CP10 content processor inspects the content for malicious behavior. A good example of this is an intrusion prevention system (IPS) looking for network packets that try to exploit a vulnerability. CP10 helps to accelerate the IPS function by performing accelerated pattern matching and correlation, delivering 2x the IPS performance of the previous CP9.

Fortinet Security Processing Unit Generation 5 (SP5)

The third ASIC in the family is the FortiSP5, our fifth-generation SPU. The SP5 is a high-performance, flexible ASIC that can be used in three ways:

1. Full System-on-a-Chip (SoC), including CPU, NP, and CP functionality, for entry-level FortiGates such as the FortiGate 90G
2. As an NP Lite for some mid-range FortiGates
3. As a CP for all FortiGate models

To benchmark the security processing performance, we gather data sheet specifications from different vendors to calculate a general Security Compute Rating for each function. The latest FortiGate model to be released with the SP5 is the 200G. It leverages the SP5 in two ways: as an NP7 Lite and as a CP10.

The FortiGate 200G series leverages the SP5.

Fortinet SPUs outpace other solutions with the highest Security Compute Ratings for benchmarks such as:

Like all other SP5-based FortiGate models, the 200G can accelerate 14 different applications, which would be impossible using a standard CPU.

| Specification | FortiGate 200G series | Security Compute Rating | Industry Average | Palo Alto Networks PA-1410 series | Cisco Meraki MX series | Check Point Quantum 3800 series | Juniper SRX345 series |
|---|---|---|---|---|---|---|---|
| Firewall Throughput | 39 Gbps | 7x | 5.9 Gbps | 8.5 Gbps | 6.0 Gbps | 4.0 Gbps | 5.0 Gbps |
| IPSec VPN | 35 Gbps | 16x | 2.3 Gbps | 4.1 Gbps | 1.2 Gbps | 2.8 Gbps | 1.0 Gbps |
| Threat Protection | 6.4 Gbps | 2x | 2.9 Gbps | 4.2 Gbps | - | 1.5 Gbps | - |
| Concurrent Sessions | 11M | 8x | 1.43M | 945K | 4K | 4M | 375K |
| Connections/Second | 390K | 6x | 68.7K | 100K | 100K | 60K | 15K |

| Power Consumption | FortiGate 200G series | Energy Efficiency | Industry Average | Palo Alto Networks PA-1410 series | Cisco Meraki MX series | Check Point Quantum 3800 series | Juniper SRX345 series |
|---|---|---|---|---|---|---|---|
| Watts/Gbps Firewall Throughput | 4.5 W | 4x | 18.0 W | 21.2 W | 16.7 W | 10.0 W | 24.4 W |
| Watts/Gbps IPsec VPN Throughput | 5.0 W | 13x | 67.0 W | 43.9 W | 83.3 W | 14.6 W | 125.8 W |
| BTU/h per Gbps of Firewall Throughput | 15.4 BTU | 4x | 61 BTU | 72.1 BTU | 56.8 BTU | 30.8 BTU | 84.4 BTU |

This table compares the top firewalls on the market against the target performance numbers of the FortiGate 200G series, which leverages the SP5.

Additionally, the power efficiency of the FortiGate 200G is 4x the industry average. With some customers deploying hundreds, even thousands, of these devices, those power savings really add up. For equivalent performance, many competitive models in this price range are 2U rather than 1U boxes, which can use up rack space and require additional cooling to keep them running efficiently.

Summary

Although not as well-known as the GPU, the SPU has a similar objective: offloading the CPU or, in some cases, becoming a SoC to completely replace the CPU. At the end of the day, the role of GPUs and SPUs is to accelerate critical functions to keep up with application and environmental demands. When it comes to security and the rate at which a cyber incident can occur, speed is of the essence. Traditional security devices that rely on general-purpose CPUs simply cannot keep up, meaning you pay significantly more for equivalent performance.

With network performance and security demands continuing to grow and the rate of cyberthreats escalating, it is essential that your security solutions are able to stay ahead of your cyber adversaries.

Set up a call with your Fortinet representative for a demonstration of the power and performance of the industry’s only SPU-enhanced security solutions.