FortiGate® 3400E Series
FG-3400E/-DC and 3401E/-DC
Next Generation Firewall | Segmentation | IPS | Mobile Security
Introduction
The FortiGate 3400E series delivers high-performance threat protection and SSL inspection for large enterprises and service providers, with the flexibility to be deployed at the enterprise/cloud edge, in the data center core or internal segments. The multiple high-speed interfaces, high port density, superior security efficacy, and high throughput of the 3400E series keep your network connected and secure.
Image shows the front view of a FortiGate 3400E or 3401E network security appliance. It is a rack-mountable device with multiple LED indicators and ports visible on the front panel, labeled with numbers 1 through 6.
Key Features
Security
- Identifies thousands of applications inside network traffic for deep inspection and granular policy enforcement.
- Protects against malware, exploits, and malicious websites in both encrypted and non-encrypted traffic.
- Prevents and detects against known and unknown attacks using continuous threat intelligence from AI-powered FortiGuard Labs security services.
Performance
- Delivers industry's best threat protection performance and ultra-low latency using purpose-built Security Processor (SPU) technology.
- Provides industry-leading performance and protection for SSL encrypted traffic.
Certification
- Independently tested and validated best security effectiveness and performance.
- Received unparalleled third-party certifications from NSS Labs.
Networking
- Delivers advanced networking capabilities that seamlessly integrate with advanced layer 7 security and virtual domains (VDOMs) to offer extensive deployment flexibility, multi-tenancy, and effective utilization of resources.
- Delivers high-density, flexible combination of various high-speed interfaces to enable best TCO for customers for data center and WAN deployments.
Management
- Includes a management console that is effective, simple to use, and provides comprehensive network automation & visibility.
- Provides Zero Touch Integration with Security Fabric's Single Pane of Glass Management.
- Predefined compliance checklist analyzes the deployment and highlights best practices to improve overall security posture.
Security Fabric
- Enables Fortinet and Fabric-ready partners' products to provide broader visibility, integrated end-to-end detection, threat intelligence sharing, and automated remediation.
Performance Summary
| Firewall | IPS | NGFW | Threat Protection |
|---|---|---|---|
| 240 Gbps | 44 Gbps | 34 Gbps | 23 Gbps |
Refer to specification table for details.
Deployment Scenarios
Next Generation Firewall (NGFW)
- Reduces complexity by combining threat protection security capabilities into a single high-performance network security appliance.
- Identifies and stops threats with powerful intrusion prevention beyond port and protocol, examining actual applications in network traffic.
- Delivers industry's highest SSL inspection performance using industry-mandated ciphers while maximizing ROI.
- Proactively blocks newly discovered sophisticated attacks in real-time with advanced threat protection.
Segmentation
- Intent-based Segmentation builds a robust security framework while proactively reducing risk, cost, and complexity.
- Integrates with Security Fabric seamlessly to allow third-party solutions and continuous trust assessment, thereby preventing sophisticated attacks.
- Protects critical business applications and helps implement any compliance without network redesigns.
IPS
- Highly cost-effective mitigation of unpatched vulnerabilities for hard-to-patch systems such as IoT, ICS, and Scada.
- Protects sensitive data to achieve various regulatory compliance such as PCI, HIPAA, PII, GDPR.
- Multiple inspection engines, threat intelligence feeds, and advanced threat protection options defend against unknown threats in real-time.
- Best-of-breed intrusion prevention with high-performance SSL inspection.
Mobile Security for 4G, 5G and IoT
- SGi LAN security powered by multiple SPUs to provide high-performance CGNAT and accelerate IPv4 and IPv6 traffic.
- RAN Access Security with highly scalable and best-performing IPsec aggregation and control security gateway (SecGW).
- User plane security enabled by full Threat Protection and visibility into GTP-U inspection.
- Signaling security to inspect various protocols such as SCTP, Diameter, GTP-C, SIP and provide protection against attacks.
- High-speed interfaces enable deployment flexibility.
Diagram illustrating a FortiGate 3400E deployment in a large campus network. It shows an Internet connection feeding into a FortiGate NGFW, which is connected to FortiAP (Secure Access Point), FortiSwitch (Switching), and FortiClient (Endpoint Protection). Management is handled by FortiManager (Single Pane-of-Glass Management) and analytics by FortiAnalyzer. The diagram emphasizes Next Generation Firewall (NGFW) and Intent-based Segmentation.
Diagram illustrating a FortiGate 3400E deployment in a data center. It shows an Internet connection feeding into a FortiGate NGFW/IPS, connected to FortiClient (VPN Client) and potentially other internal network segments. Management is handled by FortiManager (Single Pane-of-Glass Management) and analytics by FortiAnalyzer. The diagram emphasizes IPS/NGFW and Intent-based Segmentation.
Hardware
FortiGate 3400E/-DC and 3401E/-DC
Image shows the front panel of a FortiGate 3401E appliance, with numbered ports and status indicators. Below the appliance image, labels indicate key technologies: NP6 (Network Processor), CP9 (Content Processor), 100GE, 40GE, AC DUAL, DC DUAL, and 4TB (internal storage).
Interfaces
- USB Management Port
- Console Port
- 2x GE RJ45 Management Ports
- 2x 25 GE SFP28 / 10 GE SFP+ / GE SFP HA Slots
- 22x 25 GE SFP28 / 10 GE SFP+ / GE SFP Slots
- 4x 100 GE QSFP28 / 40 GE QSFP+ Slots
Powered by SPU
- Custom SPU processors deliver the power needed to detect malicious content at multi-Gigabit speeds.
- Other security technologies cannot protect against today's wide range of content- and connection-based threats because they rely on general-purpose CPUs, causing a dangerous performance gap.
- SPU processors provide the performance needed to block emerging threats, meet rigorous third-party certifications, and ensure that the network security solution does not become a network bottleneck.
Network Processor (SPU NP6)
- Fortinet's new, breakthrough SPU NP6 network processor works inline with FortiOS functions, delivering:
- Superior firewall performance for IPv4/IPv6, SCTP, and multicast traffic with ultra-low latency down to 2 microseconds.
- VPN, CAPWAP, and IP tunnel acceleration.
- Anomaly-based intrusion prevention, checksum offload, and packet defragmentation.
- Traffic shaping and priority queuing.
Content Processor (SPU CP9)
- Fortinet's new, breakthrough SPU CP9 content processor works outside the direct flow of traffic and accelerates the inspection of computationally intensive security features:
- Enhanced IPS performance with unique capability of full signature matching at SPU.
- SSL Inspection capabilities based on the latest industry-mandated cipher suites.
- Encryption and decryption offloading.
100 GE Connectivity for Network
High-speed connectivity is essential for network security segmentation at the core of data networks. The FortiGate 3400E provides multiple 100 GE QSFP28 slots, simplifying network designs without relying on additional devices to bridge desired connectivity.
Fortinet Security Fabric
Security Fabric
The Security Fabric delivers broad visibility, integrated AI-driven breach prevention, and automated operations, orchestration, and response across all Fortinet and its ecosystem deployments. It allows security to dynamically expand and adapt as more and more workloads and data are added. Security seamlessly follows and protects data, users, and applications as they move between IoT, devices, and cloud environments throughout the network. All this is tied together under a single pane of glass management to deliver leading security capabilities across the entire environment while also significantly reducing complexity.
FortiGates are the foundation of Security Fabric, expanding security via visibility and control by tightly integrating with other Fortinet security products and Fabric-Ready Partner solutions.
Diagram illustrating the Fortinet Security Fabric. It depicts a central FortiGate appliance connected to various security and networking components, including FortiClient, FortiAP, FortiSwitch, FortiNAC, FortiManager, FortiAnalyzer, FortiSIEM, FortiSandbox, FortiWeb, FortiMail, FortiADC, FortiCASB, and FortiGate VM. It also shows connections to Fabric-Ready Partner solutions and APIs, emphasizing integrated visibility, detection, and automated response across the network.
FortiOS
Control all security and networking capabilities across the entire FortiGate platform with one intuitive operating system. Reduce complexity, costs, and response time with a truly consolidated next-generation security platform.
- A truly consolidated platform with a single OS and pane-of-glass for all security and networking services across all FortiGate platforms.
- Industry-leading protection: NSS Labs Recommended, VB100, AV Comparatives, and ICSA validated security and performance. Ability to leverage latest technologies such as deception-based security.
- Control thousands of applications, block the latest exploits, and filter web traffic based on millions of real-time URL ratings in addition to true TLS 1.3 support.
- Prevent, detect, and mitigate advanced attacks automatically in minutes with integrated AI-driven breach prevention and advanced threat protection.
- Improved user experience with innovative SD-WAN capabilities and ability to detect, contain and isolate threats with Intent-based Segmentation.
- Utilize SPU hardware acceleration to boost security capability performance.
Screenshot snippet showing a FortiOS interface. It displays a network topology view with devices like 'JSmith-WinPC' connected through 'ROOT-FW1' and 'ISFW-SEG1'. Traffic status, bandwidth, and vulnerability information are presented for the device.
Services
FortiGuard™ Security Services
FortiGuard Labs offers real-time intelligence on the threat landscape, delivering comprehensive security updates across the full range of Fortinet's solutions. Comprised of security threat researchers, engineers, and forensic specialists, the team collaborates with the world's leading threat monitoring organizations and other network and security vendors, as well as law enforcement agencies.
FortiCare™ Support Services
Our FortiCare customer support team provides global technical support for all Fortinet products. With support staff in the Americas, Europe, Middle East, and Asia, FortiCare offers services to meet the needs of enterprises of all sizes.
For more information, please refer to forti.net/fortiguard and forti.net/forticare.
Specifications
Interfaces and Modules
| Interfaces and Modules | FG-3400E/-DC | FG-3401E/-DC |
|---|---|---|
| 100 GE QSFP28 / 40 GE QSFP+ Slots | 4 | 4 |
| 25 GE SFP28 / 10 GE SFP+ / GE SFP Slots | 24 | 24 |
| GE RJ45 Management Ports | 2 | 2 |
| USB Ports (Client / Server) | 1 / 1 | 1 / 1 |
| Console Port | 1 | 1 |
| Internal Storage | NIL | 2x 2 TB SSD |
| Included Transceivers | 2x SFP+ (SR 10 GE) | 2x SFP+ (SR 10 GE) |
System Performance - Enterprise Traffic Mix
| System Performance - Enterprise Traffic Mix | FG-3400E/-DC | FG-3401E/-DC |
|---|---|---|
| IPS Throughput 2 | 44 Gbps | 44 Gbps |
| NGFW Throughput 2,4 | 34 Gbps | 34 Gbps |
| Threat Protection Throughput 2,5 | 23 Gbps | 23 Gbps |
System Performance and Capacity
| System Performance and Capacity | Value |
|---|---|
| Firewall Throughput (1518 / 512 / 64 byte, UDP) | 240 / 238 / 150 Gbps |
| IPv6 Firewall Throughput (1518 / 512 / 86 byte, UDP) | 240 / 238 / 150 Gbps |
| Firewall Latency (64 byte, UDP) | 4 µs |
| Firewall Throughput (Packet per Second) | 225 Mpps |
| Concurrent Sessions (TCP) | 50 Million |
| New Sessions/Second (TCP) | 460,000 |
| Firewall Policies | 200,000 |
| IPsec VPN Throughput (512 byte) 1 | 140 Gbps |
| Gateway-to-Gateway IPsec VPN Tunnels | 40,000 |
| Client-to-Gateway IPsec VPN Tunnels | 200,000 |
| SSL-VPN Throughput | 11 Gbps |
| Concurrent SSL-VPN Users (Recommended Maximum, Tunnel Mode) | 30,000 |
| SSL Inspection Throughput (IPS, avg. HTTPS) 3 | 30 Gbps |
| SSL Inspection CPS (IPS, avg. HTTPS) 3 | 14,000 |
| SSL Inspection Concurrent Session (IPS, avg. HTTPS) 3 | 4.9 Million |
| Application Control Throughput (HTTP 64K) 2 | 86 Gbps |
| CAPWAP Throughput (HTTP 64K) | 57 Gbps |
| Virtual Domains (Default / Maximum) | 10 / 500 |
| Maximum Number of FortiSwitches Supported | 256 |
| Maximum Number of FortiAPs (Total / Tunnel Mode) | 4,096 / 2,048 |
| Maximum Number of FortiTokens | 20,000 |
| Maximum Number of Registered FortiClients | 50,000 |
| High Availability Configurations | Active / Active, Active / Passive, Clustering |
Note: All performance values are "up to" and vary depending on system configuration.
1 IPsec VPN performance test uses AES256-SHA256.
2 IPS (Enterprise Mix), Application Control, NGFW and Threat Protection are measured with Logging enabled.
3 SSL Inspection performance values use an average of HTTPS sessions of different cipher suites.
4 NGFW performance is measured with Firewall, IPS and Application Control enabled.
5 Threat Protection performance is measured with Firewall, IPS, Application Control and Malware Protection enabled.
Dimensions and Power
| Dimensions and Power | FG-3400E/-DC | FG-3401E/-DC |
|---|---|---|
| Height x Width x Length (inches) | 3.5 x 17.44 x 21.89 | |
| Height x Width x Length (mm) | 88.9 x 443 x 556 | |
| Weight | 42.9 lbs (19.5 kg) | 44.3 lbs (20.1 kg) |
| Form Factor | 2 RU | |
| AC Power Supply | 100–240V AC, 60–50 Hz | |
| DC Power Supply (FG-3400E-DC, FG-3401E-DC) | 48–72VDC | |
| Power Consumption (Average / Maximum) | 513 W / 728 W | 519 W / 750 W |
| Maximum Current | 15.2A@48V | 15.3A@48V |
| Heat Dissipation | 2484 BTU/h | 2560 BTU/h |
| Redundant Power Supplies | Yes, Hot Swappable | |
Operating Environment and Certifications
| Operating Environment and Certifications | Value |
|---|---|
| Operating Temperature | 32–104°F (0–40°C) |
| Storage Temperature | -31–158°F (-35–70°C) |
| Humidity | 10–90% non-condensing |
| Noise Level | 63 dBA |
| Operating Altitude | Up to 7,400 ft (2,250 m) |
| Compliance | FCC Part 15 Class A, C-Tick, VCCI, CE, UL/cUL, CB |
| Certifications | ICSA Labs: Firewall, IPsec, IPS, Antivirus, SSL-VPN; USGv6/IPv6 |
Order Information
Products
| Product | SKU | Description |
|---|---|---|
| FortiGate 3400E | FG-3400E | 4x 100 GE QSFP28 slots and 24x 25 GE SFP28 slots (including 22x ports, 2x HA ports), 2x GE RJ45 Management ports, SPU NP6 and CP9 hardware accelerated, and 2 AC power supplies. |
| FortiGate 3400E-DC | FG-3400E-DC | 4x 100 GE QSFP28 slots and 24x 25 GE SFP28 slots (including 22x ports, 2x HA ports), 2x GE RJ45 Management ports, SPU NP6 and CP9 hardware accelerated, and 2 DC power supplies. |
| FortiGate 3401E | FG-3401E | 4x 100 GE QSFP28 slots and 24x 25 GE SFP28 slots (including 22x ports, 2x HA ports), 2x GE RJ45 Management ports, SPU NP6 and CP9 hardware accelerated, 4 TB SSD onboard storage, and 2 AC power supplies. |
| FortiGate 3401E-DC | FG-3401E-DC | 4x 100 GE QSFP28 slots and 24x 25 GE SFP28 slots (including 22x ports, 2x HA ports), 2x GE RJ45 Management ports, SPU NP6 and CP9 hardware accelerated, 4 TB SSD onboard storage, and 2 DC power supplies. |
Optional Accessories
| Accessory | SKU | Description |
|---|---|---|
| Rack Mount Sliding Rails | SP-FG3040B-RAIL | Rack mount sliding rails for FG-1000C/-DC, FG-1200D, FG-1500D/DC, FG-3040B/-DC, FG-3140B/-DC, FG-3240C/-DC, FG-3000D/-DC, FG-3100D/-DC, FG-3200D/-DC, FG-3400/3401E, FG-3600/3601E, FG-3700D/-DC, FG-3700DX, FG-3810D/-DC and FG-3950B/-DC. |
| AC power supply | SP-FG3800D-PS | AC power supply for FG-3400/3401E, FG-3600/3601E, FG-3700D, FG-3700D-NEBS, FG-3700DX, FG-3810D and FG-3815D. |
| DC power supply | SP-FG3800D-DC-PS | DC power supply for FG-3400/3401E-DC. FG-3700D-DC, FG-3700D-DC-NEBS, FG-3810D-DC, FG-3815D-DC. |
| 100 GE QSFP28 Transceiver Module, 4 Channel Parallel Fiber, Short Range | FG-TRAN-QSFP28-SR4 | 100 GE QSFP28 transceivers, 4 channel parallel fiber, short range for all systems with QSFP28 slots. |
| 100 GE QSFP28 Transceiver Module, 4 Channel Parallel Fiber, Long Range | FG-TRAN-QSFP28-LR4 | 100 GE QSFP28 transceivers, 4 channel parallel fiber, long range for all systems with QSFP28 slots. |
| 40 GE QSFP+ Transceiver Module, Short Range | FG-TRAN-QSFP+SR | 40 GE QSFP+ transceiver module, short range for all systems with QSFP+ slots. |
| 40 GE QSFP+ Transceiver Module, Short Range BiDi | FG-TRAN-QSFP+SR-BIDI | 40 GE QSFP+ transceiver module, short range BiDi for all systems with QSFP+ slots. |
| 40 GE QSFP+ Transceiver Module, Long Range | FG-TRAN-QSFP+LR | 40 GE QSFP+ transceiver module, long range for all systems with QSFP+ slots. |
| 10 GE SFP+ Transceiver Module, Short Range | FG-TRAN-SFP+SR | 10 GE SFP+ transceiver module, short range for all systems with SFP+ and SFP/SFP+ slots. |
| 10 GE SFP+ Transceiver Module, Long Range | FG-TRAN-SFP+LR | 10 GE SFP+ transceiver module, long range for all systems with SFP+ and SFP/SFP+ slots. |
| 1 GE SFP LX Transceiver Module | FG-TRAN-LX | 1 GE SFP LX transceiver module for all systems with SFP and SFP/SFP+ slots. |
| 1 GE SFP RJ45 Transceiver Module | FG-TRAN-GC | 1 GE SFP RJ45 transceiver module for all systems with SFP and SFP/SFP+ slots. |
| 1 GE SFP SX Transceiver Module | FG-TRAN-SX | 1 GE SFP SX transceiver module for all systems with SFP and SFP/SFP+ slots. |
| 10 GE SFP+ Active Direct Attach Cable, 10m / 32.8 ft | SP-CABLE-ADASFP+ | 10 GE SFP+ active direct attach cable, 10m / 32.8 ft for all systems with SFP+ and SFP/SFP+ slots. |
| 25 GE / 10 GE Dual Rate SFP28 Transceiver Module, Short Range | FG-TRAN-SFP28-SR | 25 GE / 10 GE dual rate SFP28 transceiver module, short range for all systems with SFP28/SFP+ slots. |
| 25 GE SFP28 Transceiver Module, Long Range | FG-TRAN-SFP28-LR | 25 GE SFP28 transceiver module, long range for all systems with SFP28 slots. |
Bundles
| Bundle | 360 Protection | Enterprise Protection | UTM | Threat Protection | ASE 1 | 24x7 |
|---|---|---|---|---|---|---|
| FortiCare | ● | |||||
| FortiGuard App Control Service | ● | ● | ● | ● | ● | |
| FortiGuard IPS Service | ● | ● | ● | ● | ● | |
| FortiGuard Advanced Malware Protection (AMP) - Antivirus, Mobile Malware, Botnet, CDR, Virus Outbreak Protection and FortiSandbox Cloud Service | ● | ● | ● | ● | ● | |
| FortiGuard Web Filtering Service | ● | ● | ● | ● | ● | |
| FortiGuard Antispam Service | ● | ● | ● | ● | ● | |
| FortiGuard Security Rating Service | ● | ● | ● | ● | ● | |
| FortiGuard Industrial Service | ● | ● | ● | ● | ● | |
| FortiCASB SaaS-only Service | ● | ● | ● | ● | ||
| FortiConverter Service | ● | ● | ● | |||
| SD-WAN Cloud Assisted Monitoring 2 | ● | ● | ● | |||
| SD-WAN Overlay Controller VPN Service 2 | ● | ● | ● | |||
| FortiAnalyzer Cloud 2 | ● | ● | ● | |||
| FortiManager Cloud 2 | ● | ● | ● |
1 24x7 plus Advanced Services Ticket Handling
2 Available when running FortiOS 6.2
