CLI Reference

system npu

Configure Network Processor (NP) options for FortiGates with NP6 and NP4 network processors.

Note that command availability, especially for config system npu, depends on the model used. For the purposes of documentation, the syntax provided below is from a FortiGate 1500D.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.2.

Command Description

set per-session-accounting {disable | enable-by-log | all-enable}

Configure per-session accounting for FortiGates with NP6lite processors.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.1.

Command Description

set fastpath {enable | disable}

Moved from config system np6. Enable or disable NP4 or NP6 offloading (also called fast path).

set iph-rsvd-re-cksum {enable | disable}

Removed from config system npu and added here. Enable or disable IP checksum re-calculation for packets with iph.reserved bit set.

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set rdp-offload {disable | enable}

New option to enable or disable NP6 RDP offloading.

config system npu
    set dedicated-management-cpu {enable | disable}   Enable to dedicate one CPU for GUI and CLI connections when NPs are busy.
    set fastpath {disable | enable}   Enable/disable NP6 offloading (also called fast path).
    set capwap-offload {enable | disable}   Enable/disable offloading managed FortiAP and FortiLink CAPWAP sessions.
    set ipsec-enc-subengine-mask {string}   IPsec encryption subengine mask (0x1 - 0xff, default 0xff).
    set ipsec-dec-subengine-mask {string}   IPsec decryption subengine mask (0x1 - 0xff, default 0xff).
    config port-npu-map
        # Configure port to NPU group mapping.
        edit {interface}
            set interface {string}   Set npu interface port to NPU group map. size[15]
            set npu-group-index {integer}   Mapping NPU group index. range[0-4294967295]
        next
    end
    set sw-np-bandwidth {option}   Bandwidth between NP and switch
            0G  Default value. No bandwidth control.
            2G  2Gbps.
            4G  4Gbps.
            5G  5Gbps.
            6G  6Gbps.
    set strip-esp-padding {enable | disable}   Enable/disable stripping ESP padding.
    set strip-clear-text-padding {enable | disable}   Enable/disable stripping clear text padding.
    set sse-backpressure {enable | disable}   Enable/disable sse backpressure.
    set rdp-offload {enable | disable}   Enable/disable rdp offload.
    set ipsec-over-vlink {enable | disable}   Enable/disable IPSEC over vlink.
    set mcast-session-accounting {tpe-based | session-based | disable}   Enable/disable traffic accounting for each multicast session through TAE counter.
            tpe-based      Enable TPE-based multicast session accounting.
            session-based  Enable session-based multicast session accounting.
            disable        Disable multicast session accounting.
    config priority-protocol
        set bgp {enable | disable}   Enable/disable NPU BGP priority protocol.
        set slbc {enable | disable}   Enable/disable NPU SLBC priority protocol.
        set bfd {enable | disable}   Enable/disable NPU BFD priority protocol.
    end
end

Additional information

The following section is for those options that require additional explanation.

fastpath {disable | enable}

Enable fastpath acceleration to offload sessions to the NP6 processor. You can disable fastpath if you do not want the NP6 processor to offload sessions. Enabled by default.

iph-rsvd-re-cksum {disable | enable}

NP6 and the NP6lite processors clear the iph.flags.reserved bit. This results in the packet checksum becoming incorrect because the packet is changed but the checksum is not recalculated. Since the checksum is incorrect these packets may be dropped by the network stack. You can enable this option to cause the system to re-calculate the checksum. Enabling this option may cause a minor performance reduction. This option is disabled by default.
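The behaviour described above is easy to see on a constructed IPv4 header. The following Python script is an added example and is not Fortinet code: it builds a header with the reserved flag bit set and a correct checksum, then models what the NP6 does (clear the bit) both without and with checksum recalculation. The addresses, identification, TTL and protocol values are arbitrary sample values; the helper names (`build_ipv4_header`, `clear_reserved_bit`, and so on) are the example's own.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words.

    Over a header whose checksum field is zeroed this yields the value to
    store; over a header that already carries a correct checksum it yields 0.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _with_checksum(header: bytes) -> bytes:
    """Return the header with its checksum field (bytes 10-11) recomputed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return zeroed[:10] + struct.pack("!H", internet_checksum(zeroed)) + zeroed[12:]

def build_ipv4_header(src: bytes, dst: bytes, reserved_bit: bool) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with a correct checksum.

    The flags/fragment-offset word is 0x8000 when the reserved flag bit
    (iph.flags.reserved) is set and 0 otherwise. The other field values are
    arbitrary sample values chosen for this example.
    """
    flags_frag = 0x8000 if reserved_bit else 0x0000
    without_cksum = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,        # version 4, IHL 5 words
        0x00,        # DSCP/ECN
        40,          # total length: 20-byte header + 20-byte TCP header
        0x1234,      # identification
        flags_frag,  # flags + fragment offset
        64,          # TTL
        6,           # protocol: TCP
        0,           # checksum placeholder
        src, dst,
    )
    return _with_checksum(without_cksum)

def checksum_valid(header: bytes) -> bool:
    """A correct header checksum makes the checksum over the whole header 0."""
    return internet_checksum(header) == 0

def reserved_bit_set(header: bytes) -> bool:
    return bool(struct.unpack("!H", header[6:8])[0] & 0x8000)

def clear_reserved_bit(header: bytes, recalculate: bool) -> bytes:
    """Model the NP6/NP6lite behaviour described on the page.

    The reserved flag bit is always cleared. With recalculate=False
    (iph-rsvd-re-cksum disabled) the old checksum stays in place and no
    longer matches the header; with recalculate=True (option enabled) the
    checksum is recomputed so the receiving stack accepts the packet.
    """
    flags_frag = struct.unpack("!H", header[6:8])[0] & 0x7FFF
    out = header[:6] + struct.pack("!H", flags_frag) + header[8:]
    return _with_checksum(out) if recalculate else out

if __name__ == "__main__":
    pkt = build_ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", reserved_bit=True)
    print("original header checksum valid:", checksum_valid(pkt))
    print("bit cleared, no recalculation:  ", checksum_valid(clear_reserved_bit(pkt, recalculate=False)))
    print("bit cleared, with recalculation:", checksum_valid(clear_reserved_bit(pkt, recalculate=True)))
```

The second line of output is the failure mode the option exists for: the header is well formed but its checksum is stale, so a strict host stack discards it. A packet that never had the reserved bit set passes through both paths unchanged, which is why the option costs nothing for ordinary traffic other than the recalculation itself.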

rdp-offload {disable | enable}

FortiOS supports NP6 offloading of Reliable Data Protocol (RDP) traffic. RDP is a network transport protocol that optimizes remote loading, debugging, and bulk transfer of images and data. RDP traffic uses Assigned Internet Protocol number 27 and is defined in RFC 908 and updated in RFC 1151. If your network is processing a lot of RDP traffic, offloading it can improve overall network performance.

RDP offloading is enabled by default.

dedicated-management-cpu {disable | enable}

The GUI and CLI of FortiGate units with NP6 and NP4 processors may become unresponsive when the system is under heavy processing load because NP6 or NP4 interrupts overload the CPUs preventing CPU cycles from being used for management tasks. You can improve GUI and CLI performance in this situation by enabling this option to dedicate CPU core 0 to management tasks. All management tasks are then processed by CPU 0 and NP6 or NP4 interrupts are handled by the remaining CPU cores. Disabled by default.

config port-cpu-map

Select one or more CPU cores to map to an NP6 interface. Set to all to map the NP6 interface to all CPU cores.

capwap-offload {disable | enable}

Enable offloading managed FortiAP and FortiLink CAPWAP sessions to NP6 processors. Enabled by default.

{ipsec-dec-subengine-mask | ipsec-enc-subengine-mask} <engine-mask>

Use these commands to change the number of IPsec engines used for decryption and encryption. These settings are applied to all of the NP6 processors in the FortiGate unit. <engine-mask> is a hexadecimal number in the range 0x01 to 0xff where each bit represents one IPsec engine. The default <engine-mask> is 0xff, which means all IPsec engines are used. Set a lower <engine-mask> to use fewer engines for decryption or encryption. NP6 processors use multiple IPsec engines to accelerate IPsec decryption and encryption. In some cases, out of order ESP packets can cause problems if multiple IPsec engines are running. To resolve this problem you can configure all of the NP6 processors to use fewer IPsec engines.
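Because the mask is typed by hand, a small validator that applies the rules stated above (hexadecimal, 0x01 to 0xff, one bit per engine) catches the two values the CLI syntax cannot express sensibly, 0x00 and anything above 0xff, before they reach the device. The following Python helper is an added example, not Fortinet code. It assumes that the low bits are as good a choice as any when building a mask for N engines; the page does not say which engines a given bit selects.

```python
import re

def parse_engine_mask(value: str) -> int:
    """Validate an <engine-mask> as the page defines it.

    Accepts '0xff', 'FF' or '0x0f'; rejects 0x00 (no engine enabled),
    anything above 0xff (more than the eight engine bits) and non-hex text.
    """
    text = value.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    if not re.fullmatch(r"[0-9a-f]{1,2}", text):
        raise ValueError(f"engine mask must be a hex value 0x01-0xff, got {value!r}")
    mask = int(text, 16)
    if mask == 0:
        raise ValueError("engine mask 0x00 would leave no IPsec engine enabled")
    return mask

def engines_enabled(mask: int) -> int:
    """Number of IPsec engines a mask enables (one bit per engine)."""
    return bin(mask).count("1")

def mask_for_engines(count: int) -> int:
    """Mask with the lowest `count` bits set (assumption: which engines are
    chosen does not matter, only how many)."""
    if not 1 <= count <= 8:
        raise ValueError("an NP6 engine mask covers 1 to 8 engines")
    return (1 << count) - 1

def subengine_config(enc_mask: str, dec_mask: str) -> str:
    """Render the config system npu block with both masks validated."""
    enc = parse_engine_mask(enc_mask)
    dec = parse_engine_mask(dec_mask)
    return "\n".join([
        "config system npu",
        f"    set ipsec-enc-subengine-mask 0x{enc:02x}",
        f"    set ipsec-dec-subengine-mask 0x{dec:02x}",
        "end",
    ])

if __name__ == "__main__":
    # Reduce both directions to two engines, the remedy the page describes
    # for out-of-order ESP problems.
    two = f"0x{mask_for_engines(2):02x}"
    print(subengine_config(two, two))
```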

np6-cps-optimization-mode {disable | enable}

Enable to operate NP6s in a mode optimized for more connections per second (CPS). Disabled by default.

per-session-accounting {all-enable | disable | enable-by-log}

Per-session accounting is a logging feature that allows the FortiGate to report the correct bytes/pkt numbers per session for sessions offloaded to an NP6lite processor. This information appears in traffic log messages as well as in FortiView. When offloaded sessions appear on the FortiView All Sessions console they include an icon identifying them as NP sessions. You can hover over the NP icon to see some information about the offloaded sessions. By default, per-session accounting is set to enable-by-log, which results in per-session accounting being turned on when you enable traffic logging in a policy. You can disable per-session accounting, or select all-enable to enable per-session accounting for all sessions whether or not traffic logging is enabled. Per-session accounting can affect NP6lite offloading performance, so you should only enable it if you need the accounting information. Enabling per-session accounting only supports traffic log messages and does not provide traffic flow data for sFlow or NetFlow.

strip-esp-padding {disable | enable}

strip-clear-text-padding {disable | enable}

In some situations, when clear text or ESP packets in IPsec sessions may have large amounts of layer 2 padding, the NP6 IPsec engine may not be able to process them and the session may be blocked.

If you notice dropped IPsec sessions, you could try using the following CLI options to cause the NP6 processor to strip clear text padding and ESP padding before sending the packets to the IPsec engine. With padding stripped, the session can be processed normally by the IPsec engine.

Use the following command to strip both ESP padding and clear text padding:

config system npu
    set strip-esp-padding enable
    set strip-clear-text-padding enable
end

Stripping clear text and ESP padding are both disabled by default.

host-shortcut-mode {bi-directional | host-shortcut}

Due to NP6 internal packet buffer limitations, some offloaded packets received at a 10Gbps interface and destined for a 1Gbps interface can be dropped, reducing performance for TCP and IP tunnel traffic. If you experience this performance reduction, you can use the following command to disable offloading sessions passing from 10Gbps interfaces to 1Gbps interfaces:

config system npu
    set host-shortcut-mode host-shortcut
end

Select host-shortcut to stop offloading TCP and IP tunnel packets passing from 10Gbps interfaces to 1Gbps interfaces. TCP and IP tunnel packets passing from 1Gbps interfaces to 10Gbps interfaces are still offloaded as normal.

If host-shortcut is set to the default bi-directional setting, packets in both directions are offloaded.

This option is only available if your FortiGate has 10G and 1G interfaces accelerated by NP6 processors.

sw-np-bandwidth {0G | 2G | 4G | 5G | 6G}

In some cases, the managed FortiSwitch buffer size is larger than the buffer size of the NP6 processor that receives traffic from the managed switch. If this happens, burst traffic from the managed switch may exceed the capacity of the NP6 processor and sessions may be dropped.

You can use the following command to configure bandwidth control between a managed FortiSwitch and an NP6 processor. Enabling bandwidth control can smooth burst traffic and keep the NP6 from getting overwhelmed and dropping sessions.

Use the following command to enable bandwidth control:

config system npu
    set sw-np-bandwidth {0G | 2G | 4G | 5G | 6G}
end

The default setting is 0G which means no bandwidth control. The other options limit the bandwidth to 2Gbps, 4Gbps and so on.

Supporting single large traffic streams

FortiGate devices with multiple NP6 processors support high throughput by distributing sessions to multiple NP6 processors. However, default ISF hash-based load balancing has some limitations for single traffic streams or flows that use more than 10Gbps of bandwidth. Normally, the ISF sends all of the packets in a single traffic stream over the same 10Gbps interface to an NP6 processor. If a single traffic stream is larger than 10Gbps, packets are also sent to 10Gbps interfaces that may be connected to the same NP6 or to other NP6s. Because the ISF uses hash-based load balancing, this can lead to packets being processed out of order and other potential drawbacks.

FortiGate-39x0E models (currently the 3960E and 3980E) can be configured to support single traffic flows that are larger than 10Gbps. To enable this feature, you can assign interfaces to round robin groups using the following configuration. If you assign an interface to a Round Robin group, the ISF uses round-robin load balancing to distribute incoming traffic from one stream to multiple NP6 processors. Round-robin load balancing prevents the potential problems associated with hash-based load balancing of packets from a single stream.

config system npu
    config port-npu-map
        edit <interface>
            set npu-group-index <npu-group>
        next
    end
end

<interface> is the name of an interface that receives or sends large traffic streams.

<npu-group> is the number of an NPU group. To enable round-robin load balancing, select a round-robin NPU group. Use ? to see the list of NPU groups. The output shows which groups support round robin load balancing. For example, the following output shows that NPU group 30 supports round robin load balancing to NP6 0 to 7.

set npu-group-index ?
index: npu group
0 : NP#0-7
2 : NP#0
3 : NP#1
4 : NP#2
5 : NP#3
6 : NP#4
7 : NP#5
8 : NP#6
9 : NP#7
10 : NP#0-1
11 : NP#2-3
12 : NP#4-5
13 : NP#6-7
14 : NP#0-3
15 : NP#4-7
30 : NP#0-7 - Round Robin

For example, use the following command to assign port1, port2, port17 and port18 to NPU group 30.

config system npu
    config port-npu-map
        edit port1
            set npu-group-index 30
        next
        edit port2
            set npu-group-index 30
        next
        edit port17
            set npu-group-index 30
        next
        edit port18
            set npu-group-index 30
        next
    end
end
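The group listing above is the only place the CLI tells you which indexes are round robin, and a mapping that points at a hash-based group silently keeps the behaviour the section is trying to avoid. The following Python script is an added example, not Fortinet code: it parses a copy of the `set npu-group-index ?` listing shown above, reports which groups are round robin, and renders the port-npu-map block for a list of interfaces while refusing a group the listing does not mark as round robin. The 15-character interface-name check is an assumption taken from the `size[15]` limit in the syntax summary; the function names are the example's own.

```python
import re

# Constructed copy of the `set npu-group-index ?` output shown on the page.
NPU_GROUP_LISTING = """\
index: npu group
0 : NP#0-7
2 : NP#0
3 : NP#1
4 : NP#2
5 : NP#3
6 : NP#4
7 : NP#5
8 : NP#6
9 : NP#7
10 : NP#0-1
11 : NP#2-3
12 : NP#4-5
13 : NP#6-7
14 : NP#0-3
15 : NP#4-7
30 : NP#0-7 - Round Robin
"""

# "<index> : NP#<lo>[-<hi>][ - Round Robin]"
_LINE = re.compile(r"^\s*(\d+)\s*:\s*NP#(\d+)(?:-(\d+))?(.*)$")

def parse_npu_groups(listing: str) -> dict:
    """Map group index -> {"nps": [np numbers], "round_robin": bool}."""
    groups = {}
    for line in listing.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # the "index: npu group" header, or anything unparseable
        idx, lo, hi, rest = m.groups()
        low = int(lo)
        high = int(hi) if hi else low
        groups[int(idx)] = {
            "nps": list(range(low, high + 1)),
            "round_robin": "round robin" in rest.lower(),
        }
    return groups

def round_robin_groups(groups: dict) -> list:
    """Indexes that spread one stream across NP6s instead of hashing it."""
    return sorted(i for i, g in groups.items() if g["round_robin"])

def port_npu_map_config(interfaces, group_index: int, groups: dict) -> str:
    """Render the config block from the page for the given interfaces.

    Refuses an index that is not in the listing and, because the point of
    this section is round-robin distribution, an index that is hash-based.
    """
    if group_index not in groups:
        raise ValueError(f"NPU group {group_index} is not in the listing")
    if not groups[group_index]["round_robin"]:
        raise ValueError(f"NPU group {group_index} is hash-based, not round robin")
    lines = ["config system npu", "    config port-npu-map"]
    for ifname in interfaces:
        # Assumption: the size[15] limit on the interface string applies to
        # the edit name as well.
        if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", ifname):
            raise ValueError(f"invalid interface name {ifname!r}")
        lines += [
            f"        edit {ifname}",
            f"            set npu-group-index {group_index}",
            "        next",
        ]
    lines += ["    end", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    groups = parse_npu_groups(NPU_GROUP_LISTING)
    print("round-robin groups:", round_robin_groups(groups))
    print(port_npu_map_config(["port1", "port2", "port17", "port18"], 30, groups))
```

On a different model, paste that model's own `?` output into `NPU_GROUP_LISTING` rather than assuming index 30; the listing, not the number, is what marks a group as round robin.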

Improving LAG performance on some FortiGate models

Some FortiGate models support the following command that might improve link aggregation (LAG) performance by reducing the number of dropped packets that can occur with some LAG configurations.

config system npu
    set lag-sw-out-trunk {disable | enable}
end

If you notice that NP6-accelerated LAG interface performance is lower than expected, or that sessions over LAG interfaces have excessive dropped packets, check whether your FortiGate has this option. If it is available, try enabling it and see whether performance improves.
