Parallel Path Processing

Doc ID: aee15d53-a99c-11e9-81a4-00505692583a:101221

Parallel Path Processing (PPP) uses the firewall policy configuration to choose, from a group of parallel options, the optimal path for processing a packet. Most FortiOS features are applied through firewall policies, and the features a policy applies determine the path a packet takes. Using firewall policies you can impose UTM/NGFW processing on content traffic that may carry security threats (such as HTTP, email and so on). Many UTM/NGFW processes are offloaded to and accelerated by CP8 or CP9 content processors. Using the policy configuration you can apply a range of protection, from basic IPS attack protection that looks for network-based attacks to full-scale advanced threat management (ATM), application control, antivirus, DLP and so on.

You can also create policies for traffic that does not pose security threats and bypass UTM/NGFW checking for it. Used selectively, this control lets you improve network performance without compromising security: limit the exemption to traffic you have assessed as low risk, because packets matching such a policy receive no content inspection at all. On FortiGates with network processors (for example the NP6), much of the traffic that does not require UTM/NGFW processing can be offloaded to the NP6 processors, freeing up FortiGate CPU resources for other, higher-risk traffic.

In addition, many FortiGate models support NTurbo, which offloads flow-based UTM/NGFW sessions to network processors. Flow-based sessions can also be accelerated using IPSA technology, which enhances the offloading of pattern matching to CP8 and CP9 content processors.
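As an added example (not code from the Fortinet page), the following FortiOS CLI configuration, written in 6.2-style syntax where inspection mode is set per policy, defines three policies that send traffic down three different processing paths: flow-based UTM/NGFW (eligible for NTurbo and IPSA), proxy-based UTM/NGFW (stays on the CPU, with CP-accelerated scanning), and no UTM/NGFW with NP6 offload. The interface, address, custom service and profile names are assumptions chosen for illustration, and the `#` lines are explanatory comments. The global `ips global` settings and the `diagnose` commands at the end are the knobs and the check a practitioner would use to confirm which path a session actually took.

```text
# Added example: three firewall policies, three processing paths.
# Names (port1/port2/port3, lan-users, mail-relays, backup-*,
# backup-tcp-9000) are assumptions for illustration.

config firewall policy
    # Path 1: flow-based UTM/NGFW. The session is eligible for NTurbo
    # (NP offload of the flow-based session) and IPSA (pattern matching
    # offloaded to the CP8/CP9).
    edit 10
        set name "lan-to-wan-web-flow"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "lan-users"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set nat enable
    next
    # Path 2: proxy-based UTM/NGFW for mail. The proxy terminates the
    # session, so it cannot be offloaded to the NP; only AV/IPS scanning
    # is accelerated by the CP.
    edit 20
        set name "lan-to-wan-mail-proxy"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "lan-users"
        set dstaddr "mail-relays"
        set action accept
        set schedule "always"
        set service "SMTP" "SMTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set emailfilter-profile "default"
        set ips-sensor "default"
        set nat enable
    next
    # Path 3: no UTM/NGFW. Once the kernel has created the session, the
    # NP6 forwards the remaining packets without involving the CPU.
    # Reserve this for traffic you have assessed as low risk: nothing on
    # this policy is content-inspected.
    edit 30
        set name "backup-replication-no-utm"
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "backup-servers"
        set dstaddr "backup-targets"
        set action accept
        set schedule "always"
        set service "backup-tcp-9000"
        set utm-status disable
        set auto-asic-offload enable
        set nat disable
    next
end

# NTurbo and IPSA are enabled globally for flow-based IPS, not per policy.
# np-accel-mode: none | basic (NTurbo)
# cp-accel-mode: none | basic | advanced (IPSA)
config ips global
    set np-accel-mode basic
    set cp-accel-mode advanced
end

# Check which path a live session took. Sessions the NP has accepted show
# an "npu info" line; "offload=8/8" means both directions are offloaded,
# "0/0" means the CPU keeps the session. Exact field names vary by release.
diagnose sys session filter policy 30
diagnose sys session list
diagnose sys session filter clear
```

If the session list for policy 30 shows no offload even though `auto-asic-offload` is enabled, the usual reasons are a feature on the path that the NP cannot handle (for example a session helper, or traffic shaping on some models) or a packet type the NP does not accelerate; in that case the session stays on the CPU path described in the process list below.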

This chapter begins with an overview of packet flow ingress and egress, and includes a section that shows how NP6 offloading optimizes packet flow, both for packets that don't require UTM/NGFW processing and for packets that use NTurbo to offload flow-based UTM/NGFW processing.

Next, this chapter breaks down how packets pass through UTM/NGFW processing, for both single-pass flow-based and proxy-based UTM/NGFW processing.

High-level list of processes that affect packets

In general, packets passing through a FortiGate can be affected by the following processes. This is a complete high-level list of all of the processes, but not every packet sees all of them: the processes a packet encounters depend on the type of packet and on the FortiGate software and hardware configuration.

  • Ingress packet flow
    • Network Interface
    • TCP/IP stack
    • DoS Policy
    • IP integrity header checking
    • IPsec VPN decryption
  • Admission Control
    • Quarantine
    • FortiTelemetry
    • User Authentication
  • Kernel
    • Destination NAT
    • Routing (including SD-WAN)
    • Botnet check
    • Stateful inspection/Policy Lookup/Session management
    • Session Helpers
    • User Authentication
    • Device Identification
    • SSL VPN
    • Local Management Traffic
  • UTM/NGFW
    • Flow-based inspection
      • NTurbo
      • IPSA
    • Proxy-based inspection
    • Explicit Web Proxy
  • Kernel
    • Forwarding
    • Source NAT (SNAT)
  • Egress packet flow
    • IPsec VPN Encryption
    • Traffic shaping
    • WAN Optimization
    • TCP/IP stack
    • Network Interface
