NTurbo offloads flow-based processing
NTurbo offloads firewall sessions that include flow-based security profiles to NP7 or NP6 network processors. Without NTurbo, or with NTurbo disabled, all firewall sessions that include flow-based security profiles are processed by the FortiGate CPU. NTurbo can also offload DoS policy, access control list policy, and interface policy sessions. NTurbo can also offload IPsec sessions if the SA is offloadable (and it usually is).
NTurbo can only offload firewall sessions containing flow-based security profiles if the session could otherwise have been offloaded except for the presence of the flow-based security profiles. If something else prevents the session from being offloaded, NTurbo will not offload that session. |
Firewall sessions that include proxy-based security profiles are never offloaded to network processors and are always processed by the FortiGate CPU. |
NTurbo can offload DoS policy sessions ( |
NTurbo creates a special data path to redirect traffic from the ingress interface to IPS, and from IPS to the egress interface. NTurbo allows firewall operations to be offloaded along this path, and still allows IPS to behave as a stage in the processing pipeline, reducing the workload on the FortiGate CPU and improving overall throughput.
NTurbo sessions still offload pattern matching and other processes to CP processors, just like normal flow-based sessions. |
If NTurbo is supported by your FortiGate unit, you can use the following command to configure it:
config ips global
set np-accel-mode {basic | none}
end
basic
enables NTurbo and is the default setting for FortiGate models that support NTurbo. none
disables NTurbo. If the np-accel-mode
option is not available, then your FortiGate does not support NTurbo.
There are some special cases (listed below) where sessions may not be offloaded by NTurbo, even when NTurbo is explicitly enabled. In these cases, the sessions are handled by the FortiGate CPU.
- NP acceleration is disabled. For example,
auto-asic-offload
is disabled in the firewall policy configuration. - The firewall policy includes proxy-based security profiles.
- The sessions require FortiOS session-helpers. For example, FTP sessions can not be offloaded to NP processors because FTP sessions use the FTP session helper.
- Tunneling is enabled. Any traffic to or from a tunneled interface (IPinIP, SSL VPN, GRE, CAPWAP, etc.) cannot be offloaded by NTurbo. (However, IPsec VPN sessions can be offloaded by NTurbo if the SA can be offloaded.)