Fortinet Document Library
Version:
7.2.0
7.0.5
7.0.1
Version:
7.0.0
6.4.9
6.4.8
Version:
6.4.6
6.4.5
6.2.9
Version:
6.2.7
6.0.0
5.6.0
Table of Contents
Hardware acceleration
Whats new
What's new for FortiGates with NP7 processors for FortiOS 6.2.7
Content processors (CP9, CP9XLite, CP9Lite)
CP9, CP9XLite, and CP9Lite capabilities
CP8 capabilities
CP6 capabilities
CP5 capabilities
CP4 capabilities
Determining the content processor in your FortiGate unit
Viewing SSL acceleration status
Security processors (SPs)
SP processing flow
Displaying information about security processing modules
Network processors (NP7, NP6, NP6XLite, NP6Lite, and NP4)
Accelerated sessions on FortiView All Sessions page
NP session offloading in HA active-active configuration
Configuring NP HMAC check offloading
Software switch interfaces and NP processors
Disabling NP offloading for firewall policies
Disabling NP offloading for individual IPsec VPN phase 1s
Disabling NP offloading for unsupported IPsec encryption or authentication algorithms
NP acceleration, virtual clustering, and VLAN MAC addresses
Determining the network processors installed in your FortiGate
NP hardware acceleration alters packet flow
NP7, NP6, NP6XLite, and NP6Lite traffic logging and monitoring
sFlow and NetFlow and hardware acceleration
Checking that traffic is offloaded by NP processors
Dedicated management CPU
Preventing packet ordering problems
Strict protocol header checking disables hardware acceleration
NTurbo and IPSA
NTurbo offloads flow-based processing
Disabling nTurbo for firewall policies
IPSA offloads flow-based advanced pattern matching
NP7 acceleration
NP7 session fast path requirements
Mixing fast path and non-fast path traffic
Protocols that can be offloaded by NP7 processors
Viewing your FortiGate NP7 processor configuration
NP7 performance optimized over KR links
Bandwidth control for NPU accelerated VDOM link interfaces
Controlling the maximum outgoing VLAN bandwidth
Per-session accounting for offloaded NP7 sessions
Enabling per-session accounting
Enabling multicast per-session accounting
Changing the per-session accounting interval
Increasing NP7 offloading capacity using link aggregation groups (LAGs)
NP7 processors and redundant interfaces
Configuring inter-VDOM link acceleration with NP7 processors
Using VLANs to add more accelerated inter-VDOM links
Confirm that the traffic is accelerated
Reassembling and offloading fragmented packets
NP7 queue-based traffic management
Disabling offloading IPsec Diffie-Hellman key exchange
Access control lists (ACLs)
DoS policy hardware acceleration
Distributing HA session synchronization packets to multiple CPUs
Configuring NP7 processors
dedicated-management-cpu {disable | enable}
ipsec-ob-np-sel {RR | packet | hash}
policy-offload-level {disable | dos-offload | full-offload}
hash-config {5T | sip}
hash-config {src-dst-ip | src-ip}
ippool-overload-low
ippool-overload-high
dse-timeout
capwap-offload {disable | enable}
default-qos-type {policing | shaping}
gtp-support {disable | enable}
per-session-accounting {disable | enable | traffic-log-only}
session-acct-interval
max-session-timeout
mcast-session-accounting {tpe-based | session-based | disable}
hash-tbl-spread (disable | enable}
inbound-dscp-copy-port
[
...]
config port-npu-map
config port-path-option
config dos-options
config tcp-timeout-profile
config udp-timeout-profile
config hpe
config priority-protocol
config fp-anomaly
config ip-reassembly
config dsw-dts-profile
config dsw-queue-dts-profile
Configuring NP7 queue protocol prioritization
Default NP7 queue protocol prioritization configuration
Changing NP7 TCP session setup
NP7 diagnose commands
diagnose npu np7 (display NP7 information)
diagnose sys session list and no_ofld_reason field (NP7 session information)
FortiGate NP7 architectures
FortiGate 1800F and 1801F fast path architecture
FortiGate 2600F and 2601F fast path architecture
FortiGate 4200F and 4201F fast path architecture
FortiGate 4400F and 4401F fast path architecture
FortiGate-7121F fast path architecture
FIM-7921F fast path architecture
FPM-7620F fast path architecture
NP6, NP6XLite, and NP6Lite acceleration
NP6 session fast path requirements
NP6XLite processors
NP6Lite processors
NP6 processors and traffic shaping
NP Direct
Viewing your FortiGate NP6, NP6XLite, or NP6Lite processor configuration
Disabling NP6, NP6XLite, and NP6Lite hardware acceleration (fastpath)
Optimizing NP6 performance by distributing traffic to XAUI links
Enabling bandwidth control between the ISF and NP6 XAUI ports to reduce the number of dropped egress packets
Increasing NP6 offloading capacity using link aggregation groups (LAGs)
NP6 processors and redundant interfaces
Improving LAG performance on some FortiGate models
Eliminating dropped packets on LAG interfaces
Configuring inter-VDOM link acceleration with NP6 processors
Using VLANs to add more accelerated inter-VDOM link interfaces
Confirm that the traffic is accelerated
IPv6 IPsec VPN over NPU VDOM links
Disabling offloading IPsec Diffie-Hellman key exchange
Supporting IPsec anti-replay protection
Access control lists (ACLs)
Configuring individual NP6 processors
The HPE and changing BGP, SLBC, and BFD priority
Per-session accounting for offloaded NP6, NP6XLite, and NP6Lite sessions
Multicast per-session accounting
Configuring NP6 session timeouts
Configure the number of IPsec engines NP6 processors use
Stripping clear text padding and IPsec session ESP padding
Disabling NP6 and NP6XLite CAPWAP offloading
Optionally disable NP6 offloading of traffic passing between 10Gbps and 1Gbps interfaces
Offloading RDP traffic
NP6 session drift
Optimizing FortiGate 3960E and 3980E IPsec VPN performance
FortiGate 3960E and 3980E support for high throughput traffic streams
Recalculating packet checksums if the iph.reserved bit is set to 0
NP6 IPsec engine status monitoring
Interface to CPU mapping
Allowing offloaded IPsec packets that exceed the interface MTU
Configuring the QoS mode for NP6-accelerated traffic
Recovering from an internal link failure
NP6 get and diagnose commands
get hardware npu np6
diagnose npu np6
diagnose npu np6 npu-feature (verify enabled NP6 features)
diagnose npu np6xlite npu-feature (verify enabled NP6Lite features)
diagnose npu np6lite npu-feature (verify enabled NP6Lite features)
diagnose sys session/session6 list (view offloaded sessions)
diagnose sys session list no_ofld_reason field
diagnose npu np6 session-stats
(number of NP6 IPv4 and IPv6 sessions)
diagnose npu np6 ipsec-stats (NP6 IPsec statistics)
diagnose npu np6 sse-stats
(number of NP6 sessions and dropped sessions)
diagnose npu np6 dce
(number of dropped NP6 packets)
diagnose hardware deviceinfo nic
(number of packets dropped by an interface)
diagnose npu np6 synproxy-stats (NP6 SYN-proxied sessions and unacknowledged SYNs)
FortiGate NP6 architectures
FortiGate 300D fast path architecture
FortiGate 300E and 301E fast path architecture
FortiGate 400D fast path architecture
FortiGate 400E and 401E fast path architecture
FortiGate 400E Bypass fast path architecture
FortiGate 500D fast path architecture
FortiGate 500E and 501E fast path architecture
FortiGate 600E and 601E fast path architecture
FortiGate 600D fast path architecture
FortiGate 800D fast path architecture
FortiGate 900D fast path architecture
FortiGate 1000D fast path architecture
FortiGate 1100E and 1101E fast path architecture
FortiGate 1200D fast path architecture
FortiGate 1500D fast path architecture
FortiGate 1500DT fast path architecture
FortiGate 2000E fast path architecture
FortiGate 2200E and 2201E fast path architecture
FortiGate 2500E fast path architecture
FortiGate 3000D fast path architecture
FortiGate 3100D fast path architecture
FortiGate 3200D fast path architecture
FortiGate 3300E and 3301E fast path architecture
FortiGate 3400E and 3401E fast path architecture
FortiGate 3600E and 3601E fast path architecture
FortiGate 3700D fast path architecture
FortiGate 3700DX fast path architecture
FortiGate 3800D fast path architecture
FortiGate 3810D fast path architecture
FortiGate 3815D fast path architecture
FortiGate 3960E fast path architecture
FortiGate 3980E fast path architecture
FortiGate-5001D fast path architecture
FortiGate-5001E and 5001E1 fast path architecture
FortiGate-6000 series
FortiController-5902D fast path architecture
FortiGate-7030E fast path architecture
FortiGate-7040E fast path architecture
FortiGate-7060E fast path architecture
FIM-7901E fast path architecture
FIM-7904E fast path architecture
FIM-7910E fast path architecture
FIM-7920E fast path architecture
FPM-7620E fast path architecture
FPM-7630E fast path architecture
FortiGate NP6XLite architectures
FortiGate 60F and 61F fast path architecture
FortiGate 80F, 81F, and 80F Bypass fast path architecture
FortiGate 100F and 101F fast path architecture
FortiGate 200F and 201F fast path architecture
FortiGate NP6Lite architectures
FortiGate 100E and 101E fast path architecture
FortiGate 200E and 201E fast path architecture
Change log
Home
FortiGate / FortiOS 6.2.7
Hardware Acceleration
Hardware Acceleration
Hardware acceleration
Whats new
What's new for FortiGates with NP7 processors for FortiOS 6.2.7
Content processors (CP9, CP9XLite, CP9Lite)
CP9, CP9XLite, and CP9Lite capabilities
CP8 capabilities
CP6 capabilities
CP5 capabilities
CP4 capabilities
Determining the content processor in your FortiGate unit
Viewing SSL acceleration status
Security processors (SPs)
SP processing flow
Displaying information about security processing modules
Network processors (NP7, NP6, NP6XLite, NP6Lite, and NP4)
Accelerated sessions on FortiView All Sessions page
NP session offloading in HA active-active configuration
Configuring NP HMAC check offloading
Software switch interfaces and NP processors
Disabling NP offloading for firewall policies
Disabling NP offloading for individual IPsec VPN phase 1s
Disabling NP offloading for unsupported IPsec encryption or authentication algorithms
NP acceleration, virtual clustering, and VLAN MAC addresses
Determining the network processors installed in your FortiGate
NP hardware acceleration alters packet flow
NP7, NP6, NP6XLite, and NP6Lite traffic logging and monitoring
sFlow and NetFlow and hardware acceleration
Checking that traffic is offloaded by NP processors
Dedicated management CPU
Preventing packet ordering problems
Strict protocol header checking disables hardware acceleration
NTurbo and IPSA
NTurbo offloads flow-based processing
Disabling nTurbo for firewall policies
IPSA offloads flow-based advanced pattern matching
NP7 acceleration
NP7 session fast path requirements
Mixing fast path and non-fast path traffic
Protocols that can be offloaded by NP7 processors
Viewing your FortiGate NP7 processor configuration
NP7 performance optimized over KR links
Bandwidth control for NPU accelerated VDOM link interfaces
Controlling the maximum outgoing VLAN bandwidth
Per-session accounting for offloaded NP7 sessions
Enabling per-session accounting
Enabling multicast per-session accounting
Changing the per-session accounting interval
Increasing NP7 offloading capacity using link aggregation groups (LAGs)
NP7 processors and redundant interfaces
Configuring inter-VDOM link acceleration with NP7 processors
Using VLANs to add more accelerated inter-VDOM links
Confirm that the traffic is accelerated
Reassembling and offloading fragmented packets
NP7 queue-based traffic management
Disabling offloading IPsec Diffie-Hellman key exchange
Access control lists (ACLs)
DoS policy hardware acceleration
Distributing HA session synchronization packets to multiple CPUs
Configuring NP7 processors
dedicated-management-cpu {disable | enable}
ipsec-ob-np-sel {RR | packet | hash}
policy-offload-level {disable | dos-offload | full-offload}
hash-config {5T | sip}
hash-config {src-dst-ip | src-ip}
ippool-overload-low
ippool-overload-high
dse-timeout
capwap-offload {disable | enable}
default-qos-type {policing | shaping}
gtp-support {disable | enable}
per-session-accounting {disable | enable | traffic-log-only}
session-acct-interval
max-session-timeout
mcast-session-accounting {tpe-based | session-based | disable}
hash-tbl-spread (disable | enable}
inbound-dscp-copy-port
[
...]
config port-npu-map
config port-path-option
config dos-options
config tcp-timeout-profile
config udp-timeout-profile
config hpe
config priority-protocol
config fp-anomaly
config ip-reassembly
config dsw-dts-profile
config dsw-queue-dts-profile
Configuring NP7 queue protocol prioritization
Default NP7 queue protocol prioritization configuration
Changing NP7 TCP session setup
NP7 diagnose commands
diagnose npu np7 (display NP7 information)
diagnose sys session list and no_ofld_reason field (NP7 session information)
FortiGate NP7 architectures
FortiGate 1800F and 1801F fast path architecture
FortiGate 2600F and 2601F fast path architecture
FortiGate 4200F and 4201F fast path architecture
FortiGate 4400F and 4401F fast path architecture
FortiGate-7121F fast path architecture
FIM-7921F fast path architecture
FPM-7620F fast path architecture
NP6, NP6XLite, and NP6Lite acceleration
NP6 session fast path requirements
NP6XLite processors
NP6Lite processors
NP6 processors and traffic shaping
NP Direct
Viewing your FortiGate NP6, NP6XLite, or NP6Lite processor configuration
Disabling NP6, NP6XLite, and NP6Lite hardware acceleration (fastpath)
Optimizing NP6 performance by distributing traffic to XAUI links
Enabling bandwidth control between the ISF and NP6 XAUI ports to reduce the number of dropped egress packets
Increasing NP6 offloading capacity using link aggregation groups (LAGs)
NP6 processors and redundant interfaces
Improving LAG performance on some FortiGate models
Eliminating dropped packets on LAG interfaces
Configuring inter-VDOM link acceleration with NP6 processors
Using VLANs to add more accelerated inter-VDOM link interfaces
Confirm that the traffic is accelerated
IPv6 IPsec VPN over NPU VDOM links
Disabling offloading IPsec Diffie-Hellman key exchange
Supporting IPsec anti-replay protection
Access control lists (ACLs)
Configuring individual NP6 processors
The HPE and changing BGP, SLBC, and BFD priority
Per-session accounting for offloaded NP6, NP6XLite, and NP6Lite sessions
Multicast per-session accounting
Configuring NP6 session timeouts
Configure the number of IPsec engines NP6 processors use
Stripping clear text padding and IPsec session ESP padding
Disabling NP6 and NP6XLite CAPWAP offloading
Optionally disable NP6 offloading of traffic passing between 10Gbps and 1Gbps interfaces
Offloading RDP traffic
NP6 session drift
Optimizing FortiGate 3960E and 3980E IPsec VPN performance
FortiGate 3960E and 3980E support for high throughput traffic streams
Recalculating packet checksums if the iph.reserved bit is set to 0
NP6 IPsec engine status monitoring
Interface to CPU mapping
Allowing offloaded IPsec packets that exceed the interface MTU
Configuring the QoS mode for NP6-accelerated traffic
Recovering from an internal link failure
NP6 get and diagnose commands
get hardware npu np6
diagnose npu np6
diagnose npu np6 npu-feature (verify enabled NP6 features)
diagnose npu np6xlite npu-feature (verify enabled NP6Lite features)
diagnose npu np6lite npu-feature (verify enabled NP6Lite features)
diagnose sys session/session6 list (view offloaded sessions)
diagnose sys session list no_ofld_reason field
diagnose npu np6 session-stats
(number of NP6 IPv4 and IPv6 sessions)
diagnose npu np6 ipsec-stats (NP6 IPsec statistics)
diagnose npu np6 sse-stats
(number of NP6 sessions and dropped sessions)
diagnose npu np6 dce
(number of dropped NP6 packets)
diagnose hardware deviceinfo nic
(number of packets dropped by an interface)
diagnose npu np6 synproxy-stats (NP6 SYN-proxied sessions and unacknowledged SYNs)
FortiGate NP6 architectures
FortiGate 300D fast path architecture
FortiGate 300E and 301E fast path architecture
FortiGate 400D fast path architecture
FortiGate 400E and 401E fast path architecture
FortiGate 400E Bypass fast path architecture
FortiGate 500D fast path architecture
FortiGate 500E and 501E fast path architecture
FortiGate 600E and 601E fast path architecture
FortiGate 600D fast path architecture
FortiGate 800D fast path architecture
FortiGate 900D fast path architecture
FortiGate 1000D fast path architecture
FortiGate 1100E and 1101E fast path architecture
FortiGate 1200D fast path architecture
FortiGate 1500D fast path architecture
FortiGate 1500DT fast path architecture
FortiGate 2000E fast path architecture
FortiGate 2200E and 2201E fast path architecture
FortiGate 2500E fast path architecture
FortiGate 3000D fast path architecture
FortiGate 3100D fast path architecture
FortiGate 3200D fast path architecture
FortiGate 3300E and 3301E fast path architecture
FortiGate 3400E and 3401E fast path architecture
FortiGate 3600E and 3601E fast path architecture
FortiGate 3700D fast path architecture
FortiGate 3700DX fast path architecture
FortiGate 3800D fast path architecture
FortiGate 3810D fast path architecture
FortiGate 3815D fast path architecture
FortiGate 3960E fast path architecture
FortiGate 3980E fast path architecture
FortiGate-5001D fast path architecture
FortiGate-5001E and 5001E1 fast path architecture
FortiGate-6000 series
FortiController-5902D fast path architecture
FortiGate-7030E fast path architecture
FortiGate-7040E fast path architecture
FortiGate-7060E fast path architecture
FIM-7901E fast path architecture
FIM-7904E fast path architecture
FIM-7910E fast path architecture
FIM-7920E fast path architecture
FPM-7620E fast path architecture
FPM-7630E fast path architecture
FortiGate NP6XLite architectures
FortiGate 60F and 61F fast path architecture
FortiGate 80F, 81F, and 80F Bypass fast path architecture
FortiGate 100F and 101F fast path architecture
FortiGate 200F and 201F fast path architecture
FortiGate NP6Lite architectures
FortiGate 100E and 101E fast path architecture
FortiGate 200E and 201E fast path architecture
Change log
6.2.7
7.2.0
7.0.5
7.0.1
7.0.0
6.4.9
6.4.8
6.4.6
6.4.5
6.2.9
6.2.7
6.0.0
5.6.0
Download PDF
Copy Link
FortiGate NP6XLite architectures
This chapter shows the NP6XLite architecture for FortiGate models that include NP6XLite processors.
FortiGate NP6XLite architectures
This chapter shows the NP6XLite architecture for FortiGate models that include NP6XLite processors.
Link
PDF
TOC
