Fixes to NTurbo and IPSA and IPSA offloads flow-based pattern matching. More information about NP7 traffic shaping added to NP7 traffic shaping. Added a disclaimer to CP9, CP9XLite, and CP9Lite capabilities.

New sections:

• diagnose sys session list and no_ofld_reason field (NP7 session information).

• diagnose sys session list no_ofld_reason field.

Previous versions of this document incorrectly stated that NP6 processors support offloading DoS policy sessions. This has been corrected throughout the document as required.

Changes to config hpe and the HPE section of Configuring individual NP6 processors.

Corrections to FortiGate 400E Bypass fast path architecture. Added information about NP6 processor support of DoS protection and offloading DoS policies.

New sections:

• Allowing offloaded IPsec packets that exceed the interface MTU.

• FortiGate 400E Bypass fast path architecture.

Renamed the section: Configuring NP7 queue protocol prioritization. New section Default NP7 queue protocol prioritization configuration.

Corrections to Disabling NP offloading for firewall policies and Disabling nTurbo for firewall policies.

Moved information about improving CPS performance to sections describing the following FortiGate models that support this feature:

• FortiGate 1200D fast path architecture.

• FortiGate 1500D fast path architecture.

• FortiGate 1500DT fast path architecture.

Updated the following sections to add information about splitting interfaces:

• FortiGate 4200F and 4201F fast path architecture.

• FortiGate 4400F and 4401F fast path architecture.

Corrections to FortiGate 80F, 81F, and 80F Bypass fast path architecture.

Changes to policy-offload-level {disable | dos-offload | full-offload}.

Correction to Disabling NP offloading for firewall policies.

New section Disabling nTurbo for firewall policies.

Removed the incorrect section "Disabling CP offloading for firewall policies".

Added more information about the NP6XLite processor to Network processors (NP7, NP6, NP6XLite, NP6Lite, and NP4) and NP6XLite processors.

More information added to NP6 session drift.

Updates to the following sections:

• FortiGate 1800F and 1801F fast path architecture.

• FortiGate 2600F and 2601F fast path architecture.

• FortiGate 4200F and 4201F fast path architecture.

• FortiGate 4400F and 4401F fast path architecture.

Fixes to NP6 session drift. Removed the information about CP9 support for a true random number generator and entropy source from CP9, CP9XLite, and CP9Lite capabilities.

New section: NP acceleration, virtual clustering, and VLAN MAC addresses.

Updated NTurbo offloads flow-based processing to clarify that NTurbo also applies to IPsec VPN sessions.

Corrected errors in the section FortiGate 100F and 101F fast path architecture.

Included NP7 in the statement "Maximum frame size for NP2, NP4, NP6, and NP7 processors is 9216 bytes." in the section Network processors (NP7, NP6, NP6XLite, NP6Lite, and NP4).

Corrected integrated switch fabric information in the following sections:

• FortiGate 300E and 301E fast path architecture.

• FortiGate 400E and 401E fast path architecture.

• FortiGate 500E and 501E fast path architecture.

• FortiGate 600E and 601E fast path architecture.

New sections:

• What's new for FortiGates with NP7 processors for FortiOS 6.2.7.

• Bandwidth control for NPU accelerated VDOM link interfaces.

• Controlling the maximum outgoing VLAN bandwidth.

• Distributing HA session synchronization packets to multiple CPUs.

• hash-tbl-spread (disable | enable}.

New options added to config hpe.

Added a bullet point about NP7 support for offloading, including IPsec traffic, over a loopback interface to NP7 session fast path requirements.

New sections:

• FPM-7630E fast path architecture.

• FortiGate-7121F fast path architecture.

• FIM-7921F fast path architecture.

• FPM-7620F fast path architecture.

Improved the information in Supporting IPsec anti-replay protection.

Corrected the output of the get hardware npu np6 port-list command in FortiGate 3600E and 3601E fast path architecture.

Added protocol 97 (ETHERIP or EoIP) to Protocols that can be offloaded by NP7 processors. Improved integration with the Hyperscale Firewall Guide.

Added information about the following new command options, see Configuring NP7 processors for details.

config system npu

set gtp-support {disable | enable}

config tcp-timeout-profile

config udp-timeout-profile

config dsw-dts-profile

config dsw-queue-dts-profile

config np-queues

end

Removed NP7 hyperscale firewall content. A new standalone Hyperscale Firewall Guide is now available.

Updated the architecture sections for most E and F models to include more information about management/HA and data processing separation. For example, see the following:

• FortiGate 1800F and 1801F fast path architecture.

• FortiGate 1100E and 1101E fast path architecture.

• FortiGate 200F and 201F fast path architecture.

• FortiGate 200E and 201E fast path architecture.

New section: FortiGate 2600F and 2601F fast path architecture.

Corrected names of encryption and authentication algorithms in NP7 session fast path requirements.

Corrected the get hardware npu np6 port-list command output in FortiGate 1100E and 1101E fast path architecture.

New section: Protocols that can be offloaded by NP7 processors.

More information and corrections about SOC4 (NP6XLite and CP9XLite) and SOC3 (NP6Lite and CP9Lite).

• Network processors (NP7, NP6, NP6XLite, NP6Lite, and NP4).

• NP6XLite processors.

• NP6Lite processors.

• Content processors (CP9, CP9XLite, CP9Lite).

• FortiGate 60F and 61F fast path architecture.

• FortiGate 80F, 81F, and 80F Bypass fast path architecture.

• FortiGate 100F and 101F fast path architecture.

• FortiGate 100E and 101E fast path architecture.

• FortiGate 200E and 201E fast path architecture.

FortiGate-4400F/4401F changes:

• New section: FortiGate 4400F and 4401F fast path architecture.
• Changes to the config system npu command:
  • Configuring NP7 processors.
  • Configuring NP7 processors.
  • Configuring NP7 processors.
  • Configuring NP7 processors.
  • Configuring NP7 processors.

Misc. changes and fixes.

Added bypass interface information to FortiGate 800D fast path architecture. Minor improvements to the bypass interface information in FortiGate 2500E fast path architecture.

New section: FortiGate 80F, 81F, and 80F Bypass fast path architecture.

Moved NP7 port mapping to individual sections in FortiGate NP7 architectures.

Improved information about how for NP7 and many more recent NP6 fast path architectures the HA interfaces are not connected to the NP7 or NP6 processors. New section: FortiGate 1800F and 1801F fast path architecture. Information about bypass mode added to FortiGate 2500E fast path architecture. Corrected the output of the diagnose npu np6 port-list command in FortiGate 3960E fast path architecture.

Hardware architectures changed:

• FortiGate 500E and 501E fast path architecture.
• FortiGate 600E and 601E fast path architecture.

Added NP6XLite content.

Hardware architectures added:

• FortiGate 60F and 61F fast path architecture.
• FortiGate 100F and 101F fast path architecture.
• FortiGate 100E and 101E fast path architecture.

Added a note about NP6 processors and traffic shaping counters to NP6 processors and traffic shaping.

Information about setting interface speeds added to FortiGate 3400E and 3401E fast path architecture and FortiGate 3600E and 3601E fast path architecture.

Minor fixes to the NP7 content.

NP7 content added. The NP7 features described in this document are supported by the FortiGate-4200F and 4201F running FortiOS 6.2.3 build 6560.

• NP7 acceleration.
• .
• .
• FortiGate 4200F and 4201F fast path architecture.

Corrected the get hardware npu np6 port-list output in FortiGate 3400E and 3401E fast path architecture.

Added information about interface groups for the following models:

• FortiGate 1100E and 1101E fast path architecture.
• FortiGate 2200E and 2201E fast path architecture.
• FortiGate 3400E and 3401E fast path architecture.
• FortiGate 3600E and 3601E fast path architecture.
• FortiGate-6000 series.

Added a note about ESP in UDP sessions (UDP port 4500) not been offloaded by NP6 processors to NP6 session fast path requirements.

Corrections to Dedicated management CPU.

Changes to Disabling NP6, NP6XLite, and NP6Lite hardware acceleration (fastpath).

FortiOS 6.2.4 document release. New feature: NTurbo support for DoS policies, see NTurbo offloads flow-based processing.

New and improved sections:

• Interface to CPU mapping.
• Multicast per-session accounting.
• Supporting IPsec anti-replay protection (new feature added to v6.2.1).
• IPv6 IPsec VPN over NPU VDOM links.
• Configuring the QoS mode for NP6-accelerated traffic.
• Recovering from an internal link failure.
• Improvements to the information about the HPE in Configuring individual NP6 processors.
• The HPE and changing BGP, SLBC, and BFD priority.
• Eliminating dropped packets on LAG interfaces.

NP6 hardware architectures added:

• FortiGate 2200E and 2201E fast path architecture.
• FortiGate 3300E and 3301E fast path architecture.
• FortiGate-6000 series.
• FortiGate-7000E platforms, starting with FortiGate-7030E fast path architecture.

Changes to the following sections to enhance information about interface, NP6, and XAUI mapping and about the HA interfaces.

• FortiGate 1100E and 1101E fast path architecture
• FortiGate 3400E and 3401E fast path architecture.
• FortiGate 3600E and 3601E fast path architecture.
• Optimizing NP6 performance by distributing traffic to XAUI links.
• Increasing NP6 offloading capacity using link aggregation groups (LAGs).

Misc edits and fixes throughout.

Added the following topics:

• FortiGate-1100E and 1101E fast path architecture.
• Improving LAG performance on some FortiGate models.

Updated Configuring individual NP6 processors topic to add link to NP6 anomaly error codes KB article.

Rearranged some topics and general cleanup.

Deleted FortiGate models not supported by this FortiOS version.

Added the following topics:

• Access control lists (ACL).
• FortiGate-400E and 401E fast path architecture.