
Known issues


The following issues have been identified in Hyperscale firewall for FortiOS 6.2.7 Build 7105. For inquiries about a particular bug, please contact Customer Service & Support. The known issues described in the FortiOS 6.2.7 release notes also apply to Hyperscale firewall for FortiOS 6.2.7 Build 7105.

Bug ID

Description

669645

VXLAN interfaces cannot be added to a hardware switch interface.

678318

Apply NP7 acceleration to inter-VDOM link traffic by creating inter-VDOM links with the type set to npupair. For example:

config system vdom-link
    edit <name>
        set type npupair
end

692021

Only one hardware session synch interface can be configured in an HA configuration.

701987

The NP7 hyperscale firewall packet sniffer (diagnose npu sniffer) does not work for IPv4 or IPv6 VPN tunnel interfaces.

703667

FGCP HA hardware session synchronization may not synchronize all hyperscale firewall sessions to the backup FortiGate if the hyperscale firewall session includes one or more overload IP pools. The session loss rate on the backup FortiGate depends on the percentage of resource retries during session setup. The more IP pool resources that are available, the lower the loss rate.

704851

The config system session-ttl command is a VDOM command, configured from a VDOM. However, options set by this command apply to all CGNAT VDOMs and not just the VDOM in which they are set.

706696

SNMP UDP traffic passing through a FortiGate is intermittently dropped when NP7 hardware acceleration is enabled.

707729

In some cases a temporary performance reduction occurs when changing the firewall configuration or running some diagnose commands on a FortiGate under high traffic load.

709110

During startup, there may be a delay as various processes start up before sessions can be sent to the NP7 processors. Sessions received during this delay that would normally be NP7 sessions may be processed by the CPU.

709890

In some cases, SIP data sessions may be unexpectedly offloaded to NP7 processors.

710083

If the udp-idle-timer is set to a relatively high value, a FortiGate may enter into conserve mode from running lower than expected amounts of SIP traffic.

710232

HPE functionality is limited in this release. For details, see HPE limitations.

711135, 711462, 714800, 716766, 718059

Various HA-related issues can cause minor performance reductions or unexpected behavior.

714915

Changing the configuration of a hardware log server group assigned to a hyperscale firewall policy that is processing traffic may cause sessions accepted by the firewall policy to be dropped.

715532

Due to an index limit, a FortiGate may not be able to manage a FortiSwitch if the FortiGate is licensed for 500 VDOMs and you have created a large number of VDOMs (for example, over 300).

716169

SFP interfaces with speed set to 1000full will remain down after the system restarts.

716245

In the hyperscale firewall policy list, the GUI does not accurately display the number of bytes or packets processed by the explicit deny policy.

716424

The NPD process crashes if a FortiGate is under relatively high traffic load and the configuration includes the maximum number of hyperscale firewall policies, as defined in the maximum values, in multiple VDOMs.

717011

In some cases, SIP ALG traffic can cause PBA leaks and deadlocks.

717071

While editing a hyperscale firewall policy, if you edit the IP pool configuration added to the policy and enable overload, the Endpoint Independent Mapping option in the firewall policy incorrectly remains visible. Endpoint Independent Mapping is not supported for hyperscale firewall policies with overload IP pools.

717304

Time displayed by the real time clock may drift and become inaccurate. You can work around this issue by enabling NTP.

717621

In some cases, in a FortiGate with multiple NP7s, one of the NP7 processors can appear to be much busier than the others.

718356

In some cases, BGP prefixes are not cleared from the routing table used by NP7 processors after they have been removed from the kernel because the peer they point to has gone down.

718373

It may take more time than expected to install BGP prefixes in the routing table used by NP7 processors. During the delay the GUI and CLI may not be accessible.

718429

SIP RTCP sessions accepted by hyperscale firewall policies may not be offloaded to NP7 processors.

718442

SNMP queries for NAT64 session counts may not return any data.

718713

An interface that is configured to drop fragmented packets (drop-fragment set to enable) may still forward fragmented packets.

718886

In some cases, when the SIP session helper is enabled, some SIP traffic is offloaded to NP7 processors. SIP traffic should not be offloaded if the SIP session helper is enabled.

725975

Hyperscale firewall policy usage statistics are not displayed on the GUI when editing the policy.

740225

In hyperscale VDOMs, traffic may be blocked by NP7 processors if the firewall policy that accepts the traffic includes address groups with ten or more firewall addresses and one or more of the firewall addresses in the address group matches a single IP address. You can work around this problem by removing the firewall addresses that match a single IP address from the address group and adding these firewall addresses directly to the firewall policy. After making the configuration change, you should restart the FortiGate.
