Fortinet white logo
Fortinet white logo

Hardware Acceleration

Change log

Change log

Date

Change description

March 24, 2023

Corrections and improvements to config port-path-option.

New sections:

Added information about splitting interfaces to:

February 17, 2023

Added all relevant options and corrected the information about the NP7 hash-config option, see hash-config {src-dst-ip | 5-tuple | src-ip}.

Deleted an incorrect statement about NP7 support for SSL VPN encryption from Network processors (NP7, NP6, NP6XLite, NP6Lite, and NP4).

January 4, 2023

Corrected information about NTurbo support and interface policies, see NTurbo offloads flow-based processing.

New section: Tunneling protocols that can be offloaded by NP7 processors.

Corrected the documented default values for many of the individual traffic types monitored by NP7 HPE, see NP7 HPE for individual traffic types.

September 27, 2022

New information about NP7 DoS policy offloading limitations added to DoS policy hardware acceleration.

September 6, 2022

Added a disclaimer to CP9, CP9XLite, and CP9Lite capabilities.

August 11, 2022

Changes to the following sections:

July 26, 2022

New section: NP6 HPE host protection engine.

July 12, 2022

Fixes to NTurbo and IPSA and IPSA offloads flow-based pattern matching. More information about NP7 traffic shaping added to NP7 traffic shaping.

May 9, 2022

New sections:

Previous versions of this document incorrectly stated that NP6 processors support offloading DoS policy sessions. This has been corrected throughout the document as required.

Changes to NP7 Host Protection Engine (HPE) and the HPE section of Configuring individual NP6 processors.

April 8, 2022

Corrections to FortiGate 400E Bypass fast path architecture. Added information about NP6 processor support of DoS protection and offloading DoS policies.

April 6, 2022

New sections:

March 2, 2022

Renamed the section: Configuring NP7 queue protocol prioritization. New section Default NP7 queue protocol prioritization configuration. Correction to Disabling NP offloading for firewall policies and Disabling nTurbo for firewall policies.

December 16, 2021

Moved information about improving CPS performance to sections describing the following FortiGate models that support this feature:

Updated the following sections to add information about splitting interfaces:

Corrected the default setting and added more information to vlan-lookup-cache {disable | enable}.

December 3, 2021

Corrections to FortiGate 80F, 81F, and 80F Bypass fast path architecture.

Changes to policy-offload-level {disable | dos-offload | full-offload}.

Correction to Disabling NP offloading for firewall policies.

New section Disabling nTurbo for firewall policies.

Removed the incorrect section "Disabling CP offloading for firewall policies".

New sections:

September 17, 2021

Added more information about the NP6XLite processor to Network processors (NP7, NP6, NP6XLite, NP6Lite, and NP4) and NP6XLite processors.

More information added to NP6 session drift.

Updates to the following sections:

September 3, 2021

Improvements to the following sections:

Removed the information about CP9 support for a true random number generator and entropy source from CP9, CP9XLite, and CP9Lite capabilities.

August 27, 2021

Improvements to NP7 Host Protection Engine (HPE).

August 26, 2021

Re-wrote the information about the NP7 HPE, see NP7 Host Protection Engine (HPE). This content is still in development, if you have comments about it you can send them to techdoc@fortinet.com.

August 17, 2021

FortiOS 6.2.9 document release, see What's new for FortiGates with NP7 processors for FortiOS 6.2.9.

Updated NP6 session fast path requirements to list support for offloading UDP traffic with a destination port of 4500 (ESP-in-UDP traffic). New section: Offloading UDP-encapsulated ESP traffic.

August 12, 2021

New section: NP acceleration, virtual clustering, and VLAN MAC addresses.

August 5, 2021

Updated NTurbo offloads flow-based processing to clarify that NTurbo also applies to IPsec VPN sessions.

Corrected errors in the section FortiGate 100F and 101F fast path architecture.

June 22, 2021

Included NP7 in the statement "Maximum frame size for NP2, NP4, NP6, and NP7 processors is 9216 bytes." in the section Network processors (NP7, NP6, NP6XLite, NP6Lite, and NP4).

Corrected integrated switch fabric information in the following sections:

June 9, 2021

New sections:

New options added to NP7 Host Protection Engine (HPE).

April 12, 2021

Added a bullet point about NP7 support for offloading, including IPsec traffic, over a loopback interface to NP7 session fast path requirements.

Improved the information in Supporting IPsec anti-replay protection.

Corrected the output of the get hardware npu np6 port-list command in FortiGate 3600E and 3601E fast path architecture.

February 26, 2021

Added protocol 97 (ETHERIP or EoIP) to Protocols that can be offloaded by NP7 processors. Improved integration with the Hyperscale Firewall Guide.

Added information about the following new command options, see Configuring NP7 processors for details.

config system npu

set gtp-support {disable | enable}

config tcp-timeout-profile

config udp-timeout-profile

config dsw-dts-profile

config dsw-queue-dts-profile

config np-queues

end

February 2, 2021

Removed NP7 hyperscale firewall content. A new standalone Hyperscale Firewall Guide is now available.

Updated the architecture sections for most E and F models to include more information about management/HA and data processing separation. For example, see the following:

New section: FortiGate 2600F and 2601F fast path architecture.

Corrected names of encryption and authentication algorithms in NP7 session fast path requirements.

December 10, 2020

Corrected the get hardware npu np6 port-list command output in FortiGate 1100E and 1101E fast path architecture.

New section: Protocols that can be offloaded by NP7 processors.

November 23, 2020

More information and corrections about SOC4 (NP6XLite and CP9XLite) and SOC3 (NP6Lite and CP9Lite).

October 23, 2020

FortiGate-4400F/4401F changes:

October 16, 2020

Misc. changes and fixes.

September 30, 2020

Added bypass interface information to FortiGate 800D fast path architecture. Minor improvements to the bypass interface information in FortiGate 2500E fast path architecture.

New section: FortiGate 80F, 81F, and 80F Bypass fast path architecture.

Moved NP7 port mapping to individual sections in FortiGate NP7 architectures.

September 14, 2020

Improved information about how for NP7 and many more recent NP6 fast path architectures the HA interfaces are not connected to the NP7 or NP6 processors. New section: FortiGate 1800F and 1801F fast path architecture. Information about bypass mode added to FortiGate 2500E fast path architecture. Corrected the output of the diagnose npu np6 port-list command in FortiGate 3960E fast path architecture.

Hardware architectures changed:

August 25, 2020

Added NP6XLite content.

Hardware architectures added:

Added a note about NP6 processors and traffic shaping counters to NP6 processors and traffic shaping.

Information about setting interface speeds added to FortiGate 3400E and 3401E fast path architecture and FortiGate 3600E and 3601E fast path architecture.

July 7, 2020

Minor fixes to the NP7 content.

July 6, 2020

NP7 content added. The NP7 features described in this document are supported by the FortiGate-4200F and 4201F running FortiOS 6.2.3 build 6560.

Corrected the get hardware npu np6 port-list output in FortiGate 3400E and 3401E fast path architecture.

Added information about interface groups for the following models:

Added a note about ESP in UDP sessions (UDP port 4500) not been offloaded by NP6 processors to NP6 session fast path requirements.

Corrections to Dedicated management CPU.

Changes to Disabling NP6, NP6XLite, and NP6Lite hardware acceleration (fastpath).

May 13, 2020

FortiOS 6.2.4 document release. New feature: NTurbo support for DoS policies, see NTurbo offloads flow-based processing.

April 3, 2020

New and improved sections:

March 17, 2020

NP6 hardware architectures added:

Changes to the following sections to enhance information about interface, NP6, and XAUI mapping and about the HA interfaces.

Misc edits and fixes throughout.

2019-08-06

Added the following topics:

  • FortiGate-1100E and 1101E fast path architecture.
  • Improving LAG performance on some FortiGate models.

2019-06-05

Updated Configuring individual NP6 processors topic to add link to NP6 anomaly error codes KB article.

2019-04-08

Rearranged some topics and general cleanup.

Deleted FortiGate models not supported by this FortiOS version.

2019-04-02

Added the following topics:

  • Access control lists (ACL).
  • FortiGate-400E and 401E fast path architecture.

2019-03-28

FortiOS 6.2 document release.

Change log

Change log

Date

Change description

March 24, 2023

Corrections and improvements to config port-path-option.

New sections:

Added information about splitting interfaces to:

February 17, 2023

Added all relevant options and corrected the information about the NP7 hash-config option, see hash-config {src-dst-ip | 5-tuple | src-ip}.

Deleted an incorrect statement about NP7 support for SSL VPN encryption from Network processors (NP7, NP6, NP6XLite, NP6Lite, and NP4).

January 4, 2023

Corrected information about NTurbo support and interface policies, see NTurbo offloads flow-based processing.

New section: Tunneling protocols that can be offloaded by NP7 processors.

Corrected the documented default values for many of the individual traffic types monitored by NP7 HPE, see NP7 HPE for individual traffic types.

September 27, 2022

New information about NP7 DoS policy offloading limitations added to DoS policy hardware acceleration.

September 6, 2022

Added a disclaimer to CP9, CP9XLite, and CP9Lite capabilities.

August 11, 2022

Changes to the following sections:

July 26, 2022

New section: NP6 HPE host protection engine.

July 12, 2022

Fixes to NTurbo and IPSA and IPSA offloads flow-based pattern matching. More information about NP7 traffic shaping added to NP7 traffic shaping.

May 9, 2022

New sections:

Previous versions of this document incorrectly stated that NP6 processors support offloading DoS policy sessions. This has been corrected throughout the document as required.

Changes to NP7 Host Protection Engine (HPE) and the HPE section of Configuring individual NP6 processors.

April 8, 2022

Corrections to FortiGate 400E Bypass fast path architecture. Added information about NP6 processor support of DoS protection and offloading DoS policies.

April 6, 2022

New sections:

March 2, 2022

Renamed the section: Configuring NP7 queue protocol prioritization. New section Default NP7 queue protocol prioritization configuration. Correction to Disabling NP offloading for firewall policies and Disabling nTurbo for firewall policies.

December 16, 2021

Moved information about improving CPS performance to sections describing the following FortiGate models that support this feature:

Updated the following sections to add information about splitting interfaces:

Corrected the default setting and added more information to vlan-lookup-cache {disable | enable}.

December 3, 2021

Corrections to FortiGate 80F, 81F, and 80F Bypass fast path architecture.

Changes to policy-offload-level {disable | dos-offload | full-offload}.

Correction to Disabling NP offloading for firewall policies.

New section Disabling nTurbo for firewall policies.

Removed the incorrect section "Disabling CP offloading for firewall policies".

New sections:

September 17, 2021

Added more information about the NP6XLite processor to Network processors (NP7, NP6, NP6XLite, NP6Lite, and NP4) and NP6XLite processors.

More information added to NP6 session drift.

Updates to the following sections:

September 3, 2021

Improvements to the following sections:

Removed the information about CP9 support for a true random number generator and entropy source from CP9, CP9XLite, and CP9Lite capabilities.

August 27, 2021

Improvements to NP7 Host Protection Engine (HPE).

August 26, 2021

Re-wrote the information about the NP7 HPE, see NP7 Host Protection Engine (HPE). This content is still in development, if you have comments about it you can send them to techdoc@fortinet.com.

August 17, 2021

FortiOS 6.2.9 document release, see What's new for FortiGates with NP7 processors for FortiOS 6.2.9.

Updated NP6 session fast path requirements to list support for offloading UDP traffic with a destination port of 4500 (ESP-in-UDP traffic). New section: Offloading UDP-encapsulated ESP traffic.

August 12, 2021

New section: NP acceleration, virtual clustering, and VLAN MAC addresses.

August 5, 2021

Updated NTurbo offloads flow-based processing to clarify that NTurbo also applies to IPsec VPN sessions.

Corrected errors in the section FortiGate 100F and 101F fast path architecture.

June 22, 2021

Included NP7 in the statement "Maximum frame size for NP2, NP4, NP6, and NP7 processors is 9216 bytes." in the section Network processors (NP7, NP6, NP6XLite, NP6Lite, and NP4).

Corrected integrated switch fabric information in the following sections:

June 9, 2021

New sections:

New options added to NP7 Host Protection Engine (HPE).

April 12, 2021

Added a bullet point about NP7 support for offloading, including IPsec traffic, over a loopback interface to NP7 session fast path requirements.

Improved the information in Supporting IPsec anti-replay protection.

Corrected the output of the get hardware npu np6 port-list command in FortiGate 3600E and 3601E fast path architecture.

February 26, 2021

Added protocol 97 (ETHERIP or EoIP) to Protocols that can be offloaded by NP7 processors. Improved integration with the Hyperscale Firewall Guide.

Added information about the following new command options, see Configuring NP7 processors for details.

config system npu

set gtp-support {disable | enable}

config tcp-timeout-profile

config udp-timeout-profile

config dsw-dts-profile

config dsw-queue-dts-profile

config np-queues

end

February 2, 2021

Removed NP7 hyperscale firewall content. A new standalone Hyperscale Firewall Guide is now available.

Updated the architecture sections for most E and F models to include more information about management/HA and data processing separation. For example, see the following:

New section: FortiGate 2600F and 2601F fast path architecture.

Corrected names of encryption and authentication algorithms in NP7 session fast path requirements.

December 10, 2020

Corrected the get hardware npu np6 port-list command output in FortiGate 1100E and 1101E fast path architecture.

New section: Protocols that can be offloaded by NP7 processors.

November 23, 2020

More information and corrections about SOC4 (NP6XLite and CP9XLite) and SOC3 (NP6Lite and CP9Lite).

October 23, 2020

FortiGate-4400F/4401F changes:

October 16, 2020

Misc. changes and fixes.

September 30, 2020

Added bypass interface information to FortiGate 800D fast path architecture. Minor improvements to the bypass interface information in FortiGate 2500E fast path architecture.

New section: FortiGate 80F, 81F, and 80F Bypass fast path architecture.

Moved NP7 port mapping to individual sections in FortiGate NP7 architectures.

September 14, 2020

Improved information about how for NP7 and many more recent NP6 fast path architectures the HA interfaces are not connected to the NP7 or NP6 processors. New section: FortiGate 1800F and 1801F fast path architecture. Information about bypass mode added to FortiGate 2500E fast path architecture. Corrected the output of the diagnose npu np6 port-list command in FortiGate 3960E fast path architecture.

Hardware architectures changed:

August 25, 2020

Added NP6XLite content.

Hardware architectures added:

Added a note about NP6 processors and traffic shaping counters to NP6 processors and traffic shaping.

Information about setting interface speeds added to FortiGate 3400E and 3401E fast path architecture and FortiGate 3600E and 3601E fast path architecture.

July 7, 2020

Minor fixes to the NP7 content.

July 6, 2020

NP7 content added. The NP7 features described in this document are supported by the FortiGate-4200F and 4201F running FortiOS 6.2.3 build 6560.

Corrected the get hardware npu np6 port-list output in FortiGate 3400E and 3401E fast path architecture.

Added information about interface groups for the following models:

Added a note about ESP in UDP sessions (UDP port 4500) not been offloaded by NP6 processors to NP6 session fast path requirements.

Corrections to Dedicated management CPU.

Changes to Disabling NP6, NP6XLite, and NP6Lite hardware acceleration (fastpath).

May 13, 2020

FortiOS 6.2.4 document release. New feature: NTurbo support for DoS policies, see NTurbo offloads flow-based processing.

April 3, 2020

New and improved sections:

March 17, 2020

NP6 hardware architectures added:

Changes to the following sections to enhance information about interface, NP6, and XAUI mapping and about the HA interfaces.

Misc edits and fixes throughout.

2019-08-06

Added the following topics:

  • FortiGate-1100E and 1101E fast path architecture.
  • Improving LAG performance on some FortiGate models.

2019-06-05

Updated Configuring individual NP6 processors topic to add link to NP6 anomaly error codes KB article.

2019-04-08

Rearranged some topics and general cleanup.

Deleted FortiGate models not supported by this FortiOS version.

2019-04-02

Added the following topics:

  • Access control lists (ACL).
  • FortiGate-400E and 401E fast path architecture.

2019-03-28

FortiOS 6.2 document release.