Fortinet Document Library


Hardware Acceleration

CP9, CP9XLite, and CP9Lite capabilities

CP9, CP9XLite (found in SOC4), and CP9Lite (found in SOC3) content processors support mostly the same features, with a few exceptions noted below. The main difference between the processors is their capacity and throughput. For example, the CP9 has sixteen IPsec VPN engines while the CP9XLite has five and the CP9Lite has one. As a result, the CP9 can accelerate many more IPsec VPN sessions than the lite versions.

The CP9 content processor provides the following services:

  • Flow-based inspection (IPS and application control) pattern matching acceleration with over 10 Gbps throughput
    • IPS pre-scan/pre-match offload
    • IPS signature correlation offload
    • Full match offload (CP9 only)
    • High throughput DFA-based deep packet inspection

  • High performance VPN bulk data engine
    • IPsec and SSL/TLS protocol processor
    • DES/3DES/AES128/192/256 in accordance with FIPS46-3/FIPS81/FIPS197
    • MD5/SHA-1/SHA256/384/512-96/128/192/256 with RFC1321 and FIPS180
    • MS/KM Generation (Hash) (CP9 only)
    • HMAC in accordance with RFC2104/2403/2404 and FIPS198
    • ESN mode
    • GCM support for NSA "Suite B" (RFC6379/RFC6460) including GCM-128/256; GMAC-128/256
  • Key exchange processor that supports high performance IKE and RSA computation
    • Public key exponentiation engine with hardware CRT support
    • Primality checking for RSA key generation
    • Handshake accelerator with automatic key material generation
    • Ring oscillator (OSC) entropy source
    • Elliptic curve cryptography ECC (P-256) support for NSA "Suite B" (CP9 only)
    • Sub public key engine (PKCE) to support up to 4096-bit operation directly (4k for DH and 8k for RSA with CRT)
  • DLP fingerprint support
    • Configurable Two-Thresholds-Two-Divisors (TTTD) content chunking
