Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

Hardware Acceleration

IPSA offloads flow-based advanced pattern matching

IPSA offloads advanced or enhanced pattern matching operations required for flow-based content processing to CP8 and CP9 Content Processors. IPSA offloads enhanced pattern matching for NTurbo firewall sessions and firewall sessions that are not offloaded to NP processors. When IPSA is turned on, flow-based pattern databases are compiled and downloaded to the content processors from the IPS engine and IPS database. Flow-based pattern matching requests are redirected to the CP hardware reducing the load on the FortiGate CPU and accelerating pattern matching.

IF IPSA is supported on your FortiGate unit, you can use the following command to configure it:

config ips global

set cp-accel-mode {advanced | basic | none}

end

basic offloads basic pattern matching. advanced offloads more types of pattern matching resulting in higher throughput than basic mode. advanced is only available on FortiGate models with two or more CP8s or one or more CP9s. If the cp-accel-mode option is not available, then your FortiGate does not support IPSA.

On FortiGates with one CP8, the default cp-accel-mode is basic. Setting the mode to advanced does not change the types of pattern matching that are offloaded.

On FortiGates with two or more CP8s or one or more CP9s the default cp-accel-mode is advanced. You can set the mode to basic to offload fewer types of pattern matching.

IPSA offloads flow-based advanced pattern matching

IPSA offloads advanced or enhanced pattern matching operations required for flow-based content processing to CP8 and CP9 Content Processors. IPSA offloads enhanced pattern matching for NTurbo firewall sessions and firewall sessions that are not offloaded to NP processors. When IPSA is turned on, flow-based pattern databases are compiled and downloaded to the content processors from the IPS engine and IPS database. Flow-based pattern matching requests are redirected to the CP hardware reducing the load on the FortiGate CPU and accelerating pattern matching.

IF IPSA is supported on your FortiGate unit, you can use the following command to configure it:

config ips global

set cp-accel-mode {advanced | basic | none}

end

basic offloads basic pattern matching. advanced offloads more types of pattern matching resulting in higher throughput than basic mode. advanced is only available on FortiGate models with two or more CP8s or one or more CP9s. If the cp-accel-mode option is not available, then your FortiGate does not support IPSA.

On FortiGates with one CP8, the default cp-accel-mode is basic. Setting the mode to advanced does not change the types of pattern matching that are offloaded.

On FortiGates with two or more CP8s or one or more CP9s the default cp-accel-mode is advanced. You can set the mode to basic to offload fewer types of pattern matching.