Fortinet black logo

Hardware Acceleration

NTurbo offloads flow-based processing

NTurbo offloads flow-based processing

For firewall sessions with flow-based security profiles, NTurbo offloads firewall and NAT sessions from the FortiGate CPU to NP7 or NP6 network processors. NTurbo distributes these sessions to different IPS engine processes spread across multiple CPU cores, ensuring a load-balanced approach for handling IPS signature/pattern matching tasks.

Without NTurbo, or with NTurbo disabled, all firewall and NAT processing is done by the FortiGate CPU and sessions requiring IPS signature/pattern matching are evenly distributed among multiple CPU cores using a round-robin distribution method.

Note

Firewall sessions that include proxy-based security profiles are never offloaded to network processors and are always processed by the FortiGate CPU.

NTurbo creates a special data path to redirect traffic from the ingress interface to IPS, and from IPS to the egress interface. NTurbo allows firewall operations to be offloaded along this path, and still allows IPS to behave as a stage in the processing pipeline, reducing the workload on the FortiGate CPU and improving overall throughput.

If NTurbo is supported by your FortiGate unit, you can use the following command to configure it:

config ips global

set np-accel-mode {basic | none}

end

basic enables NTurbo and is the default setting for FortiGate models that support NTurbo. none disables NTurbo. If the np-accel-mode option is not available, then your FortiGate does not support NTurbo.

There are some special cases (listed below) where sessions may not be offloaded by NTurbo, even when NTurbo is explicitly enabled. In these cases, the sessions are handled by the FortiGate CPU.

  • NP acceleration is disabled. For example, auto-asic-offload is disabled in the firewall policy configuration.
  • The firewall policy includes proxy-based security profiles.
  • The sessions require FortiOS session-helpers. For example, FTP sessions can not be offloaded to NP processors because FTP sessions use the FTP session helper.
  • Tunneling is enabled. Any traffic to or from a tunneled interface (IPinIP, SSL VPN, GRE, CAPWAP, etc.) cannot be offloaded by NTurbo. (However, IPsec VPN sessions can be offloaded by NTurbo if the SA can be offloaded.)

NTurbo offloads flow-based processing

For firewall sessions with flow-based security profiles, NTurbo offloads firewall and NAT sessions from the FortiGate CPU to NP7 or NP6 network processors. NTurbo distributes these sessions to different IPS engine processes spread across multiple CPU cores, ensuring a load-balanced approach for handling IPS signature/pattern matching tasks.

Without NTurbo, or with NTurbo disabled, all firewall and NAT processing is done by the FortiGate CPU and sessions requiring IPS signature/pattern matching are evenly distributed among multiple CPU cores using a round-robin distribution method.

Note

Firewall sessions that include proxy-based security profiles are never offloaded to network processors and are always processed by the FortiGate CPU.

NTurbo creates a special data path to redirect traffic from the ingress interface to IPS, and from IPS to the egress interface. NTurbo allows firewall operations to be offloaded along this path, and still allows IPS to behave as a stage in the processing pipeline, reducing the workload on the FortiGate CPU and improving overall throughput.

If NTurbo is supported by your FortiGate unit, you can use the following command to configure it:

config ips global

set np-accel-mode {basic | none}

end

basic enables NTurbo and is the default setting for FortiGate models that support NTurbo. none disables NTurbo. If the np-accel-mode option is not available, then your FortiGate does not support NTurbo.

There are some special cases (listed below) where sessions may not be offloaded by NTurbo, even when NTurbo is explicitly enabled. In these cases, the sessions are handled by the FortiGate CPU.

  • NP acceleration is disabled. For example, auto-asic-offload is disabled in the firewall policy configuration.
  • The firewall policy includes proxy-based security profiles.
  • The sessions require FortiOS session-helpers. For example, FTP sessions can not be offloaded to NP processors because FTP sessions use the FTP session helper.
  • Tunneling is enabled. Any traffic to or from a tunneled interface (IPinIP, SSL VPN, GRE, CAPWAP, etc.) cannot be offloaded by NTurbo. (However, IPsec VPN sessions can be offloaded by NTurbo if the SA can be offloaded.)