Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

Hardware Acceleration

Checking that traffic is offloaded by NP processors

A number of diagnose commands can be used to verify that traffic is being offloaded.

Using the packet sniffer

Use the packet sniffer to verify that traffic is offloaded. Offloaded traffic is not picked up by the packet sniffer so if you are sending traffic through the FortiGate unit and it is not showing up on the packet sniffer you can conclude that it is offloaded.

diag sniffer packet port1 <option>

Note

If you want the packet sniffer to be able to see offloaded traffic you can temporarily disable offloading the traffic, run the packet sniffer to view it and then re-enable offloading. As an example, you may want to sniff the traffic that is accepted by a specific firewall policy. You can edit the policy and set the auto-asic-offload option to disable to disable offloading this traffic.You can also disable offloading for IPsec VPN traffic, see Network processors (NP6, NP6XLite, and NP6Lite).

Checking the firewall session offload tag

Use the diagnose sys session list command to display sessions. If the output for a session includes the npu info field you should see information about session being offloaded. If the output doesn’t contain an npu info field then the session has not been offloaded.

diagnose sys session list

session info: proto=6 proto_state=01 duration=34 expire=3565 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper=

reply-shaper=

per_ip_shaper=

ha_id=0 policy_dir=0 tunnel=/

state=may_dirty npu

statistic(bytes/packets/allow_err): org=295/3/1 reply=60/1/1 tuples=2

orgin->sink: org pre->post, reply pre->post dev=48->6/6->48 gwy=10.1.100.11/11.11.11.1

hook=pre dir=org act=noop 172.16.200.55:56453->10.1.100.11:80(0.0.0.0:0)

hook=post dir=reply act=noop 10.1.100.11:80->172.16.200.55:56453(0.0.0.0:0)

pos/(before,after) 0/(0,0), 0/(0,0)

misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=4

serial=0000091c tos=ff/ff ips_view=0 app_list=0 app=0

dd_type=0 dd_mode=0

per_ip_bandwidth meter: addr=172.16.200.55, bps=393

npu_state=00000000

npu info: flag=0x81/0x81, offload=4/4, ips_offload=0/0, epid=1/23, ipid=23/1, vlan=32779/0

Verifying IPsec VPN traffic offloading

The following commands can be used to verify IPsec VPN traffic offloading to NP processors.

diagnose vpn ipsec status

NPl/NP2/NP4_0/sp_0_0:

null: 0 0

des: 0 0

3des: 4075 4074

aes: 0 0

aria: 0 0

seed: 0 0

null: 0 0

md5: 4075 4074

sha1: 0 0

sha256: 0 0

sha384: 0 0

sha512: 0 0

diagnose vpn tunnel list

list all ipsec tunnel in vd 3

------------------------------------------------------

name=p1-vdom1 ver=1 serial=5 11.11.11.1:0->11.11.11.2:0 lgwy=static tun=tunnel mode=auto bound_if=47

proxyid_num=1 child_num=0 refcnt=8 ilast=2 olast=2

stat: rxp=3076 txp=1667 rxb=4299623276 txb=66323

dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=20

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=p2-vdom1 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1

src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=0000000e type=00 soft=0 mtu=1436 expire=1736 replaywin=2048 seqno=680

life: type=01 bytes=0/0 timeout=1748/1800

dec: spi=ae01010c esp=3des key=24 18e021bcace225347459189f292fbc2e4677563b07498a07

ah=md5 key=16 b4f44368741632b4e33e5f5b794253d3

enc: spi=ae01010d esp=3des key=24 42c94a8a2f72a44f9a3777f8e6aa3b24160b8af15f54a573

ah=md5 key=16 6214155f76b63a93345dcc9ec02d6415

dec:pkts/bytes=3073/4299621477, enc:pkts/bytes=1667/66375

npu_flag=03 npu_rgwy=11.11.11.2 npu_lgwy=11.11.11.1 npu_selid=4

diagnose sys session list

session info: proto=6 proto_state=01 duration=34 expire=3565 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper=

reply-shaper=

per_ip_shaper=

ha_id=0 policy_dir=0 tunnel=/p1-vdom2

state=re may_dirty npu

statistic(bytes/packets/allow_err): org=112/2/1 reply=112/2/1 tuples=2

orgin->sink: org pre->post, reply pre->post dev=57->7/7->57 gwy=10.1.100.11/11.11.11.1

hook=pre dir=org act=noop 172.16.200.55:35254->10.1.100.11:80(0.0.0.0:0)

hook=post dir=reply act=noop 10.1.100.11:80->172.16.200.55:35254(0.0.0.0:0)

pos/(before,after) 0/(0,0), 0/(0,0)

misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=4

serial=00002d29 tos=ff/ff ips_view=0 app_list=0 app=0

dd_type=0 dd_mode=0

per_ip_bandwidth meter: addr=172.16.200.55, bps=260

npu_state=00000000

npu info: flag=0x81/0x82, offload=7/7, ips_offload=0/0, epid=1/3, ipid=3/1, vlan=32779/0

Checking that traffic is offloaded by NP processors

A number of diagnose commands can be used to verify that traffic is being offloaded.

Using the packet sniffer

Use the packet sniffer to verify that traffic is offloaded. Offloaded traffic is not picked up by the packet sniffer so if you are sending traffic through the FortiGate unit and it is not showing up on the packet sniffer you can conclude that it is offloaded.

diag sniffer packet port1 <option>

Note

If you want the packet sniffer to be able to see offloaded traffic you can temporarily disable offloading the traffic, run the packet sniffer to view it and then re-enable offloading. As an example, you may want to sniff the traffic that is accepted by a specific firewall policy. You can edit the policy and set the auto-asic-offload option to disable to disable offloading this traffic.You can also disable offloading for IPsec VPN traffic, see Network processors (NP6, NP6XLite, and NP6Lite).

Checking the firewall session offload tag

Use the diagnose sys session list command to display sessions. If the output for a session includes the npu info field you should see information about session being offloaded. If the output doesn’t contain an npu info field then the session has not been offloaded.

diagnose sys session list

session info: proto=6 proto_state=01 duration=34 expire=3565 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper=

reply-shaper=

per_ip_shaper=

ha_id=0 policy_dir=0 tunnel=/

state=may_dirty npu

statistic(bytes/packets/allow_err): org=295/3/1 reply=60/1/1 tuples=2

orgin->sink: org pre->post, reply pre->post dev=48->6/6->48 gwy=10.1.100.11/11.11.11.1

hook=pre dir=org act=noop 172.16.200.55:56453->10.1.100.11:80(0.0.0.0:0)

hook=post dir=reply act=noop 10.1.100.11:80->172.16.200.55:56453(0.0.0.0:0)

pos/(before,after) 0/(0,0), 0/(0,0)

misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=4

serial=0000091c tos=ff/ff ips_view=0 app_list=0 app=0

dd_type=0 dd_mode=0

per_ip_bandwidth meter: addr=172.16.200.55, bps=393

npu_state=00000000

npu info: flag=0x81/0x81, offload=4/4, ips_offload=0/0, epid=1/23, ipid=23/1, vlan=32779/0

Verifying IPsec VPN traffic offloading

The following commands can be used to verify IPsec VPN traffic offloading to NP processors.

diagnose vpn ipsec status

NPl/NP2/NP4_0/sp_0_0:

null: 0 0

des: 0 0

3des: 4075 4074

aes: 0 0

aria: 0 0

seed: 0 0

null: 0 0

md5: 4075 4074

sha1: 0 0

sha256: 0 0

sha384: 0 0

sha512: 0 0

diagnose vpn tunnel list

list all ipsec tunnel in vd 3

------------------------------------------------------

name=p1-vdom1 ver=1 serial=5 11.11.11.1:0->11.11.11.2:0 lgwy=static tun=tunnel mode=auto bound_if=47

proxyid_num=1 child_num=0 refcnt=8 ilast=2 olast=2

stat: rxp=3076 txp=1667 rxb=4299623276 txb=66323

dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=20

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=p2-vdom1 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1

src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=0000000e type=00 soft=0 mtu=1436 expire=1736 replaywin=2048 seqno=680

life: type=01 bytes=0/0 timeout=1748/1800

dec: spi=ae01010c esp=3des key=24 18e021bcace225347459189f292fbc2e4677563b07498a07

ah=md5 key=16 b4f44368741632b4e33e5f5b794253d3

enc: spi=ae01010d esp=3des key=24 42c94a8a2f72a44f9a3777f8e6aa3b24160b8af15f54a573

ah=md5 key=16 6214155f76b63a93345dcc9ec02d6415

dec:pkts/bytes=3073/4299621477, enc:pkts/bytes=1667/66375

npu_flag=03 npu_rgwy=11.11.11.2 npu_lgwy=11.11.11.1 npu_selid=4

diagnose sys session list

session info: proto=6 proto_state=01 duration=34 expire=3565 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper=

reply-shaper=

per_ip_shaper=

ha_id=0 policy_dir=0 tunnel=/p1-vdom2

state=re may_dirty npu

statistic(bytes/packets/allow_err): org=112/2/1 reply=112/2/1 tuples=2

orgin->sink: org pre->post, reply pre->post dev=57->7/7->57 gwy=10.1.100.11/11.11.11.1

hook=pre dir=org act=noop 172.16.200.55:35254->10.1.100.11:80(0.0.0.0:0)

hook=post dir=reply act=noop 10.1.100.11:80->172.16.200.55:35254(0.0.0.0:0)

pos/(before,after) 0/(0,0), 0/(0,0)

misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=4

serial=00002d29 tos=ff/ff ips_view=0 app_list=0 app=0

dd_type=0 dd_mode=0

per_ip_bandwidth meter: addr=172.16.200.55, bps=260

npu_state=00000000

npu info: flag=0x81/0x82, offload=7/7, ips_offload=0/0, epid=1/3, ipid=3/1, vlan=32779/0