Fortinet black logo

Hardware Acceleration

NP6 session fast path requirements

NP6 session fast path requirements

NP6 processors can offload the following traffic and services:

  • IPv4 and IPv6 traffic and NAT64 and NAT46 traffic (as well as IPv4 and IPv6 versions of the following traffic types where appropriate).
  • Link aggregation (LAG) (IEEE 802.3ad) traffic and traffic from static redundant interfaces (see Increasing NP6 offloading capacity using link aggregation groups (LAGs)).
  • TCP, UDP, ICMP, SCTP, and RDP traffic.
  • IPsec VPN traffic, and offloading of IPsec encryption/decryption (including SHA2-256 and SHA2-512)
  • NP6 processor IPsec engines support null, DES, 3DES, AES128, AES192, and AES256 encryption algorithms
  • NP6 processor IPsec engines support null, MD5, SHA1, SHA256, SHA 384, and SHA512 authentication algorithms
  • IPsec traffic that passes through a FortiGate without being unencrypted.
  • Anomaly-based intrusion prevention, checksum offload and packet defragmentation.
  • IPIP tunneling (also called IP in IP tunneling), SIT tunneling, and IPv6 tunneling sessions.
  • UDP traffic with a destination port of 4500 (ESP-in-UDP traffic) (if enabled, see Offloading UDP-encapsulated ESP traffic).
  • Multicast traffic (including Multicast over IPsec).
  • CAPWAP and wireless bridge traffic tunnel encapsulation to enable line rate wireless forwarding from FortiAP devices (not supported by the NP6Lite).
  • Traffic shaping and priority queuing for both shared and per IP traffic shaping.
  • Syn proxying (not supported by the NP6Lite).
  • DNS session helper (not supported by the NP6Lite).
  • Inter-VDOM link traffic. Inter-VDOM link traffic between two EMAC VLAN interfaces cannot be offloaded.

Sessions that are offloaded must be fast path ready. For a session to be fast path ready it must meet the following criteria:

  • Layer 2 type/length must be 0x0800 for IPv4 or 0x86dd for IPv6 (IEEE 802.1q VLAN specification is supported).
  • Layer 3 protocol can be IPv4 or IPv6.
  • Layer 4 protocol can be UDP, TCP, ICMP, or SCTP.
  • In most cases, Layer 3 / Layer 4 header or content modification sessions that require a session helper can be offloaded.
  • Local host traffic (originated by the FortiGate unit) can be offloaded.
  • If the FortiGate supports, NTurbo sessions can be offloaded if they are accepted by firewall policies that include IPS, Application Control, CASI, flow-based antivirus, or flow-based web filtering.

Offloading Application layer content modification is not supported. This means that sessions are not offloaded if they are accepted by firewall policies that include proxy-based virus scanning, proxy-based web filtering, DNS filtering, DLP, Anti-Spam, VoIP, ICAP, Web Application Firewall, or Proxy options.

DoS policy sessions are also not offloaded by NP6 processors.

Note

If you disable anomaly checks by Intrusion Prevention (IPS), you can still enable hardware accelerated anomaly checks using the fp-anomaly field of the config system interface CLI command. See Configuring individual NP6 processors.

If a session is not fast path ready, FortiGate will not send the session key or IPsec SA key to the NP6 processor. Without the session key, all session key lookup by a network processor for incoming packets of that session fails, causing all session packets to be sent to the FortiGate’s main processing resources, and processed at normal speeds.

If a session is fast path ready, the FortiGate unit will send the session key or IPsec SA key to the network processor. Session key or IPsec SA key lookups then succeed for subsequent packets from the known session or IPsec SA.

Packet fast path requirements

Packets within the session must then also meet packet requirements.

  • Incoming packets must not be fragmented.
  • Outgoing packets must not require fragmentation to a size less than 385 bytes. Because of this requirement, the configured MTU (Maximum Transmission Unit) for a network processor’s network interfaces must also meet or exceed the NP6-supported minimum MTU of 385 bytes.

Mixing fast path and non-fast path traffic

If packet requirements are not met, an individual packet will be processed by the FortiGate CPU regardless of whether other packets in the session are offloaded to the NP6.

Also, in some cases, a protocol’s session(s) may receive a mixture of offloaded and non-offloaded processing. For example, VoIP control packets may not be offloaded but VoIP data packets (voice packets) may be offloaded.

NP6 session fast path requirements

NP6 processors can offload the following traffic and services:

  • IPv4 and IPv6 traffic and NAT64 and NAT46 traffic (as well as IPv4 and IPv6 versions of the following traffic types where appropriate).
  • Link aggregation (LAG) (IEEE 802.3ad) traffic and traffic from static redundant interfaces (see Increasing NP6 offloading capacity using link aggregation groups (LAGs)).
  • TCP, UDP, ICMP, SCTP, and RDP traffic.
  • IPsec VPN traffic, and offloading of IPsec encryption/decryption (including SHA2-256 and SHA2-512)
  • NP6 processor IPsec engines support null, DES, 3DES, AES128, AES192, and AES256 encryption algorithms
  • NP6 processor IPsec engines support null, MD5, SHA1, SHA256, SHA 384, and SHA512 authentication algorithms
  • IPsec traffic that passes through a FortiGate without being unencrypted.
  • Anomaly-based intrusion prevention, checksum offload and packet defragmentation.
  • IPIP tunneling (also called IP in IP tunneling), SIT tunneling, and IPv6 tunneling sessions.
  • UDP traffic with a destination port of 4500 (ESP-in-UDP traffic) (if enabled, see Offloading UDP-encapsulated ESP traffic).
  • Multicast traffic (including Multicast over IPsec).
  • CAPWAP and wireless bridge traffic tunnel encapsulation to enable line rate wireless forwarding from FortiAP devices (not supported by the NP6Lite).
  • Traffic shaping and priority queuing for both shared and per IP traffic shaping.
  • Syn proxying (not supported by the NP6Lite).
  • DNS session helper (not supported by the NP6Lite).
  • Inter-VDOM link traffic. Inter-VDOM link traffic between two EMAC VLAN interfaces cannot be offloaded.

Sessions that are offloaded must be fast path ready. For a session to be fast path ready it must meet the following criteria:

  • Layer 2 type/length must be 0x0800 for IPv4 or 0x86dd for IPv6 (IEEE 802.1q VLAN specification is supported).
  • Layer 3 protocol can be IPv4 or IPv6.
  • Layer 4 protocol can be UDP, TCP, ICMP, or SCTP.
  • In most cases, Layer 3 / Layer 4 header or content modification sessions that require a session helper can be offloaded.
  • Local host traffic (originated by the FortiGate unit) can be offloaded.
  • If the FortiGate supports, NTurbo sessions can be offloaded if they are accepted by firewall policies that include IPS, Application Control, CASI, flow-based antivirus, or flow-based web filtering.

Offloading Application layer content modification is not supported. This means that sessions are not offloaded if they are accepted by firewall policies that include proxy-based virus scanning, proxy-based web filtering, DNS filtering, DLP, Anti-Spam, VoIP, ICAP, Web Application Firewall, or Proxy options.

DoS policy sessions are also not offloaded by NP6 processors.

Note

If you disable anomaly checks by Intrusion Prevention (IPS), you can still enable hardware accelerated anomaly checks using the fp-anomaly field of the config system interface CLI command. See Configuring individual NP6 processors.

If a session is not fast path ready, FortiGate will not send the session key or IPsec SA key to the NP6 processor. Without the session key, all session key lookup by a network processor for incoming packets of that session fails, causing all session packets to be sent to the FortiGate’s main processing resources, and processed at normal speeds.

If a session is fast path ready, the FortiGate unit will send the session key or IPsec SA key to the network processor. Session key or IPsec SA key lookups then succeed for subsequent packets from the known session or IPsec SA.

Packet fast path requirements

Packets within the session must then also meet packet requirements.

  • Incoming packets must not be fragmented.
  • Outgoing packets must not require fragmentation to a size less than 385 bytes. Because of this requirement, the configured MTU (Maximum Transmission Unit) for a network processor’s network interfaces must also meet or exceed the NP6-supported minimum MTU of 385 bytes.

Mixing fast path and non-fast path traffic

If packet requirements are not met, an individual packet will be processed by the FortiGate CPU regardless of whether other packets in the session are offloaded to the NP6.

Also, in some cases, a protocol’s session(s) may receive a mixture of offloaded and non-offloaded processing. For example, VoIP control packets may not be offloaded but VoIP data packets (voice packets) may be offloaded.