Fortinet black logo

Hardware Acceleration

CP9 capabilities

CP9 capabilities

CP9, CP9XLite (found in SOC4), and CP9Lite (found in SOC3) content processors support mostly the same features, with a few exceptions noted below. The main difference between the processors is their capacity and throughput. For example, the CP9 has sixteen IPsec VPN engines while the CP9XLite has five and the CP9Lite has one. As a result, the CP9 can accelerate many more IPsec VPN sessions than the lite versions.

The CP9 content processor provides the following services:

Note

FortiOS may not support all of the CP9 services listed below. For example, IPsec VPNs may not support some less commonly used proposals; such as AES-GMAC. For any FortiOS function, you can check the options available from the CLI to see the features that are supported. For example, when configuring an IPsec VPN phase one, you can use the CLI help with the set proposal option to see the list of supported proposals.

  • Flow-based inspection (IPS and application control) pattern matching acceleration with over 10Gbps throughput
    • IPS pre-scan/pre-match offload
    • IPS signature correlation offload
    • Full match offload (CP9 only)
    • High throughput DFA-based deep packet inspection

  • High performance IPsec VPN bulk data engine
    • DES/3DES/AES128/192/256 in accordance with FIPS46-3/FIPS81/FIPS197
    • MD5/SHA-1/SHA256/384/512-96/128/192/256 with RFC1321 and FIPS180
    • M S/KM Generation (Hash) (CP9 only)

    • HMAC in accordance with RFC2104/2403/2404 and FIPS198
    • ESN mode
    • GCM support for NSA "Suite B" (RFC6379/RFC6460) including GCM-128/256; GMAC-128/256
  • Key exchange processor that supports high performance IKE and RSA computation
    • Public key exponentiation engine with hardware CRT support
    • Primary checking for RSA key generation
    • Handshake accelerator with automatic key material generation
    • Ring OSC entropy source

    • Elliptic curve cryptography ECC (P-256) support for NSA "Suite B" (CP9 only)
    • Sub public key engine (PKCE) to support up to 4096 bit operation directly (4k for DH and 8k for RSA with CRT)
  • DLP fingerprint support
    • Configurable Two-Thresholds-Two-Divisors (TTTD) content chunking

CP9 capabilities

CP9, CP9XLite (found in SOC4), and CP9Lite (found in SOC3) content processors support mostly the same features, with a few exceptions noted below. The main difference between the processors is their capacity and throughput. For example, the CP9 has sixteen IPsec VPN engines while the CP9XLite has five and the CP9Lite has one. As a result, the CP9 can accelerate many more IPsec VPN sessions than the lite versions.

The CP9 content processor provides the following services:

Note

FortiOS may not support all of the CP9 services listed below. For example, IPsec VPNs may not support some less commonly used proposals; such as AES-GMAC. For any FortiOS function, you can check the options available from the CLI to see the features that are supported. For example, when configuring an IPsec VPN phase one, you can use the CLI help with the set proposal option to see the list of supported proposals.

  • Flow-based inspection (IPS and application control) pattern matching acceleration with over 10Gbps throughput
    • IPS pre-scan/pre-match offload
    • IPS signature correlation offload
    • Full match offload (CP9 only)
    • High throughput DFA-based deep packet inspection

  • High performance IPsec VPN bulk data engine
    • DES/3DES/AES128/192/256 in accordance with FIPS46-3/FIPS81/FIPS197
    • MD5/SHA-1/SHA256/384/512-96/128/192/256 with RFC1321 and FIPS180
    • M S/KM Generation (Hash) (CP9 only)

    • HMAC in accordance with RFC2104/2403/2404 and FIPS198
    • ESN mode
    • GCM support for NSA "Suite B" (RFC6379/RFC6460) including GCM-128/256; GMAC-128/256
  • Key exchange processor that supports high performance IKE and RSA computation
    • Public key exponentiation engine with hardware CRT support
    • Primary checking for RSA key generation
    • Handshake accelerator with automatic key material generation
    • Ring OSC entropy source

    • Elliptic curve cryptography ECC (P-256) support for NSA "Suite B" (CP9 only)
    • Sub public key engine (PKCE) to support up to 4096 bit operation directly (4k for DH and 8k for RSA with CRT)
  • DLP fingerprint support
    • Configurable Two-Thresholds-Two-Divisors (TTTD) content chunking