Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Hardware Acceleration

diagnose npu np7 (display NP7 information)

You can use the diagnose npu np7 command to display NP7 information.

In the following syntax:

  • <np7-id> is the NP7 identifier, if your FortiGate has one NP7 the np-id is 0.
  • For some of the commands, you can specify an <action>. <action> is optional and can be:
    • {0 | b | brief} Show non-zero counters.
    • {1| v | verbose} Show all the counters.
    • {2 | c | clear} Clear counters.

Command

Description

cgmac-stats <np7-id> [<action>]

Show or clear TX, RX, and Error counters.

dce-drop-all <np7-id> [<action>]

Show or clear all drop counters.

dce-eif-drop <np7-id> [<action>]

Show or clear Ingress Header Processing (IHP) drop counters for the EIF module.

dce-htx-drop <np7-id> [<action>]

Show or clear IHP drop counters for the Host TX (HTX) module.

dce-ipti-drop <np7-id> [<action>]

Show or clear IHP drop counters for the IP Tunnel Inbound (IPTI) module.

dce-l2ti-drop <np7-id> [<action>]

Show or clear IHP drop counters for the L2 Tunnel Inbound (HTX) module.

dce-dfr-drop <np7-id> [<action>]

Show or clear IHP drop counters for the Reassembly (DFR) module.

dce-xhp-drop <np7-id> [<action>]

Show or clear IHP drop counters for the Extensible Header Processing (XHP) module.

dce-l2p-drop <np7-id> [<action>]

Show or clear IHP drop counters for the L2P ingress/egress processing module.

dce-hif-drop <np7-id> [<action>]

Show or clear IHP drop counters for the Host Interface (HIF).

dce-ipsec-drop <np7-id> [<action>]

Show or clear IPsec drop counters.

dsw-drop-all <np7-id> [<action>]

Show or clear DSW drop counters.

dsw-drop-by-src <np7-id> [<action>]

Show or clear DSW drop counters by source modules.

dsw-drop-by-dst <np7-id> [<action>]

Show or clear DSW drop counters by destination modules.

dsw-ingress-stats <np7-id> [<action>]

Show or clear engine counter statistics for DSW ingress modules.

dsw-egress-stats <np7-id> [<action>]

Show or clear counter statistics for DSW egress modules based on queue index.

hif-stats <np7-id> [<action>]

Show or clear Host Interface (HIF) statistic for each TX and RX host queue.

pdq <np7-id>

Show counters of packet and byte count for active modules.

pba <np7-id>

Show Packet Buffer Allocator (PBA) information. PBA is a key indicator for determining the current state of the NP7. If normal and current pba, dba, and hba are different when no traffic is flowing, then !!!Leak!!! will appear at the bottom, indicating a potential NP7 issue.

pmon <np7-id> [<action>]

Show or clear process monitor data that shows the processor load each NP7 software module is using.

port-list <np7-id>

Show the FortiGate interfaces, the NP7 that each interface is connected to, and the port to NPU port mapping configuration. You can configure NPU port mapping using the following command:

config system npu

config port-npu-map

edit <interface-name>

set npu-group-index {0 | 1 | 2}

end

sse-cmd-stats <np7-id> [<action>]

Show or clear Session Search Engine (SSE) command statistics, which show the number of sessions for various operations.

sse-stats <np7-id>

Show NP7 session statistics, including the following:

entcnt total number of valid sessions.

inssuc number of successfully inserted sessions.

insfail number of sessions that fail to be inserted.

updsucc total number of session update that have been successfully

executed.

delsucc number of sessions that have been deleted successfully.

delfail number of sessions that fail to be deleted due to no matching session found.

depfail OFT max chain depth reached fail count. Should remain zero.

srhsucc number of sessions successfully searched (search hit).

srhfail number of sessions whose search failed (search miss).

agesucc total number of successful session removal by aging.

chdepth Maximum OFT chain depth allowed.

phtbase Lower 32 bits of PHT base address.

phtsize PHT size.

oftbase Lower 32 bits of OFT base address.

oftsize Size of overflow table.

oftfcnt OFT free bucket count.

system-config

Show the current NP7 configuration. Most of the configuration is set by the config system npu command.

register <np7-id> [<blocks> list]

Show NP7 registers. Optionally specify a <block> to show registers for a specific block. For example:

diagnose npu np7 register 0 sse* list.

ddr-info <np7-id> 

Show DDR size and debug information.

ddr-access {disable | enable} <np7-id>

Enable or disable DDR access of sub-modules.

ddr-test <np7-id> <channel> <start-hex> <size-hex> <pattern-src> <pattern>

Run DDR memory testing.

Where:

<channel> is the DDR channel to test and can be 0, 1, 2, 3, 4, or 5.

<start-hex> and <end-hex> define the range of memory addresses for which to run the test in hexadecimal format.

<size-hex> is the size of the memory in hexadecimal format.

<pattern> can be 0 walkone, 1 walkzero, 2 incremental, and 3 random.

trng-read <np7-id> <size>

Display a true random number generated by the NP7 true random number generator.

trng-frequency <np7-id>

Show true random number generator frequency information.

debug-cgmac <options>

Show NP7 debug information. Enter diagnose npu np7 debug-cgmac ? to view the available <options>.

hpe <np7-id>

Show HPE host queue type shaping statistics.

ipl <options> 

Show IPL information. Enter diagnose npu np7 ipl -h for a list of options.

diagnose npu np7 (display NP7 information)

You can use the diagnose npu np7 command to display NP7 information.

In the following syntax:

  • <np7-id> is the NP7 identifier, if your FortiGate has one NP7 the np-id is 0.
  • For some of the commands, you can specify an <action>. <action> is optional and can be:
    • {0 | b | brief} Show non-zero counters.
    • {1| v | verbose} Show all the counters.
    • {2 | c | clear} Clear counters.

Command

Description

cgmac-stats <np7-id> [<action>]

Show or clear TX, RX, and Error counters.

dce-drop-all <np7-id> [<action>]

Show or clear all drop counters.

dce-eif-drop <np7-id> [<action>]

Show or clear Ingress Header Processing (IHP) drop counters for the EIF module.

dce-htx-drop <np7-id> [<action>]

Show or clear IHP drop counters for the Host TX (HTX) module.

dce-ipti-drop <np7-id> [<action>]

Show or clear IHP drop counters for the IP Tunnel Inbound (IPTI) module.

dce-l2ti-drop <np7-id> [<action>]

Show or clear IHP drop counters for the L2 Tunnel Inbound (HTX) module.

dce-dfr-drop <np7-id> [<action>]

Show or clear IHP drop counters for the Reassembly (DFR) module.

dce-xhp-drop <np7-id> [<action>]

Show or clear IHP drop counters for the Extensible Header Processing (XHP) module.

dce-l2p-drop <np7-id> [<action>]

Show or clear IHP drop counters for the L2P ingress/egress processing module.

dce-hif-drop <np7-id> [<action>]

Show or clear IHP drop counters for the Host Interface (HIF).

dce-ipsec-drop <np7-id> [<action>]

Show or clear IPsec drop counters.

dsw-drop-all <np7-id> [<action>]

Show or clear DSW drop counters.

dsw-drop-by-src <np7-id> [<action>]

Show or clear DSW drop counters by source modules.

dsw-drop-by-dst <np7-id> [<action>]

Show or clear DSW drop counters by destination modules.

dsw-ingress-stats <np7-id> [<action>]

Show or clear engine counter statistics for DSW ingress modules.

dsw-egress-stats <np7-id> [<action>]

Show or clear counter statistics for DSW egress modules based on queue index.

hif-stats <np7-id> [<action>]

Show or clear Host Interface (HIF) statistic for each TX and RX host queue.

pdq <np7-id>

Show counters of packet and byte count for active modules.

pba <np7-id>

Show Packet Buffer Allocator (PBA) information. PBA is a key indicator for determining the current state of the NP7. If normal and current pba, dba, and hba are different when no traffic is flowing, then !!!Leak!!! will appear at the bottom, indicating a potential NP7 issue.

pmon <np7-id> [<action>]

Show or clear process monitor data that shows the processor load each NP7 software module is using.

port-list <np7-id>

Show the FortiGate interfaces, the NP7 that each interface is connected to, and the port to NPU port mapping configuration. You can configure NPU port mapping using the following command:

config system npu

config port-npu-map

edit <interface-name>

set npu-group-index {0 | 1 | 2}

end

sse-cmd-stats <np7-id> [<action>]

Show or clear Session Search Engine (SSE) command statistics, which show the number of sessions for various operations.

sse-stats <np7-id>

Show NP7 session statistics, including the following:

entcnt total number of valid sessions.

inssuc number of successfully inserted sessions.

insfail number of sessions that fail to be inserted.

updsucc total number of session update that have been successfully

executed.

delsucc number of sessions that have been deleted successfully.

delfail number of sessions that fail to be deleted due to no matching session found.

depfail OFT max chain depth reached fail count. Should remain zero.

srhsucc number of sessions successfully searched (search hit).

srhfail number of sessions whose search failed (search miss).

agesucc total number of successful session removal by aging.

chdepth Maximum OFT chain depth allowed.

phtbase Lower 32 bits of PHT base address.

phtsize PHT size.

oftbase Lower 32 bits of OFT base address.

oftsize Size of overflow table.

oftfcnt OFT free bucket count.

system-config

Show the current NP7 configuration. Most of the configuration is set by the config system npu command.

register <np7-id> [<blocks> list]

Show NP7 registers. Optionally specify a <block> to show registers for a specific block. For example:

diagnose npu np7 register 0 sse* list.

ddr-info <np7-id> 

Show DDR size and debug information.

ddr-access {disable | enable} <np7-id>

Enable or disable DDR access of sub-modules.

ddr-test <np7-id> <channel> <start-hex> <size-hex> <pattern-src> <pattern>

Run DDR memory testing.

Where:

<channel> is the DDR channel to test and can be 0, 1, 2, 3, 4, or 5.

<start-hex> and <end-hex> define the range of memory addresses for which to run the test in hexadecimal format.

<size-hex> is the size of the memory in hexadecimal format.

<pattern> can be 0 walkone, 1 walkzero, 2 incremental, and 3 random.

trng-read <np7-id> <size>

Display a true random number generated by the NP7 true random number generator.

trng-frequency <np7-id>

Show true random number generator frequency information.

debug-cgmac <options>

Show NP7 debug information. Enter diagnose npu np7 debug-cgmac ? to view the available <options>.

hpe <np7-id>

Show HPE host queue type shaping statistics.

ipl <options> 

Show IPL information. Enter diagnose npu np7 ipl -h for a list of options.