
Resolved issues

The following issues have been fixed in Hyperscale firewall for FortiOS 7.2.4 Build 1396. For inquiries about a particular bug, please contact Customer Service & Support. The Resolved issues described in the FortiOS 7.2.4 release notes also apply to Hyperscale firewall for FortiOS 7.2.4 Build 1396.

Bug ID

Description

724085

NP7 processors no longer support offloading sessions that will pass through two EMAC-VLAN interfaces. This includes traffic passing through an EMAC-VLAN interface when the parent interface is in another VDOM. This means that traffic will no longer be blocked when it passes through two EMAC-VLAN interfaces with offloading enabled. Instead, the traffic will be processed by the CPU and will not be offloaded to NP7 processors.

775793

You can use the following command to record traffic shaper statistics for sessions offloaded to NP7 processors:

config system npu
    set shaping-stats {disable | enable}
end

With this option enabled, FortiOS records traffic shaping statistics for sessions offloaded to NP7 processors in the same way as sessions that are processed by the CPU.

To record traffic shaping statistics for offloaded NP7 sessions, the NP7 processors must be operating in policing traffic shaping mode.

777924

You can use the following command to protect a FortiGate with NP7 processors from non-SYN TCP attacks:

config system npu
    set ple-non-syn-tcp-action {drop | forward}
end

By default this option is set to forward, and the NP7 policy lookup engine (PLE) sends TCP local-in non-SYN packets that are from TCP sessions that haven't been established to the CPU. If your FortiGate performance is affected by large numbers of local-in non-SYN packets, you can set this option to drop, causing the NP7 PLE to drop TCP local-in non-SYN packets.

780315

Resolved an issue that reduced connections per second (CPS) performance for VLAN traffic.

804742 810366

Resolved a memory-related issue that caused it to take longer than expected for hyperscale firewall policy changes to be applied to traffic. The delay affected offloaded NP7 traffic and CPU traffic.

805179

Resolved an issue that blocked traffic that could be offloaded to NP7 processors when that traffic passes through a VXLAN interface that is part of a software switch.

807476

Packet buffers are now successfully cleaned up after going through host interface TX/RX queues.

809030

Resolved an issue that could sometimes cause traffic accepted by hyperscale firewall policies with port block allocation (PBA) IP pools to be dropped. The problem could occur after changing the hyperscale firewall policy configuration.

809623

Resolved an issue that caused CAPWAP traffic to be dropped when CAPWAP offloading is enabled for FortiGates with NP7 processors.

813314

Resolved an issue with how the GUI and CLI display information about single port allocation CGN IP pools.

815253 825523

Resolved an issue that could sometimes randomly block traffic in NP7-offloaded IPsec VPN tunnels. The problem would happen more often as the number of IPsec VPN tunnels increased.

815360

Resolved an issue that could cause FortiGates with NP7 processors to encounter a kernel panic when deleting more than two hardware switches at the same time.

816385

Resolved an issue that could cause FortiGates with NP7 processors to display a message similar to "rcu_sched self-detected stall on CPU" on the console and freeze. This would occur after enabling NP7 capwap-offload or sending inner VLAN traffic and restarting FortiOS or upgrading the firmware.

819872

Resolved an issue affecting FortiGates with NP7 processors in an FGCP HA cluster that could cause a kernel panic and lost heartbeat packets. The issue could also result in an HA split brain scenario after a firmware upgrade.

821320

Resolved an issue that caused NP7 processors to drop L2 tunneled VLAN wireless client traffic when CAPWAP offloading is enabled.

824733

Resolved a routing synchronization issue that sometimes caused IPv6 static routes to continue to be active in VDOMs after they have been deleted from the configuration.

826719

Resolved an issue that caused incorrect hardware session counts to be displayed on the GUI or CLI after deleting multicast sessions.

831672 835697 836443

Interface routes are now successfully deleted from the NP7 LPM routing table after moving an interface to a different VDOM. This change also resolves an issue with DHCP servers on interfaces in hyperscale firewall VDOMs.

834762 836049

Resolved an issue that could cause a kernel panic on FortiGates with NP7 processors in an FGCP HA cluster.

836474

Changing the zone configuration of a hyperscale firewall VDOM is now supported by the hyperscale firewall policy engine.

836687 837682

Improved the accuracy of statistics collected from hardware logging.

837270 857311

Allowing intra-zone traffic is now supported in hyperscale firewall VDOMs. Options to block or allow intra-zone traffic are available on the GUI and CLI.

843305

A message similar to "PARSE SKIP ERROR=17 NPD ERR PBR ADDRESS" no longer appears on the console error log when a FortiGate with NP7 processors starts up.

848938

Resolved an issue that could cause the Session Search Engine (SSE) running on an NP7 processor on the primary FortiGate in an FGCP cluster to stop working after receiving an HASYNC message from the secondary FortiGate.

856264 859171

Resolved an issue with how NP7 processors process large packets or fragmented packets in hairpin traffic.

861442

Unsupported ZTNA options removed from hyperscale firewall policies.

863520

Resolved an issue that could cause incorrect session counts for NP7 sessions passing through non-hyperscale VDOMs of a FortiGate with hyperscale features enabled.

864495

Resolved an issue that caused the GUI to display incorrect resource statistics for CGN resource allocation IP pool groups.
