Hardware Acceleration

hash-config {src-dst-ip | 5-tuple | src-ip}

On FortiGates with multiple NP7 processors, you can use the following command to configure how the internal switch fabric (ISF) distributes sessions to the NP7 processors.

config system global
config system npu
    set hash-config {src-dst-ip | 5-tuple | src-ip}
end

Changing the hash-config causes the FortiGate to restart.

Note

A configuration change that causes a FortiGate to restart can disrupt the operation of an FGCP cluster. If possible, you should make this configuration change to the individual FortiGates before setting up the cluster. If the cluster is already operating, you should temporarily remove the secondary FortiGate(s) from the cluster, change the configuration of the individual FortiGates and then re-form the cluster. You can remove FortiGate(s) from a cluster using the Remove Device from HA cluster button on the System > HA GUI page. For more information, see Disconnecting a FortiGate.

src-ip, sessions are distributed by source IP address. All sessions from a source IP address are processed by the same NP7 processor.

5-tuple, to distribute sessions, a hash is created for each session based on the session's source and destination IP address, IP protocol, and source and destination TCP/UDP port. This option is available on FortiGates with multiple NP7 processors and an even number of NP7 processors (so most FortiGates with NP7 processors).

src-dst-ip, use 2-tuple source and destination IP address hashing. This option is only available on FortiGates with an odd number of NP7 processors (for example, the FortiGate-3500F and 3501F have three NP7 processors).

Note

Changing the hash-config also affects hyperscale firewall CGNAT functionality. See How the NP7 hash-config affects CGNAT.

In most cases 2-tuple or 5-tuple distribution provides the best performance but src-ip is the required setting if your FortiGate processes traffic that requires session helpers or application layer gateways (ALGs).

Setting hash-config to src-ip is required to offload traffic that requires session helpers or application layer gateways (ALGs) (for example, FTP, TFTP, SIP, MGCP, H.323, PPTP, L2TP, ICMP Error/IP-options, PMAP, TNS, DCE-RPC, RAS, and RSH).

On a FortiGate with hyperscale firewall features enabled, session helper and ALG traffic should be processed by normal VDOMs and not by hyperscale firewall VDOMs. Traffic that requires session helpers or ALGs is not compatible with hyperscale firewall functionality since the initial packets of a new session must be processed by the CPU. As well, some traffic that requires ALGs, for example SIP traffic, also requires a security profile and security profiles are not compatible with hyperscale firewall functionality.

Session helper and ALG traffic can be partially offloaded by NP7 processors. For example, SIP setup sessions are processed by the CPU, but the RTP and RTCP sessions that result from SIP setup sessions can be accelerated by NP7 processors.
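The distribution behaviour of the three hash-config options, modelled as an added example (not Fortinet code): SHA-256 stands in for the ISF hash, which this page does not document, and the addresses, ports and function names are constructed for illustration. It shows that src-ip and src-dst-ip keep one client's FTP control and data sessions on a single NP7 processor, while 5-tuple spreads them across processors.

```python
import hashlib
from collections import namedtuple

# Constructed model: the real ISF hash algorithm is not described on this page.
Session = namedtuple("Session", "src dst proto sport dport")

def hash_key(s, mode):
    """Return the session fields that each hash-config option feeds into the hash."""
    if mode == "src-ip":
        return (s.src,)
    if mode == "src-dst-ip":
        return (s.src, s.dst)
    if mode == "5-tuple":
        return (s.src, s.dst, s.proto, s.sport, s.dport)
    raise ValueError(f"unknown hash-config option: {mode}")

def np7_for(s, mode, np_count):
    """Map a session to an NP7 index, using SHA-256 as a stand-in hash."""
    digest = hashlib.sha256(repr(hash_key(s, mode)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % np_count

def modes_for(np_count):
    """Options per NP7 count as listed above (no restriction is stated for src-ip)."""
    if np_count < 2:
        return []
    return ["src-ip", "src-dst-ip"] if np_count % 2 else ["src-ip", "5-tuple"]

def processors_used(sessions, mode, np_count):
    """Set of NP7 indexes that a group of sessions lands on."""
    return {np7_for(s, mode, np_count) for s in sessions}

# Constructed sample: one client's FTP control session plus 32 data sessions.
CLIENT, SERVER = "198.51.100.10", "203.0.113.20"
FTP_SESSIONS = [Session(CLIENT, SERVER, 6, 50000, 21)] + [
    Session(CLIENT, SERVER, 6, 50001 + i, 40000 + i) for i in range(32)
]

if __name__ == "__main__":
    for np_count in (2, 3, 4):
        for mode in modes_for(np_count):
            used = sorted(processors_used(FTP_SESSIONS, mode, np_count))
            print(f"{np_count} x NP7, {mode}: processors {used}")
```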
