NP7 session fast path requirements
This section lists all the criteria that determine whether a session can be offloaded by NP7 processors.
-
Protocols that can be offloaded by NP7 processors provides a quick reference to the protocols that can be offloaded.
-
Tunneling protocols that can be offloaded by NP7 processors provides a quick reference to the tunneling protocols that can be offloaded.
NP7 processors can offload IPv4 and IPv6 traffic and NAT64 and NAT46 traffic as well as IPv4 and IPv6 versions of the following traffic types where appropriate:
- Link aggregation (LAG) (IEEE 802.3ad) traffic and traffic from static redundant interfaces (see Increasing NP7 offloading capacity using link aggregation groups (LAGs)).
- TCP, UDP, ICMP, SCTP, GTP-u, and RDP traffic.
- IPsec VPN traffic terminating on the FortiGate. NP7 processors also offload IPsec encryption/decryption including:
- Null, DES, 3DES, AES128, AES192, AES256, AES128-GCM, AES256-GCM, AES-GMAC128, AES-GMAC192, AES-GMAC256 encryption algorithms.
- Null, MD5, SHA1, SHA256, SHA384, SHA512, HMAC-MD5, SHA2-256 and SHA2-512 authentication algorithms.
- In addition, NP7Lite processors also offload IPsec SHA3-256/384/512 encryption/decryption.
- IPsec traffic that passes through a FortiGate without being unencrypted.
- Anomaly-based intrusion prevention, checksum offload, and packet defragmentation.
- IPIP tunneling (also called IP in IP tunneling), SIT tunneling, and IPv6 tunneling.
- Multicast traffic (including Multicast over IPsec).
- CAPWAP and wireless bridge traffic tunnel encapsulation to enable line rate wireless forwarding from FortiAP devices.
- Virtual switch traffic including MAC management and forwarding, STP, and 802.1x.
- Generic route encapsulation (GRE) tunnel sessions. The
auto-asic-offload
option must be enabled in the GRE tunnel configuration and in firewall policies that send traffic to the GRE tunnel.Offloading GRE over a loopback interface is not supported and offloaded traffic is blocked. In the firewall policy, disable
auto-asic-offload
to allow traffic to flow.
- Virtual network enabler (VNE) tunnel sessions. The
auto-asic-offload
option must be enabled in the VNE tunnel configuration and in firewall policies that send traffic to the VNE tunnel. - GTP.
- VXLAN.
- CAPWAP and VXLAN over IPsec.
- NP7Lite processors support VXLAN/NVGRE sessions.
- SD-WAN segmentation over single relay sessions that include an IPsec VPN phase 1 configuration that enables VPN ID with IPIP encapsulation. For more information, see SD-WAN segmentation over a single overlay.
- Fragmented packets (if the packet has been fragmented into two packets (see Reassembling and offloading fragmented packets).
- Traffic shaping and priority queuing including:
- Shared and per IP traffic shaping.
- Interface-based egress traffic shaping.
- Interface-based ingress traffic shaping is not supported by NP7 and NP7Lite (SOC5) offloaded traffic, see Ingress traffic shaping profile.
- QoS.
- Syn proxying.
- DNS session helper.
- Inter-VDOM link traffic.
- Traffic over a loopback interface (including IPsec traffic terminated by the FortiGate). For information about using loopback interfaces, see the Fortinet KB article: Technical Tip : Configuring and using a loopback interface on a FortiGate.
Sessions that are offloaded must be fast path ready. For a session to be fast path ready it must meet the following criteria:
- Layer 2 type/length must be 0x0800 for IPv4 or 0x86dd for IPv6 (IEEE 802.1q VLAN specification is supported).
- Layer 3 protocol can be IPv4 or IPv6.
- Layer 4 protocol can be UDP, TCP, ICMP, or SCTP.
- In most cases, Layer 3 / Layer 4 header or content modification sessions that require a session helper can be offloaded.
- NTurbo sessions can be offloaded if they are accepted by firewall policies that include IPS, Application Control, flow-based antivirus, or flow-based web filtering.
Offloading application layer content modification is not supported. This means that sessions are not offloaded if they are accepted by firewall policies that include proxy-based virus scanning, proxy-based web filtering, DNS filtering, DLP, Anti-Spam, VoIP, ICAP, Web Application Firewall, or Proxy options.
If you disable anomaly checks by Intrusion Prevention (IPS), you can still enable hardware accelerated anomaly checks using the |
If a session is not fast path ready, the FortiGate will not send the session key or IPsec SA key to the NP7 processor. Without the session key, all session key lookup by a network processor for incoming packets of that session fails, causing all session packets to be sent to the main processing resources, and processed at normal speeds.
If a session is fast path ready, the FortiGate sends the session key or IPsec SA key to the network processor. Session key or IPsec SA key lookups then succeed for subsequent packets from the known session or IPsec SA.