NP7 and NP7Lite acceleration
NP7 and NP7Lite network processors provide fastpath acceleration by offloading communication sessions from the FortiGate CPU. When the first packet of a new session is received by an interface connected to an NP7 processor, just like any session connecting with any FortiGate interface, the session is forwarded to the FortiGate CPU where it is matched with a firewall policy. If the session is accepted by a firewall policy and if the session can be offloaded, its session key is copied to the NP7 processor that received the packet. All of the rest of the packets in the session are intercepted by the NP7 processor and fast-pathed to their destination without ever passing through the FortiGate CPU. The result is enhanced network performance provided by the NP7 processor, and the network processing load is removed from the CPU. In addition, the NP7 processor can handle some CPU-intensive tasks, such as IPsec VPN encryption/decryption and DoS protection, and NP7 processors provide features for offloaded traffic that include traffic shaping.
The result is enhanced connections per second (CPS) and network throughput performance provided by the NP7 processor, and the network processing load is removed from the CPU.
NP7Lite processors have the same architecture and function in the same way as NP7 processors. All of the descriptions of NP7 processors in this document can be applied to NP7Lite processors except where noted.
The NP7 processor has a maximum throughput of 200 Gbps using two 100GigE interfaces. The NP7Lite processor max throughput is 40 Gbps, using one 40GigE interface.
On FortiGates licensed for hyperscale firewall support, NP7 network processors provide fastpath acceleration by offloading session setup, Carrier Grade NAT (CGN), hardware logging, HA hardware session synchronization, and data communication from the FortiGate CPU. When the first packet of a new session is received by an interface connected to an NP7 processor, session and NAT setup takes place entirely on the NP7 policy and NAT engine without any involvement of the system bus or CPU, resulting in much higher connections per second. To support hardware session setup, the NP7 policy and NAT engine has a copy of the FortiGate policy, NAT, and routing tables.
Hyperscale firewall features are not supported by NP7Lite processors.
In FortiGates with multiple NP7s, session keys (and IPsec SA keys) are stored in the memory of the NP7 processor that is connected to the interface that received the packet that started the session. All sessions are fast-pathed and accelerated, even if they exit the FortiGate unit through an interface connected to another NP7. There is no dependence on getting the right pair of interfaces since the offloading is done by the receiving NP7.
The key to making this possible is an Integrated Switch Fabric (ISF) that connects the NP7s and the FortiGate interfaces together. The ISF allows any interface to connect with any NP7 on the same ISF. There are no special ingress and egress fast path requirements as long as traffic enters and exits on interfaces connected to the same ISF.
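The standard (non-hyperscale) offload path described above, as a toy Python model added here for illustration; it is not Fortinet code. The 5-tuple session key, the interface and NP7 names, the policy rules and the class names are assumptions, and only packets in the direction that started the session are modelled.

```python
from dataclasses import dataclass, field

@dataclass
class NP7:
    name: str
    session_keys: set = field(default_factory=set)  # keys copied down by the CPU
    fastpath_packets: int = 0

class FortiGateModel:
    """Hypothetical model: data interfaces reach the NP7s through one ISF."""

    def __init__(self, iface_to_np7, policy):
        self.iface_to_np7 = iface_to_np7
        self.np7s = {n: NP7(n) for n in set(iface_to_np7.values())}
        self.policy = policy      # key -> (accepted, offloadable)
        self.cpu_packets = 0

    def receive(self, ingress, egress, key):
        # Only the receiving NP7 matters; egress may sit on another NP7.
        np7 = self.np7s[self.iface_to_np7[ingress]]
        if key in np7.session_keys:
            np7.fastpath_packets += 1
            return "fastpath:" + np7.name
        self.cpu_packets += 1                 # first packet, or session not offloaded
        accepted, offloadable = self.policy(key)
        if not accepted:
            return "dropped:cpu"
        if offloadable:
            np7.session_keys.add(key)         # key copied to the ingress NP7
        return "forwarded:cpu"

def sample_policy(key):
    # Constructed rules: HTTPS is accepted and offloadable, DNS is accepted but
    # kept on the CPU (stand-in for "cannot be offloaded"), all else is denied.
    proto, dport = key[2], key[4]
    if (proto, dport) == ("tcp", 443):
        return True, True
    if (proto, dport) == ("udp", 53):
        return True, False
    return False, False

def demo():
    fg = FortiGateModel({"port1": "np7_0", "port2": "np7_1"}, sample_policy)
    web = ("192.0.2.10", "198.51.100.5", "tcp", 40000, 443)   # constructed
    dns = ("192.0.2.10", "198.51.100.53", "udp", 40001, 53)   # constructed
    web_paths = [fg.receive("port1", "port2", web) for _ in range(5)]
    dns_paths = [fg.receive("port1", "port2", dns) for _ in range(3)]
    return fg, web_paths, dns_paths

if __name__ == "__main__":
    fg, web_paths, dns_paths = demo()
    print(web_paths, dns_paths, "CPU packets:", fg.cpu_packets)
```

In the model, only the first packet of the offloaded session reaches the CPU, while every packet of the session that cannot be offloaded does, and the session key lives only on the NP7 behind the ingress interface.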
Some FortiGates with NP7 processors support creating NP7 port maps, allowing you to map data interfaces to specific NP7 interfaces. This feature allows you to control the balance of traffic between the NP7 interfaces.
The NP7 processors in some FortiGate units employ ultra low latency (ULL) technology in which data interfaces are connected directly to NP7 processors instead of the ISF. NP7 traffic entering and exiting the FortiGate through these interfaces experiences lower latency than if it were passing through interfaces that are connected to the ISF. To achieve low latency, traffic must both enter and exit the FortiGate through ULL interfaces. If traffic enters or exits through other data interfaces, it is subject to the latency resulting from passing through the ISF.