Enabling support for GTP-U with dynamic source ports
If your network is using GTP-U with dynamic source ports, FortiOS can receive multiple GTP-U sessions with the same source and destination addresses but different source ports. By default, FortiOS adds a new session to its session table for each source port (or two sessions for bi-directional traffic), resulting in the need to maintain multiple sessions for traffic with the same source and destination address. Each session uses additional system memory. If FortiOS is processing large numbers of GTP-U sessions with dynamic source ports, the system may have to maintain a large number of sessions, potentially using a large amount of memory. As well, the first packets of each new session are sent to the CPU. Once the session is established, the sessions are offloaded to NP6 or NP7 processors.
With GTP-U with dynamic source port support enabled, FortiOS on FortiGates with NP7 processors creates one session for each source and destination address pair (or two sessions for bi-directional traffic). These sessions are used for all packets between the source and destination address pair, even if GTP-U with dynamic source ports changes the source port.
If FortiOS is processing large numbers of GTP-U sessions, enabling this feature can reduce the number of sessions that FortiOS maintains, saving memory and potentially improving performance. As well, this feature can save CPU resources because the first packet received with a new source port but the same source and destination address can be offloaded by NP7 processors, instead of being sent to the CPU to establish a new session.
Use the following command to enable or disable support for GTP-U with dynamic source ports:
config system global
set gtpu-dynamic-source-port {enable | disable}
end
This option is disabled by default.
After enabling gtpu-dynamic-source-port, the first two GTP-U packets from a source and destination address pair are processed by the CPU and the GTP-U session is set up. If the session is bi-directional, the first two packets in each direction (for a total of four) are processed by the CPU. All other packets with the same source and destination address are offloaded to NP7 processors, including packets with different source ports.
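The session accounting described above can be modeled to estimate the effect on session count and CPU-handled packets. This is an added example, not Fortinet code: it is a simplified model of the session table, and the addresses, port range, packet counts, and the use of two CPU-handled packets per session in the default case are assumptions constructed for illustration.

```python
from collections import namedtuple

GTPU_PORT = 2152  # UDP port used by GTP-U

Packet = namedtuple("Packet", "src dst sport dport")


def session_key(pkt, dynamic_source_port):
    """Session-table key in this simplified model (not FortiOS internals)."""
    if dynamic_source_port:
        # Feature enabled: one session per source/destination address pair.
        return (pkt.src, pkt.dst)
    # Default: a separate session for every source port.
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport)


def simulate(packets, dynamic_source_port, cpu_packets_per_session=2):
    """Return (sessions, cpu_packets, offloaded_packets) for a packet list.

    cpu_packets_per_session=2 matches the page for the enabled case; using
    the same value for the default case is an assumption of this model.
    """
    seen = {}
    cpu = offloaded = 0
    for pkt in packets:
        key = session_key(pkt, dynamic_source_port)
        count = seen.get(key, 0)
        if count < cpu_packets_per_session:
            cpu += 1          # session setup handled by the CPU
        else:
            offloaded += 1    # established session handled by the NP
        seen[key] = count + 1
    return len(seen), cpu, offloaded


def build_sample(ports=range(40000, 40050), per_port=10):
    """Constructed bi-directional traffic between two tunnel endpoints."""
    a, b = "192.0.2.10", "198.51.100.20"  # documentation addresses
    packets = []
    for sport in ports:
        for _ in range(per_port):
            packets.append(Packet(a, b, sport, GTPU_PORT))  # one direction
            packets.append(Packet(b, a, sport, GTPU_PORT))  # reverse
    return packets


if __name__ == "__main__":
    sample = build_sample()
    for enabled in (False, True):
        sessions, cpu, offloaded = simulate(sample, enabled)
        print(f"dynamic-source-port={enabled}: sessions={sessions} "
              f"cpu={cpu} offloaded={offloaded}")
```

Each direction is keyed separately, which reproduces the two sessions and four CPU-handled packets the text gives for bi-directional traffic between one address pair.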
This feature is available on standard FortiOS and FortiOS Carrier. This feature requires a FortiGate with NP7 processors. GTP-U and GTP-C session helpers must be enabled. You must have configured a firewall policy to accept GTP traffic and that policy must include a GTP profile. This feature is not affected by the following options:
config system npu
set gtp-support {disable | enable}
set gtp-enhanced-mode {disable | enable}
end