Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 8.0.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Hardware Acceleration

    Home FortiGate / FortiOS 8.0.0 Hardware Acceleration
    8.0.0
    8.0.0
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.19
    7.0.18
    7.0.17
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.1
    7.0.0
    6.4.16
    6.2.17
    6.0.18
    6.0.17
    6.0.16
    6.0.15
    6.0.14
    5.6.0

    What's new for FortiOS 8.0.0

    What's new for FortiOS 8.0.0

    This section lists the new hardware acceleration features added to FortiOS 8.0.0:

    • L3/L4 header-based hashing for NP7-offloaded GRE tunnels, see L3/L4 header-based hashing for NP7-offloaded GRE tunnels.

    • ECMP hashing of NP7-offloaded GRE tunnels, see Support for ECMP hashing of NP7-offloaded GRE tunnels .

    • NP7 offloading of TCP and UDP sessions denied by firewall policies to reduce CPU usage, see NP7 offloading of TCP and UDP sessions denied by a firewall policy to reduce CPU usage.

    • NP7 VXLAN MAC flapping protection, see Enabling VXLAN MAC flapping protection.

    • NP7 traffic anomaly protection for TCP, UDP, and ICMP checksum error detection now includes the allow option to allow TCP, UDP, and ICMP packets with incorrect checksums, see config fp-anomaly.

      config system npu

      config fp-anomaly

      set tcp-csum-err {allow | drop | trap-to-host}

      set udp-csum-err {allow | drop | trap-to-host}

      set icmp-csum-err {allow | drop | trap-to-host}

      end

    • The NP7 session accounting interval range is now 1 to 600 seconds. Increase the per-session accounting interval to reduce bandwidth usage. See Changing the per-session accounting interval.

      config system npu

      set session-acct-interval <seconds>

      end

    • New options to control the bandwidth allowed for traffic flow between NP7 processors and the internal switch fabric (ISF). In some high-traffic configurations, limiting this bandwidth can improve performance, for example by reducing DSW drops and ReasmFails.

      config system npu

      set sw-np-rate <rate>

      set sw-np-rate-unit {mbps | pps}

      set sw-np-rate-burst <burst-rate}

      end

      For more information, see NP7 to ISF bandwidth control.

    • The default setting for vlan-lookup-cache has been changed to disable, see vlan-lookup-cache {disable | enable}.

      config system npu

      set vlan-lookup-cache {disable | enable}

      end

    • Dynamic shaping profiles are supported for traffic offloaded by NP7 or NP7Lite (SoC5) processors. This feature allows traffic control policies to be applied per user based on authentication details and bandwidth parameters from the RADIUS server. For more information, see Traffic shaping based on dynamic RADIUS VSAs.

    • Changes to outbandwidth or egress shaping profiles on a physical or VLAN interface do not take effect for IPsec tunnels or sessions that are already established and offloaded by NP7 or NP7Lite (SoC5) processors. To apply the updated egress shaping settings, you must manually flush or reinstall the affected IPsec SAs and clear any offloaded sessions. Doing this rebuilds the IPsec tunnel and associated sessions using the new interface shaping configuration. You can configure FortiGates with NP7Lite (SoC5) processors to automatically flush or reinstall the affected IPsec SAs and clear any offloaded sessions after changing the configuration of an outbandwidth or egress shaping profile, see Automatic NP7Lite (SOC5) egress shaping profile refresh.

    • The FortiGate 120G and 121G port17 to port24 interfaces can be configured to operate at 100Mbps, see Changing the speed of the port17 to port24 interfaces.

    Previous
    Next

    What's new for FortiOS 8.0.0

    What's new for FortiOS 8.0.0

    This section lists the new hardware acceleration features added to FortiOS 8.0.0:

    • L3/L4 header-based hashing for NP7-offloaded GRE tunnels, see L3/L4 header-based hashing for NP7-offloaded GRE tunnels.

    • ECMP hashing of NP7-offloaded GRE tunnels, see Support for ECMP hashing of NP7-offloaded GRE tunnels .

    • NP7 offloading of TCP and UDP sessions denied by firewall policies to reduce CPU usage, see NP7 offloading of TCP and UDP sessions denied by a firewall policy to reduce CPU usage.

    • NP7 VXLAN MAC flapping protection, see Enabling VXLAN MAC flapping protection.

    • NP7 traffic anomaly protection for TCP, UDP, and ICMP checksum error detection now includes the allow option to allow TCP, UDP, and ICMP packets with incorrect checksums, see config fp-anomaly.

      config system npu

      config fp-anomaly

      set tcp-csum-err {allow | drop | trap-to-host}

      set udp-csum-err {allow | drop | trap-to-host}

      set icmp-csum-err {allow | drop | trap-to-host}

      end

    • The NP7 session accounting interval range is now 1 to 600 seconds. Increase the per-session accounting interval to reduce bandwidth usage. See Changing the per-session accounting interval.

      config system npu

      set session-acct-interval <seconds>

      end

    • New options to control the bandwidth allowed for traffic flow between NP7 processors and the internal switch fabric (ISF). In some high-traffic configurations, limiting this bandwidth can improve performance, for example by reducing DSW drops and ReasmFails.

      config system npu

      set sw-np-rate <rate>

      set sw-np-rate-unit {mbps | pps}

      set sw-np-rate-burst <burst-rate}

      end

      For more information, see NP7 to ISF bandwidth control.

    • The default setting for vlan-lookup-cache has been changed to disable, see vlan-lookup-cache {disable | enable}.

      config system npu

      set vlan-lookup-cache {disable | enable}

      end

    • Dynamic shaping profiles are supported for traffic offloaded by NP7 or NP7Lite (SoC5) processors. This feature allows traffic control policies to be applied per user based on authentication details and bandwidth parameters from the RADIUS server. For more information, see Traffic shaping based on dynamic RADIUS VSAs.

    • Changes to outbandwidth or egress shaping profiles on a physical or VLAN interface do not take effect for IPsec tunnels or sessions that are already established and offloaded by NP7 or NP7Lite (SoC5) processors. To apply the updated egress shaping settings, you must manually flush or reinstall the affected IPsec SAs and clear any offloaded sessions. Doing this rebuilds the IPsec tunnel and associated sessions using the new interface shaping configuration. You can configure FortiGates with NP7Lite (SoC5) processors to automatically flush or reinstall the affected IPsec SAs and clear any offloaded sessions after changing the configuration of an outbandwidth or egress shaping profile, see Automatic NP7Lite (SOC5) egress shaping profile refresh.

    • The FortiGate 120G and 121G port17 to port24 interfaces can be configured to operate at 100Mbps, see Changing the speed of the port17 to port24 interfaces.

    Previous
    Next