Example
You could configure the offloading of encryption and decryption for an IPsec SA that was sent to the network processor.
config system npu
    set enc-offload-antireplay enable
    set dec-offload-antireplay enable
    set offload-ipsec-host enable
end
Disabling NP acceleration for individual IPsec VPN phase 1s
Use the following command to disable NP offloading for an interface-based IPsec VPN phase 1:
config vpn ipsec phase1-interface
    edit phase-1-name
        set npu-offload disable
end
Use the following command to disable NP offloading for a policy-based IPsec VPN phase 1:
config vpn ipsec phase1
    edit phase-1-name
        set npu-offload disable
end
The npu-offload option is enabled by default.
Disabling NP offloading for unsupported IPsec encryption or authentication algorithms
In general, more recent IPsec VPN encryption and authentication algorithms may not be supported by older NP processors. For example, NP4 network processors do not support SHA-256, SHA-384, and SHA-512. IPsec traffic that uses unsupported algorithms is not offloaded and is instead processed by the FortiGate CPU. In addition, this configuration may cause packet loss and other performance issues. If you experience packet loss or performance problems, you should set the npu-offload option to disable. Future FortiOS versions should prevent selecting algorithms not supported by the hardware.
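To find the phase 1 definitions affected by the NP4 limitation described above, the following added example (not Fortinet code and not part of the original page) scans the text of a configuration backup for phase 1s that propose SHA-256, SHA-384 or SHA-512 while npu-offload is left at its enabled default. Assumptions: the function name and sample configuration are constructed for illustration, proposals appear as `set proposal <cipher>-<hash> ...`, and phase 1 entries contain no nested config blocks.

```python
import re

# Hash algorithms the page says NP4 processors do not support.
NP4_UNSUPPORTED = {"sha256", "sha384", "sha512"}
SECTION = re.compile(r"config vpn ipsec (phase1(?:-interface)?)$")

# Constructed sample backup, not taken from a real device.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "branch-a"
        set proposal aes256-sha256 aes128-sha1
    next
    edit "branch-b"
        set proposal aes256-sha512
        set npu-offload disable
    next
    edit "branch-c"
        set proposal aes128-sha1
    next
end
config vpn ipsec phase1
    edit "legacy"
        set proposal 3des-sha384
end
"""


def find_cpu_bound_phase1(config_text, unsupported=NP4_UNSUPPORTED):
    """List phase 1s that propose an unsupported hash with npu-offload enabled."""
    findings, section, name, hashes, offload = [], None, None, set(), True
    for line in map(str.strip, config_text.splitlines()):
        m = SECTION.match(line)
        if m:
            section, name = m.group(1), None
        elif not section:
            continue
        elif line.startswith("edit "):
            name, hashes, offload = line[5:].strip('"'), set(), True
        elif line.startswith("set proposal "):
            # Each proposal is <cipher>-<hash>; keep only the hash part.
            hashes = {p.rsplit("-", 1)[-1] for p in line.split()[2:]} & unsupported
        elif line == "set npu-offload disable":
            offload = False
        elif line in ("next", "end"):
            if name and hashes and offload:
                findings.append((section, name, sorted(hashes)))
            name, section = None, (None if line == "end" else section)
    return findings
```

Calling `find_cpu_bound_phase1(SAMPLE_CONFIG)` returns the `branch-a` and `legacy` entries; `branch-b` is skipped because offloading is already disabled, and `branch-c` because it proposes only SHA-1.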
Disabling NP offloading for firewall policies
Use the following options to disable NP offloading for specific security policies:
For IPv4 security policies.
config firewall policy
    edit 1
        set auto-asic-offload disable
end
For IPv6 security policies.
config firewall policy6
    edit 1
        set auto-asic-offload disable
end
For multicast security policies.
config firewall multicast-policy
    edit 1
        set auto-asic-offload disable
end