NP6 session accounting enabled when traffic logging is enabled in a firewall policy (268426)
By default, on a FortiGate unit with NP6 processors, when you enable traffic logging in a firewall policy this also enables NP6 per-session accounting. If you disable traffic logging this also disables NP6 per-session accounting. This behavior can be changed using the following command:
config system np6
edit np6_0
set per-session-accounting {disable | all-enable | enable-by-log}
end
By default, per-session-accounting is set to enable-by-log, which results in per-session accounting being turned on when you enable traffic logging in a policy. You can disable per-session accounting or set all- enable to enable per-session accounting whether or not traffic logging is enabled. Note that this configuration is set separately for each NP6 processor.
When offloaded sessions appear on the FortiView All Sessions console they include an icon identifying them as NP sessions:
You can hover over the NP icon to see some information about the offloaded sessions.
Determining why a session is not offloaded (245447)
You can use the diagnose sys session list command to get information about why a session has not been offloaded to an NP4 or NP6 processor.
If a session has not been offloaded the session information displayed by the command includes no_ofld_ reason followed by information to help you determine the cause. To take a simple example, an HTTPS session connecting to the GUI could have a field similar to no_ofld_reason: local. This means the session is a local session that is not offloaded.
The no_ofld_reason field only appears if the session is not offloaded and includes information to help determine why the session is not offloaded. For example,
no_ofld_reason: redir-to-av redir-to-ips non-npu-intf Indicates that the session is not offloaded because it was redirected to virus scanning (redir-to-av), IPS (redir-to-ips), and so on.
IPsec pass-through traffic is now offloaded to NP6 processors (253221)
IPsec traffic that passes through a FortiGate without being unencrypted is now be offloaded to NP6 processors.
Disabling offloading IPsec Diffie-Hellman key exchange (269555)
You can use the following command to disable using ASIC offloading to accelerate IPsec Diffie-Hellman key exchange for IPsec ESP traffic. By default hardware offloading is used. For debugging purposes or other reasons you may want this function to be processed by software.
Use the following command to disable using ASIC offloading for IPsec Diffie Hellman key exchange:
config system global
set ipsec-asic-offload disable end