Disabling offloading IPsec Diffie-Hellman key exchange
You can use the following command to disable ASIC offloading of the IPsec Diffie-Hellman key exchange for IPsec ESP traffic. By default, hardware offloading is used. For debugging or other reasons you may want this function to be processed in software instead.
Use the following command to disable ASIC offloading for the IPsec Diffie-Hellman key exchange:
config system global
set ipsec-asic-offload disable
end
Configuring individual NP6 processors
You can use the config system np6 command to configure a wide range of settings for the NP6 processors in your FortiGate unit, including enabling or disabling fastpath and low-latency mode, enabling session accounting and adjusting session timeouts. You can also set anomaly checking for IPv4 and IPv6 traffic, and you can configure different settings for each NP6 processor.
The settings that you configure for an NP6 processor with the config system np6 command apply to traffic processed by all interfaces connected to that NP6 processor. This includes the physical interfaces connected to the NP6 processor as well as all subinterfaces, VLAN interfaces, IPsec interfaces, LAGs and so on associated with the physical interfaces connected to the NP6 processor.
Some of the options for this command apply anomaly checking to NP6 sessions in the same way as the command described in Offloading NP4 anomaly detection on page 1270 applies anomaly checking to NP4 sessions.
config system np6
edit <np6-processor-name>
set fastpath {disable | enable}
set low-latency-mode {disable | enable}
set per-session-accounting {all-enable | disable | enable-by-log}
set garbage-session-collector {disable | enable}
set session-collector-interval <range>
set session-timeout-interval <range>
set session-timeout-random-range <range>
set session-timeout-fixed {disable | enable}
config fp-anomaly-v4
set icmp-frag {allow | drop | trap-to-host}
set icmp-land {allow | drop | trap-to-host}
set ipv4-land {allow | drop | trap-to-host}
set ipv4-optlsrr {allow | drop | trap-to-host}
set ipv4-optrr {allow | drop | trap-to-host}
set ipv4-optsecurity {allow | drop | trap-to-host}
set ipv4-optssrr {allow | drop | trap-to-host}
set ipv4-optstream {allow | drop | trap-to-host}
set ipv4-opttimestamp {allow | drop | trap-to-host}
set ipv4-proto-err {allow | drop | trap-to-host}
set ipv4-unknopt {allow | drop | trap-to-host}
set tcp-land {allow | drop | trap-to-host}
set tcp-syn-fin {allow | drop | trap-to-host}
set tcp-winnuke {allow | drop | trap-to-host}
set tcp_fin_noack {allow | drop | trap-to-host}
set tcp_fin_only {allow | drop | trap-to-host}
set tcp_no_flag {allow | drop | trap-to-host}
set tcp_syn_data {allow | drop | trap-to-host}
set udp-land {allow | drop | trap-to-host}
end
config fp-anomaly-v6
set ipv6-daddr_err {allow | drop | trap-to-host}
set ipv6-land {allow | drop | trap-to-host}
set ipv6-optendpid {allow | drop | trap-to-host}
set ipv6-opthomeaddr {allow | drop | trap-to-host}
set ipv6-optinvld {allow | drop | trap-to-host}
set ipv6-optjumbo {allow | drop | trap-to-host}
set ipv6-optnsap {allow | drop | trap-to-host}
set ipv6-optralert {allow | drop | trap-to-host}
set ipv6-opttunnel {allow | drop | trap-to-host}
set ipv6-proto-err {allow | drop | trap-to-host}
set ipv6-saddr_err {allow | drop | trap-to-host}
set ipv6-unknopt {allow | drop | trap-to-host}
end
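To audit the anomaly settings described above across all NP6 processors, here is an added Python example (not from the Fortinet documentation) that parses a config system np6 block and reports every anomaly check explicitly set to allow. The sample block and the allow/drop values in it are constructed, and options that are not explicitly set are skipped because this page does not list their defaults.

```python
import re
# Constructed sample in the syntax shown above (not captured from a real FortiGate).
SAMPLE_CONFIG = """\
config system np6
    edit "np6_0"
        set fastpath enable
        config fp-anomaly-v4
            set tcp-land drop
            set tcp-syn-fin allow
        end
        config fp-anomaly-v6
            set ipv6-land drop
            set ipv6-optjumbo allow
        end
    next
    edit "np6_1"
        set fastpath disable
        config fp-anomaly-v4
            set udp-land drop
        end
    next
end
"""

def parse_np6(text):
    """Return {processor: {"settings": {...}, "fp-anomaly-v4": {...}, "fp-anomaly-v6": {...}}}."""
    procs, current, section = {}, None, "settings"
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r'edit\s+"?([^"\s]+)"?$', line)
        if match:                                    # start of one NP6 processor entry
            current = match.group(1)
            procs[current] = {"settings": {}, "fp-anomaly-v4": {}, "fp-anomaly-v6": {}}
            section = "settings"
        elif line.startswith("config fp-anomaly-"):  # nested anomaly table
            section = line.split()[1]
        elif line == "end":                          # closes the nested table (or the block)
            section = "settings"
        elif line == "next":                         # end of this processor entry
            current = None
        elif line.startswith("set ") and current:
            key, value = line[4:].split(None, 1)
            procs[current][section][key] = value
    return procs

def anomaly_allowed(procs):
    """List (processor, table, option) for every anomaly check explicitly set to 'allow'."""
    return [(name, table, opt) for name, tables in procs.items()
            for table in ("fp-anomaly-v4", "fp-anomaly-v6")
            for opt, val in tables[table].items() if val == "allow"]
```

Feed it the output of show system np6 from a unit and review the returned list against your intended anomaly policy for each processor.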
Command syntax

fastpath {disable | enable}
Enable fastpath acceleration to offload sessions to the NP6 processor. You can disable fastpath if you don't want the NP6 processor to offload sessions.
Default: enable

low-latency-mode {disable | enable}
Enable low-latency mode. In low-latency mode the integrated switch fabric is bypassed. Low-latency mode requires that packets enter and exit using the same NP6 processor. This option is only available for NP6 processors that can operate in low-latency mode, currently only np6_0 and np6_1 on the FortiGate-3700D and DX.
Default: disable

per-session-accounting {all-enable | disable | enable-by-log}
Disable NP6 per-session accounting or enable it and control how it works. If set to enable-by-log (the default), NP6 per-session accounting is only enabled if firewall policies accepting offloaded traffic have traffic logging enabled. If set to all-enable, NP6 per-session accounting is always enabled for all traffic offloaded by the NP6 processor. Enabling per-session accounting can affect performance.
Default: enable-by-log

garbage-session-collector {disable | enable}
Enable deleting expired or garbage sessions.
Default: disable

session-collector-interval <range>
Set the expired or garbage session collector time interval in seconds. The range is 1 to 100 seconds.
Default: 8

session-timeout-interval <range>
Set the timeout for inactive sessions. The range is 0 to 1000 seconds.
Default: 40

session-timeout-random-range <range>
Set the random timeout for inactive sessions. The range is 0 to 1000 seconds.
Default: 8

session-timeout-fixed {disable | enable}
Force session timeouts at fixed instead of random intervals.
Default: disable