Chapter 12 – Hardware Acceleration

FortiGate-3700DX TP2 processors support GTP offloading (294212)

The FortiGate-3700DX contains two TP2 processors that provide GTP offloading. GTPu traffic is forwarded from NP6 processors to TP2 processors. The TP2 processors filter the encapsulated traffic and send the approved GTPu traffic back to the NP6.

Hardware acceleration overview

Most FortiGate models have specialized acceleration hardware that can offload resource-intensive processing from main processing (CPU) resources. Most FortiGate units include specialized content processors (CPs) that accelerate a wide range of important security processes such as virus scanning, attack detection, encryption, and decryption. (Only selected entry-level FortiGate models do not include a CP processor.) Many FortiGate models also contain security processors (SPs), which accelerate processing for specific security features such as IPS, and network processors (NPs), which offload processing of high-volume network traffic.

Content processors (CP4, CP5, CP6, CP8, and CP9)

Most FortiGate models contain FortiASIC Content Processors (CPs) that accelerate many common resource-intensive, security-related processes. CPs work at the system level, with tasks being offloaded to them as determined by the main CPU. Capabilities of the CPs vary by model. Newer FortiGate units include CP8 and CP9 processors. Older CP versions still in use in currently operating FortiGate models include the CP4, CP5, and CP6.

CP9 capabilities

The CP9 content processor provides the following services:

  • Flow-based inspection (IPS, application control, etc.) pattern matching acceleration with over 10 Gbps throughput
  • IPS pre-scan
  • IPS signature correlation
  • Full match processors
  • High performance VPN bulk data engine
  • IPsec and SSL/TLS protocol processor
  • DES/3DES/AES128/192/256 in accordance with FIPS46-3/FIPS81/FIPS197
  • MD5/SHA-1/SHA256/384/512-96/128/192/256 with RFC1321 and FIPS180
  • HMAC in accordance with RFC2104/2403/2404 and FIPS198
  • ESN mode
  • GCM support for NSA “Suite B” (RFC6379/RFC6460) including GCM-128/256; GMAC-128/256
  • Key Exchange Processor that supports high performance IKE and RSA computation
  • Public key exponentiation engine with hardware CRT support
  • Primality checking for RSA key generation
  • Handshake accelerator with automatic key material generation
  • True Random Number generator
  • Elliptic Curve support for NSA “Suite B”
  • Sub public key engine (PKCE) to support up to 4096 bit operation directly (4k for DH and 8k for RSA with CRT)
  • DLP fingerprint support
  • TTTD (Two-Thresholds-Two-Divisors) content chunking
  • Two thresholds and two divisors are configurable
