SP Processing Flow
SP processors provide an integrated, high-performance fast path multilayer solution for both intrusion protection and firewall functions. The multilayered protection starts with anomaly checking at the packet level to ensure each packet is sound and reasonable. Immediately after that, a sophisticated set of interface-based packet anomaly protection, DDoS protection, policy-based intrusion protection, firewall fast path, and behavior-based methods are employed to keep DDoS attacks away from the rest of the system.
Then the packets enter an interface/policy based intrusion protection system, where each packet is evaluated against a set of signatures. The end result is streams of user packets that are free of anomaly and attacks, entering the fast path system for unicast or multicast fast path forwarding.
SP processing flow
Displaying information about security processing modules
You can display information about installed SP modules using the CLI command
diagnose npu spm
For example, for the FortiGate-5101C:
FG-5101C # diagnose npu spm list
Available SP Modules:
ID Model Slot Interface
0 xh0 built-in port1, port2, port3, port4, base1, base2, fabric1, fabric2, eth10, eth11, eth12, eth13, eth14, eth15, eth16, eth17, eth18, eth19
You can also use this command to get more information about SP processing. This example shows how to display details about how the module is processing sessions using the SYN proxy.
diagnose npu spm dos synproxy <sp_id>
This is a partial output of the command:
Number of proxied TCP connections : 0
Number of working proxied TCP connections : 0
Number of retired TCP connections : 0
Number of valid TCP connections : 0
Number of attacks, no ACK from client : 0
Number of no SYN-ACK from server : 0
Number of reset by server (service not supportted): 0
Number of establised session timeout : 0
Client timeout setting : 3 Seconds
Server timeout setting : 3 Seconds
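The counters above are most useful when sampled over time: a SYN flood shows up as proxied connections that never receive the client's ACK. As an added example (not Fortinet code or product output), the following Python parses two snapshots of this output and flags a suspected SYN flood from the growth of the "no ACK from client" counter; the sample values, the sampling interval and the thresholds are constructed assumptions.

```python
import re
from typing import Dict

# Constructed sample: two snapshots of "diagnose npu spm dos synproxy <sp_id>"
# output taken some seconds apart. Counter names follow the partial output
# shown above (including its spelling); the values are made up.
SNAPSHOT_T0 = """\
Number of proxied TCP connections : 0
Number of working proxied TCP connections : 0
Number of retired TCP connections : 0
Number of valid TCP connections : 0
Number of attacks, no ACK from client : 0
Number of no SYN-ACK from server : 0
Number of reset by server (service not supportted): 0
Number of establised session timeout : 0
Client timeout setting : 3 Seconds
Server timeout setting : 3 Seconds
"""

SNAPSHOT_T1 = """\
Number of proxied TCP connections : 5120
Number of working proxied TCP connections : 4800
Number of retired TCP connections : 300
Number of valid TCP connections : 20
Number of attacks, no ACK from client : 4780
Number of no SYN-ACK from server : 2
Number of reset by server (service not supportted): 0
Number of establised session timeout : 1
Client timeout setting : 3 Seconds
Server timeout setting : 3 Seconds
"""

# "Name : value" lines; trailing units such as "Seconds" are ignored.
LINE_RE = re.compile(r"^\s*(?P<name>.+?)\s*:\s*(?P<value>\d+)\b")

def parse_synproxy(output: str) -> Dict[str, int]:
    """Turn the counter lines into a dict of integer values."""
    counters = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters

def assess(before: Dict[str, int], after: Dict[str, int], interval_s: float,
           noack_rate_threshold: float = 100.0) -> Dict[str, object]:
    """Suspect a SYN flood when proxied connections with no client ACK grow
    faster than the threshold (per second, an assumed value) and make up
    at least half of the new proxied connections in the interval."""
    delta = {k: after[k] - before.get(k, 0) for k in after}
    no_ack = delta.get("Number of attacks, no ACK from client", 0)
    proxied = delta.get("Number of proxied TCP connections", 0)
    rate = no_ack / interval_s if interval_s > 0 else 0.0
    share = no_ack / proxied if proxied else 0.0
    return {"no_ack_per_s": rate, "no_ack_share": share,
            "syn_flood_suspected": rate >= noack_rate_threshold and share >= 0.5}
```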
Network processors (NP1, NP2, NP3, NP4 and NP6)
FortiASIC network processors work at the interface level to accelerate traffic by offloading traffic from the main CPU. Current models contain NP4 and NP6 network processors. Older FortiGate models include NP1 network processors (also known as FortiAccel, or FA2) and NP2 network processors.
The traffic that can be offloaded, maximum throughput, and number of network interfaces supported by each varies by processor model:
- NP6 supports offloading of most IPv4 and IPv6 traffic, IPsec VPN encryption, CAPWAP traffic, and multicast traffic.
- The NP6 has a capacity of 40 Gbps through 4 x 10 Gbps interfaces or 3 x 10 Gbps and 16 x 1 Gbps interfaces. For details about the NP6 processor, see NP6 Acceleration on page 1208 and for information about FortiGate models with NP6 processors, see FortiGate NP6 architectures on page 1221.
- NP4 supports offloading of most IPv4 firewall traffic and IPsec VPN encryption. The NP4 has a capacity of 20 Gbps through 2 x 10 Gbps interfaces. For details about NP4 processors, see NP4 Acceleration on page 1258 and for information about FortiGate models with NP4 processors, see FortiGate NP4 architectures on page 1273.
- NP2 supports IPv4 firewall and IPsec VPN acceleration. The NP2 has a capacity of 2 Gbps through 2 x 10 Gbps interfaces or 4 x 1 Gbps interfaces.
- NP1 supports IPv4 firewall and IPsec VPN acceleration with 2 Gbps capacity. The NP1 has a capacity of 2 Gbps through 2 x 1 Gbps interfaces.
- The NP1 does not support frames greater than 1500 bytes. If your network uses jumbo frames, you may need to adjust the MTU (Maximum Transmission Unit) of devices connected to NP1 ports. Maximum frame size for NP2, NP4, and NP6 processors is 9216 bytes.
- For both NP1 and NP2 network processors, ports attached to a network processor cannot be used for firmware installation by TFTP.
Sessions that require proxy-based security features (for example, virus scanning, IPS, application control and so on) are not fast pathed and must be processed by the CPU. Sessions that require flow-based security features can be offloaded to NP4 or NP6 network processors if the FortiGate supports NTurbo.
Determining the network processors installed on your FortiGate unit
Use either of the following commands to list the NP6 processors in your FortiGate unit:
get hardware npu np6 port-list
diagnose npu np6 port-list
To list other network processors on your FortiGate unit, use the following CLI command.
get hardware npu <model> list
<model> can be legacy, np1, np2 or np4.
The output lists the interfaces that have the specified processor. For example, for a FortiGate-5001B:
get hardware npu np4 list
ID Model Slot Interface
0 On-board port1 port2 port3 port4 fabric1 base1 npu0-vlink0 npu0-vlink1
1 On-board port5 port6 port7 port8 fabric2 base2 npu1-vlink0 npu1-vlink1
The npu0-vlink0, npu1-vlink1 and similar interfaces are used for accelerating inter-VDOM links.