Hardware acceleration (5.6.1)

Hardware acceleration (5.6)

New hardware acceleration features added to FortiOS 5.6.1.

IPsec session ESP padding and NP6 acceleration (416950)

In some situations, when ESP packets in IPsec sessions carry large amounts of layer 2 padding, the NP6 IPsec engine may not be able to process them and the session may be blocked.

The following CLI option has been added to cause the NP6 processor to strip the ESP padding before sending the packets to the IPsec engine. With the padding stripped, the session can be processed normally by the IPsec engine.

Use the following command to strip ESP padding:

config system npu
  set strip-esp-padding enable
end

Stripping ESP padding is disabled by default. If you notice that offloaded IPsec sessions are failing, you can enable this option and check whether the problem is resolved.

Hardware acceleration (5.6)

New hardware acceleration features added to FortiOS 5.6.

Improved visibility of SPU and nTurbo hardware acceleration (389711)

All hardware acceleration hardware has been renamed Security Processing Units (SPUs). This includes NPx and CPx processors.

SPU and nTurbo data is now visible in a number of places on the GUI. For example, the Active Sessions column pop-up in the firewall policy list and the Sessions dashboard widget.


You can also add SPU filters to many FortiView pages.

NP4Lite option to disable offloading ICMP traffic in IPsec tunnels (383939)

In some cases ICMP traffic in IPsec VPN tunnels may be dropped by the NP4Lite processor due to a bug with the NP4Lite firmware. You can use the following command to avoid this problem by preventing the NP4Lite processor from offloading ICMP sessions in IPsec VPN tunnels. This command is only available on FortiGate models with NP4Lite processors, such as the FortiGate/FortiWiFi-60D.

config system npu
  set process-icmp-by-host {disable | enable}
end

The option is disabled by default and all ICMP traffic in IPsec VPN tunnels is offloaded where possible. If you notice that ICMP packets in IPsec VPN tunnels are being dropped, you can enable this option and have all ICMP traffic processed by the CPU instead of being offloaded to the NP4Lite.

NP6 IPv4 invalid checksum anomaly checking (387675)

The following new options have been added to NP6 processors to check for checksum errors in the IPv4 header and in TCP, UDP, and ICMP packets:

config system np6
  edit {np6_0 | np6_1 | …}
    config fp-anomaly-v4
      set ipv4-csum-err {drop | trap-to-host}
      set tcp-csum-err {drop | trap-to-host}
      set udp-csum-err {drop | trap-to-host}
      set icmp-csum-err {drop | trap-to-host}
    end
  next
end

You can use these options to either drop packets with checksum errors (the default) or trap them to the CPU for processing. Normally you would want to drop these packets.
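To make the drop / trap-to-host decision concrete, here is an added software model of the checksum checks behind fp-anomaly-v4 (illustrative code written for this page, not FortiOS or Fortinet code); it verifies the IPv4 header checksum and the UDP checksum over the pseudo-header on constructed sample packets and returns the action the configured value would select. The function names, the UDP-only scope and the sample packets are assumptions of this example.

```python
import struct

# Added illustrative code, not FortiOS code: a software model of the NP6
# fp-anomaly-v4 checksum checks using the page's action values {drop | trap-to-host}.

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_header_ok(pkt: bytes) -> bool:
    """A correct IPv4 header (checksum field included) sums to 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    return ones_complement_sum(pkt[:ihl]) == 0xFFFF

def udp_ok(pkt: bytes) -> bool:
    """UDP checksum check over the IPv4 pseudo-header plus datagram (RFC 768)."""
    udp = pkt[(pkt[0] & 0x0F) * 4:]
    if udp[6:8] == b"\x00\x00":          # zero means 'no checksum'; accepted as-is
        return True
    pseudo = pkt[12:20] + b"\x00\x11" + struct.pack("!H", len(udp))
    return ones_complement_sum(pseudo + udp) == 0xFFFF

def fp_anomaly_v4(pkt: bytes, ipv4_csum_err="drop", udp_csum_err="drop") -> str:
    """Return the configured action for a checksum anomaly, or 'offload' if none is hit."""
    if not ipv4_header_ok(pkt):
        return ipv4_csum_err
    if pkt[9] == 17 and not udp_ok(pkt):   # only UDP is modelled here (assumption)
        return udp_csum_err
    return "offload"

def build_udp_packet(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/UDP packet with valid header and UDP checksums."""
    udp_len = 8 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64, 17, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", 0xFFFF ^ ones_complement_sum(hdr)) + hdr[12:]
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = src + dst + b"\x00\x11" + struct.pack("!H", udp_len)
    csum = (0xFFFF ^ ones_complement_sum(pseudo + udp)) or 0xFFFF
    return hdr + udp[:6] + struct.pack("!H", csum) + udp[8:]

# Constructed samples: one clean packet and two corrupted copies.
GOOD = build_udp_packet(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 40000, 53, b"query")
BAD_IP = GOOD[:8] + bytes([65]) + GOOD[9:]    # TTL altered after the header was checksummed
BAD_UDP = GOOD[:-5] + b"quary"                # payload byte corrupted in flight
```

Calling fp_anomaly_v4(BAD_IP) returns "drop" with the defaults and "trap-to-host" when ipv4_csum_err is set to that value, while GOOD returns "offload".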


This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
