Hardware acceleration
NP6 diagnose commands and get command changes (288738)
You can use the get hardware npu np6 command to display information about the NP6 processors in your FortiGate and the sessions they are processing. This command contains a subset of the options available from the diagnose npu np6 command. The command syntax is:
get hardware npu np6 {dce <np6-id> | ipsec-stats | port-list | session-stats <np6-id> |
sse-stats <np6-id> | synproxy-stats}
<np6-id> identifies the NP6 processor. 0 is np6_0, 1 is np6_1 and so on. dce show NP6 non-zero sub-engine drop counters for the selected NP6. ipsec-stats show overall NP6 IPsec offloading statistics.
port-list show the mapping between the FortiGate’s physical ports and its NP6 processors.
session-stats show NP6 session offloading statistics counters for the selected NP6.
sse-stats show hardware session statistics counters.
synproxy-stats show overall NP6 synproxy statistics for TCP connections identified as being syn proxy DoS attacks.
NP6 session accounting enabled when traffic logging is enabled in a firewall policy (268426)
By default, on a FortiGate unit with NP6 processors, when you enable traffic logging in a firewall policy this also enables NP6 per-session accounting. If you disable traffic logging this also disables NP6 per-session accounting. This behavior can be changed using the following command:
config system np6 edit np6_0
set per-session-accounting {disable | all-enable | enable-by-log}
end
By default, per-session-accounting is set to enable-by-log, which results in per-session accounting being turned on when you enable traffic logging in a policy. You can disable per-session accounting or set all- enable to enable per-session accounting whether or not traffic logging is enabled. Note that this configuration is set separately for each NP6 processor.
When offloaded sessions appear on the FortiView All Sessions console they include an icon identifying them as
NP sessions:
You can hover over the NP icon to see some information about the offloaded sessions.
Determining why a session is not offloaded (245447)
You can use the diagnose sys session list command to get information about why a session has not been offloaded to an NP4 or NP6 processor.
If a session has not been offloaded the session information displayed by the command includes no_ofld_ reason followed by information to help you determine the cause. To take a simple example, an HTTPS session connecting to the GUI could have a field similar to no_ofld_reason: local. This means the session is a local session that is not offloaded.
The no_ofld_reason field only appears if the session is not offloaded and includes information to help determine why the session is not offloaded. For example,
no_ofld_reason: redir-to-av redir-to-ips non-npu-intf
Indicates that the session is not offloaded because it was redirected to virus scanning (redir-to-av), IPS (redir-to-ips), and so on.
IPsec pass-through traffic is now offloaded to NP6 processors (253221)
IPsec traffic that passes through a FortiGate without being unencrypted is now be offloaded to NP6 processors.
Disabling offloading IPsec Diffie-Hellman key exchange (269555)
You can use the following command to disable using ASIC offloading to accelerate IPsec Diffie-Hellman key exchange for IPsec ESP traffic. By default hardware offloading is used. For debugging purposes or other reasons you may want this function to be processed by software.
Use the following command to disable using ASIC offloading for IPsec Diffie Hellman key exchange:
config system global
set ipsec-asic-offload disable end
FortiGate–3700DX TP2 processors support GTP offloading (294212)
The FortiGate-3700DX contains two TP2 processors that provide GTP offloading. GTPu traffic is forwarded from NP6 processors to TP2 processors. The TP2 processors filter the encapsulated traffic and send the approved GTPu traffic back to the NP6.