Enterprise - FW - 02-Hardware Acceleration On FortiGate

The document discusses hardware acceleration on FortiGate devices. It describes how network and content processors offload traffic processing from the CPU to accelerate throughput. The NP7, NP6, NTurbo, SoC4 and CP9 processors are covered, outlining their features and roles. Traffic processing is offloaded from the kernel to these processors, within certain session and protocol limits. The hardware acceleration architecture and how traffic flows through it are also summarized.

Enterprise Firewall

Hardware Acceleration

FortiOS 7.2
© Copyright Fortinet Inc. All rights reserved. Last Modified: January 23, 2024
Objectives
• Describe the architecture of hardware offload on FortiGate
• Explain NP7, NP6, NTurbo, SoC4, and CP9 processors and their features
• Describe how traffic is offloaded from kernel to NP
• Describe the limitations of offloading the traffic
• Configure hardware acceleration

© Fortinet Inc. All Rights Reserved. 2


Hardware Offload Architecture

Security Processing Unit

Diagram (slide): the security processing unit, with the CPU connected to two offload processors:
• Network processor: offloads networking functions
• Content processor: offloads security functions


Network Processor
• Hardware-based network security platform
• Offers performance, scalability, and management simplicity
• Works at the interface level
• Accelerates traffic by offloading traffic from the CPU
• Current Fortinet NP models are:
  • NP7
  • NP6
  • NP6XLite
  • NP6Lite


Content Processor
• A component of a FortiGate device
• Accelerates common resource-intensive security-related processes
• Works at the system level and receives offloaded tasks from the CPU
• Security tasks are offloaded to the CP according to how the CPU assigns its tasks
• Current Fortinet CP models are:
  • CP9
  • CP9XLite
  • CP9Lite


NP Direct Architecture
• Available on FortiGate devices that have two or more NP6 processors
• Hardware architecture that has a FortiASIC network processor directly connected to the interfaces
• Reduces forwarding latency
• Eliminates the ISF (integrated switch fabric)
• Physical topology must ensure that all traffic passes through the offloaded interfaces of one NP6 processor


Processor Features

NP7 Processor
• 1 channel of 8 PCIe host interfaces
• Maximum 200 Gbps forwarding throughput
• Two 100-Gbps interfaces
• Accelerated session setup and logging
• Hyperscale services
  • License required for high-end devices
  • CGNAT and hardware logging support
  • Volumetric DDoS protection
• IPsec VPN improvement
  • Higher throughput
  • Suite B IPsec acceleration with ESN support
• GTP load balancing


NP6 Processor
• Available in two versions:
  • Four 10-Gbps connections
  • Three 10-Gbps and 16 1-Gbps connections
• Provides bandwidth and connectivity to the CPU to achieve improved CP direct support for the latest Intel chip
• Supports the latest multicore CPU
• Adds stronger support for IPsec cryptography


NTurbo Processor
• The NTurbo processor offloads traffic inspected by the security profiles in flow-based mode
• The NP cannot offload traffic inspected by the security profiles
• The FortiOS kernel runs the NTurbo driver to handle incoming traffic
• The NTurbo processor runs on a dedicated CPU and is not shared with other tasks
• The NTurbo processor receives packets from the ISF through the CPU and NP
• For a new session, the NTurbo processor sends packets to the IPS engine
• The IPS engine processes the required security action
• The IPS engine then sends the packet back to the NTurbo processor
• The NTurbo processor continues to send processed packets back to the NP and then to the ISF


SoC4 Processor
• Integrates the following components in one chip:
  • CPU
  • NP6XLite
  • CP9XLite
• Available on some entry-level FortiGate devices
• Does not require binding interfaces to specific NPs
• Accelerates all sessions


CP9 Processor
• Offloads tasks and performs hardware encryption
• Performance enhancement dependent on CPU architecture and speed
• Supports content processing in the following areas:
  • VPN
  • SSL offloading
  • Flow-based UTM
• Improves dynamic signatures and hashes on AV
• Allows configurable TTTD (two-thresholds, two-divisors content chunking)


Traffic Offload

NP Offloading Packet Flow
• The NP alters traffic when offloading packets
• The packets initiating a session pass to the CPU
• FortiGate verifies whether the packets match the session offloading requirements
  • The requirements depend on the type of NP
  • The assessment determines only whether to fast-path packets
• If the packets meet the requirements, the session key or IPsec SA passes to the NP
• The NP continues to match packets on ingress ports
• The NP accepts packets, or drops them if further anomaly checks are required
  • IPS anomaly checks are separate from the NP checks
• The NP checks the session key or IPsec SA
  • If it finds a match, packet acceleration continues, and the NP offloads the packets from the FortiGate CPU
  • If the session doesn't match or meet the requirements, the NP cannot offload it and sends the packets to the FortiGate CPU


NP Offloading Packet Flow (Contd)

Flowchart (slide diagram, rendered as text):

  Traffic arrives at FortiGate
    -> Packet arrives at NP interface
    -> Has anomalies?
         Yes -> Discard
         No  -> Fast-path compatible?
                  No  -> Send to CPU
                  Yes -> Matches a session key or SA?
                           No  -> Send to CPU
                           Yes -> Packet fast-pathed


NP Offload Session Flow
• The FortiGate CPU always processes the first part of traffic:
  • TCP traffic: the first three-way handshake
  • UDP traffic: the first packet
• The CPU accelerates and offloads the rest of the traffic

Diagram (slide): first session setup is handled by the CPU over the PCI bus (SYN, SYN/ACK, ACK); the subsequent Data packets are offloaded to the NP

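The packet-flow and session-flow slides above describe one decision path: anomaly check, fast-path compatibility, then a session-key or SA lookup, with the CPU handling session setup until it pushes a key down to the NP. The following is an added example (not Fortinet code and not part of the deck) that models that path in Python. The class and function names are my own, the packets are constructed, and the fast-path compatibility test uses the protocols the deck lists for NP7 on the "Supported Traffic Protocols" slide, with their IANA protocol numbers assumed here.

```python
from dataclasses import dataclass, field

# IANA protocol numbers for the protocols the deck lists as NP7-accelerated
# (the numbers are an assumption of this example; the list is the deck's).
NP7_FASTPATH_PROTOCOLS = {
    1,    # ICMP
    4,    # IPv4 IP-in-IP
    6,    # TCP
    17,   # UDP
    27,   # RDP
    41,   # IPv6 encapsulation
    47,   # GRE
    50,   # ESP
    97,   # ETHERIP / EoIP
    132,  # SCTP
}
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    anomaly: bool = False  # outcome of the NP's own anomaly check (constructed flag)

    def session_key(self):
        # Direction-independent 5-tuple so reply packets match the same NP entry.
        ends = tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))
        return ends + (self.proto,)


@dataclass
class NPModel:
    """Hypothetical model of one NP plus the CPU-side session setup it depends on."""
    fastpath_protocols: set = field(default_factory=lambda: set(NP7_FASTPATH_PROTOCOLS))
    session_table: set = field(default_factory=set)  # keys/SAs the CPU has pushed down
    handshake: dict = field(default_factory=dict)    # CPU-side TCP setup state per key

    def handle(self, pkt):
        """Return 'discard', 'cpu' or 'fast-path' for one packet arriving on an NP interface."""
        if pkt.anomaly:                               # anomaly check comes first
            return "discard"
        if pkt.proto not in self.fastpath_protocols:  # not fast-path compatible
            return "cpu"
        key = pkt.session_key()
        if key in self.session_table:                 # session key or SA match
            return "fast-path"
        self.cpu_session_setup(pkt, key)              # no key yet: CPU sets the session up
        return "cpu"

    def cpu_session_setup(self, pkt, key):
        """CPU side: UDP installs the key on the first packet, TCP only after the handshake."""
        if pkt.proto != PROTO_TCP:
            self.session_table.add(key)
            return
        flags = pkt.tcp_flags & (TCP_SYN | TCP_ACK)
        state = self.handshake.get(key)
        if flags == TCP_SYN and state is None:
            self.handshake[key] = "syn"
        elif flags == TCP_SYN | TCP_ACK and state == "syn":
            self.handshake[key] = "syn-ack"
        elif flags == TCP_ACK and state == "syn-ack":
            del self.handshake[key]
            self.session_table.add(key)  # handshake complete: the rest is offloaded
        # any other packet during setup stays on the CPU and installs nothing


def simulate_tcp_flow(np=None):
    """Constructed client 10.0.0.5:40000 -> server 192.0.2.10:443 handshake followed by data."""
    np = np or NPModel()
    pkts = [
        Packet("10.0.0.5", "192.0.2.10", PROTO_TCP, 40000, 443, TCP_SYN),
        Packet("192.0.2.10", "10.0.0.5", PROTO_TCP, 443, 40000, TCP_SYN | TCP_ACK),
        Packet("10.0.0.5", "192.0.2.10", PROTO_TCP, 40000, 443, TCP_ACK),
        Packet("10.0.0.5", "192.0.2.10", PROTO_TCP, 40000, 443, TCP_ACK),  # data
        Packet("192.0.2.10", "10.0.0.5", PROTO_TCP, 443, 40000, TCP_ACK),  # data reply
    ]
    return [np.handle(p) for p in pkts]


def simulate_udp_flow(np=None):
    """Constructed DNS-style exchange: only the first packet goes to the CPU."""
    np = np or NPModel()
    pkts = [
        Packet("10.0.0.5", "192.0.2.53", PROTO_UDP, 50000, 53),
        Packet("192.0.2.53", "10.0.0.5", PROTO_UDP, 53, 50000),
    ]
    return [np.handle(p) for p in pkts]


def simulate_edge_cases(np=None):
    """Anomaly -> discard; IGMP (not in the list) -> CPU; mid-stream TCP without a handshake -> CPU every time."""
    np = np or NPModel()
    return [
        np.handle(Packet("10.0.0.5", "192.0.2.10", PROTO_TCP, 40000, 80, TCP_SYN, anomaly=True)),
        np.handle(Packet("10.0.0.5", "224.0.0.1", 2)),
        np.handle(Packet("10.0.0.7", "192.0.2.10", PROTO_TCP, 41000, 443, TCP_ACK)),
        np.handle(Packet("10.0.0.7", "192.0.2.10", PROTO_TCP, 41000, 443, TCP_ACK)),
    ]


if __name__ == "__main__":
    print("tcp:", simulate_tcp_flow())
    print("udp:", simulate_udp_flow())
    print("edge:", simulate_edge_cases())
```

The model reproduces the ordering the flowchart gives: a packet that fails the anomaly check never reaches the compatibility or session-key steps, and a TCP packet seen without a completed handshake keeps going to the CPU because no key was ever installed for it.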
Traffic Offload Limitations

NP7 Processor—Sessions Limits
• The NP7 processor supports a maximum of 12 million sessions
• If it exceeds the maximum, the processor does not offload further new traffic and the main CPU takes control
• To prevent this issue, distribute incoming sessions evenly among the available NP7 processors


NP7 Processor—Supported Traffic Protocols
• The NP7 processor accelerates the following list of protocols:

  Name              Protocol
  TCP               Transmission control protocol
  UDP               User datagram protocol
  IP-in-IP          IPv4 IP-in-IP encapsulation
  ICMP              Internet control message protocol
  RDP               Reliable data protocol
  IPv6              IPv6 encapsulation
  GRE               Generic routing encapsulation
  ESP               Encapsulating security payload
  ETHERIP or EoIP   Ethernet over IP
  SCTP              Stream control transmission protocol

  Slide callout: These protocols are accelerated only in pass-through mode


NP7 Processor—Supported Tunneling Protocols
• The NP7 processor offloads the following list of tunneling protocols:

  Name                     Protocol
  ESP used for IPsec VPN   IPsec VPN tunneling
  CAPWAP                   Communication between wireless access points and wired LANs, or between different wireless access points
  VXLAN                    VXLAN and VXLAN over IPsec; provides secure communication between data centers over public networks


CP9 Processor—Limitation
• The CP9 processor does not accelerate security inspection on unencrypted IPsec traffic on FortiGate
  • For example, IPsec VPN using the phase1 proposal AES-GMAC
• Use the CLI to configure IPsec phase1 proposals with supported proposals


Configure Hardware Acceleration

Strict Header Checking
• You can disable hardware acceleration to enforce header checking
• check-protocol-header strict disables all NPs and CPs

    config system global
        set check-protocol-header [loose|strict]
    end

• Header checking looks at the following header parameters:
  • L4 header length
  • IP header length
  • IP version
  • IP checksum
  • IP options
  • ESP and SPI correct values
  • Data length
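To make the list of header parameters concrete, here is an added example (my own code, not FortiOS or Fortinet code) of a strict IPv4 header checker that applies each of the seven checks named above to a raw packet and reports which ones fail. The exact rules FortiOS applies are not on the slide; the rules below are the usual RFC sanity checks, with the ESP check assumed to mean a complete 8-byte ESP header and a non-zero SPI. The test packets are constructed in the block.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a valid IPv4 header (checksum included) it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_ip_options(options: bytes) -> list:
    """Walk option TLVs: EOL (0) and NOP (1) are one byte; every other option carries a length >= 2."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            return ["ip-options"]
        i += options[i + 1]
    return []


def check_headers(pkt: bytes) -> list:
    """Return the names of the strict checks that fail; an empty list means the packet passes."""
    if len(pkt) < 20:
        return ["ip-header-length"]
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    if version != 4:
        return ["ip-version"]
    hlen = ihl * 4
    if ihl < 5 or hlen > len(pkt):
        return ["ip-header-length"]
    errs = []
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < hlen or total_len != len(pkt):   # data length vs. total length field
        errs.append("data-length")
    if ip_checksum(pkt[:hlen]) != 0:
        errs.append("ip-checksum")
    errs += check_ip_options(pkt[20:hlen])
    payload = pkt[hlen:min(total_len, len(pkt))]
    proto = pkt[9]
    if proto == IPPROTO_TCP:
        # TCP data offset (header length in 32-bit words) must be >= 5 and fit in the payload.
        if len(payload) < 20 or (payload[12] >> 4) < 5 or (payload[12] >> 4) * 4 > len(payload):
            errs.append("l4-header-length")
    elif proto == IPPROTO_UDP:
        # UDP length field must cover its 8-byte header and equal the IP payload length.
        if len(payload) < 8 or struct.unpack("!H", payload[4:6])[0] != len(payload):
            errs.append("l4-header-length")
    elif proto == IPPROTO_ESP:
        # ESP header = SPI (4 bytes) + sequence number (4 bytes); SPI 0 is reserved (assumed rule).
        if len(payload) < 8 or struct.unpack("!I", payload[:4])[0] == 0:
            errs.append("esp-spi")
    return errs


def build_ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed IPv4 packet 10.0.0.1 -> 10.0.0.2 with correct IHL, total length and checksum."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0x1234, 0x4000, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options
    csum = ip_checksum(hdr)  # computed with the checksum field still zero
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def udp_payload(data: bytes = b"constructed") -> bytes:
    """Constructed UDP header (40000 -> 53) with a correct length field."""
    return struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data


if __name__ == "__main__":
    good = build_ipv4(IPPROTO_UDP, udp_payload())
    print("valid packet:", check_headers(good))
    print("truncated packet:", check_headers(good[:-3]))
    print("bad option length:", check_headers(build_ipv4(IPPROTO_UDP, udp_payload(), b"\x83\x00")))
```

A packet that fails any of these checks is exactly the kind of malformed traffic the slide is about: with hardware acceleration enabled it could be forwarded by the NP before the kernel inspects it, which is why strict checking disables the NPs and CPs.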


CPU Interface Binding
• Port CPU mapping
• Enable NTurbo and IPSA

    config system npu
        config port-cpu-map
            edit <interface>
                set cpu-core {string}
            next
        end
    end


NTurbo and IPSA
• Configure NTurbo and IPSA acceleration for firewall policy sessions:
  • Firewall policy with security profiles enabled
  • Firewall policy with flow-based inspection mode
• Set NTurbo and IPSA modes (the acceleration mode for IPS processing):

    config ips global
        set np-accel-mode {none | basic}
        set cp-accel-mode {none | basic | advanced}    <- set it to advanced to offload more pattern matching
    end

• Disable NTurbo on a firewall policy for testing purposes:

    config firewall policy
        edit <policy_id>
            set np-acceleration {disable | enable}
        end


IPsec Diffie-Hellman Offloading
• FortiGate accelerates the Diffie-Hellman key exchange for IPsec traffic
• If issues arise with IPsec ESP traffic, you can disable ASIC offloading using the following command:

    config system global
        set ipsec-asic-offload disable
    end

• By default, FortiGate offloads the Diffie-Hellman computation to hardware to accelerate IPsec traffic


Determine SPU information
• To check the NP model available on FortiGate:

    # diagnose hardware lspci | grep 1a29
    ...
    9b:00.0 Class 1000: Device 1a29:NPID

  (1a29 is the vendor ID for Fortinet)
  • If NPID is 4e36, it is NP6
  • If NPID is 4e37, it is NP7
• To determine the CP model available on FortiGate:

    # get hardware status
    Model name: FortiGate-100D
    ASIC version: CP8
    ...

  (ASIC version represents the CP version available on FortiGate)
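When auditing a fleet it is useful to turn the two diagnostics above into an inventory rather than reading them by eye. The following is an added example (my own code, not a Fortinet tool) that parses captured output of `diagnose hardware lspci` and `get hardware status` in the form shown on the slide, using the vendor ID 1a29 and the NPID-to-model mapping the slide gives. The sample output is constructed, not captured from a device, and the line format assumed by the regular expression is the one the slide prints.

```python
import re

FORTINET_VENDOR_ID = "1a29"
NP_DEVICE_IDS = {"4e36": "NP6", "4e37": "NP7"}  # NPID values from the slide

# Matches lines of the form shown on the slide: "9b:00.0 Class 1000: Device 1a29:4e37"
LSPCI_RE = re.compile(
    r"^(?P<bdf>[0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f])\s+Class\s+(?P<cls>[0-9a-f]{4}):\s+"
    r"Device\s+(?P<vendor>[0-9a-f]{4}):(?P<device>[0-9a-f]{4})",
    re.IGNORECASE,
)

# Constructed sample output (not captured from a real FortiGate).
SAMPLE_LSPCI = """\
00:1f.0 Class 0601: Device 8086:a1c1
5e:00.0 Class 1000: Device 1a29:4e37
9b:00.0 Class 1000: Device 1a29:4e37
"""

SAMPLE_HW_STATUS = """\
Model name: FortiGate-100D
ASIC version: CP8
CPU: (constructed)
"""


def parse_np_inventory(lspci_output: str) -> dict:
    """Map NP model name to the number of Fortinet (1a29) PCI devices seen with that NPID."""
    counts = {}
    for line in lspci_output.splitlines():
        m = LSPCI_RE.match(line.strip())
        if not m or m["vendor"].lower() != FORTINET_VENDOR_ID:
            continue  # other vendors' devices, or lines in a different format, are ignored
        dev = m["device"].lower()
        # An NPID not on the slide is reported rather than silently dropped.
        model = NP_DEVICE_IDS.get(dev, "unknown-%s:%s" % (FORTINET_VENDOR_ID, dev))
        counts[model] = counts.get(model, 0) + 1
    return counts


def parse_cp_version(hw_status_output: str):
    """Return the 'ASIC version' value (the CP model) from get hardware status, or None if absent."""
    for line in hw_status_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "ASIC version":
            return value.strip() or None
    return None


if __name__ == "__main__":
    print("NP inventory:", parse_np_inventory(SAMPLE_LSPCI))
    print("CP version:", parse_cp_version(SAMPLE_HW_STATUS))
```

Because `parse_np_inventory` counts devices per model, it also gives the number of NP7 processors on the box, which is the figure needed when balancing sessions across NP7s as the sessions-limit slide recommends.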


Review
• Describe the architecture of hardware offload on FortiGate
• Explain the NP7, NP6, NTurbo, SoC4, and CP9 processors and their features
• Describe how traffic is offloaded from kernel to NP
• Describe the limitations of offloading the traffic
• Configure hardware acceleration