NP4 session fast path requirements

Chapter 8 Hardware Acceleration : NP4 Acceleration : Configuring NP4 traffic offloading : NP4 session fast path requirements

Sessions must be fast path ready. Fast path ready session characteristics are:

• Layer 2 type/length must be 0x0800 (IEEE 802.1q VLAN specification is supported); link aggregation between any network interfaces sharing the same network processor(s) may be used (IEEE 802.3ad specification is supported)

• Layer 3 protocol must be IPv4

• Layer 4 protocol must be UDP, TCP or ICMP

• Layer 3 / Layer 4 header or content modification must not require a session helper (for example, SNAT, DNAT, and TTL reduction are supported, but application layer content modification is not supported)

• Firewall policies must not include proxy-based or flow-based security features (antivirus, web filtering, email filtering, IPS, application control, or DLP)

• Origin must not be local host (the FortiGate unit)


	If you disable anomaly checks by Intrusion Prevention (IPS), you can still enable hardware accelerated anomaly checks using the fp-anomaly field of the config system interface CLI command. See “Offloading NP pre-IPS anomaly detection”.

If a session is not fast path ready, the FortiGate unit will not send the session key to the network processor(s). Without the session key, all session key lookup by a network processor for incoming packets of that session fails, causing all session packets to be sent to the FortiGate unit’s main processing resources, and processed at normal speeds.

If a session is fast path ready, the FortiGate unit will send the session key to the network processor(s). Session key lookup then succeeds for subsequent packets from the known session.