NP6 Acceleration
NP6 network processors provide fastpath acceleration by offloading communication sessions from the FortiGate CPU. When the first packet of a new session is received by an interface connected to an NP6 processor, the session is forwarded to the FortiGate CPU, just like a session received on any other FortiGate interface, and matched with a security policy. If the session is accepted by a security policy and can be offloaded, its session key is copied to the NP6 processor that received the packet. All remaining packets in the session are intercepted by the NP6 processor and fast-pathed out of the FortiGate unit to their destination without ever passing through the FortiGate CPU. The result is enhanced network performance provided by the NP6 processor, and the network processing load is removed from the CPU. In addition, the NP6 processor can handle some CPU-intensive tasks, such as IPsec VPN encryption/decryption.
Session keys (and IPsec SA keys) are stored in the memory of the NP6 processor connected to the interface that received the packet that started the session. All sessions are fast-pathed and accelerated, even if they exit the FortiGate unit through an interface connected to another NP6. There is no dependence on getting the right pair of interfaces, since the offloading is done by the receiving NP6. The key to making this possible is the Integrated Switch Fabric (ISF) that connects the NP6s and the FortiGate unit interfaces together. The ISF allows any-port connectivity: all ports and NP6s can communicate with each other over the ISF.
There are no special ingress and egress fast path requirements as long as traffic enters and exits on interfaces connected to the same ISF as the NP6 processors. All FortiGate models with NP6 processors connect all interfaces and NP6 processors to the same ISF (except management interfaces), so this should never be a problem.
There are at least two limitations to keep in mind:
The capacity of each NP6 processor. An individual NP6 processor can support between 10 and 16 million sessions. This number is limited by the amount of memory the processor has. Once an NP6 processor hits its session limit, sessions that are over the limit are sent to the CPU. You can avoid this problem by distributing incoming sessions as evenly as possible among the NP6 processors. To do this, you need to know which interfaces connect to which NP6 processors and distribute incoming traffic accordingly.
Some FortiGate units may use some NP6 processors for special functions. For example, ports 25 to 32 of the FortiGate-3700D can be used for low latency offloading. See “FortiGate-3700D fast path architecture” for more information.
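The first limitation above can be checked with a short planning script. This is an added example, not Fortinet code: it attributes each flow to the NP6 behind its ingress port, reports how many sessions exceed the per-NP6 limit and fall back to the CPU, and shows the effect of moving one ingress port. The port-to-NP6 mapping, NP6 names and flow counts are constructed for illustration; use the mapping for your own model.

```python
from collections import defaultdict

# Constructed port-to-NP6 mapping for a hypothetical unit with two NP6s.
PORT_TO_NP6 = {
    "port1": "np6_0", "port2": "np6_0", "port3": "np6_0", "port4": "np6_0",
    "port5": "np6_1", "port6": "np6_1", "port7": "np6_1", "port8": "np6_1",
}

# Low end of the 10 to 16 million sessions per NP6 stated in the text.
NP6_SESSION_LIMIT = 10_000_000

# Constructed sample: (ingress port, egress port, concurrent sessions).
SAMPLE_FLOWS = [
    ("port1", "port5", 6_500_000),
    ("port2", "port8", 5_000_000),
    ("port5", "port1", 1_200_000),
    ("port7", "port3", 800_000),
]


def np6_load(flows, port_map=PORT_TO_NP6):
    """Sum sessions per NP6. Only the ingress port counts: the receiving
    NP6 holds the session key, whichever port the traffic leaves through."""
    load = defaultdict(int, {np6: 0 for np6 in port_map.values()})
    for ingress, _egress, sessions in flows:
        if ingress not in port_map:
            raise ValueError(f"{ingress} is not mapped to an NP6")
        load[port_map[ingress]] += sessions
    return dict(load)


def report(flows, limit=NP6_SESSION_LIMIT, port_map=PORT_TO_NP6):
    """Per NP6: session count, sessions over the limit (these go to the
    CPU), and remaining headroom."""
    return {
        np6: {"sessions": n, "to_cpu": max(0, n - limit),
              "headroom": max(0, limit - n)}
        for np6, n in sorted(np6_load(flows, port_map).items())
    }


def move_ingress(flows, old_port, new_port):
    """Model re-cabling: traffic that entered on old_port enters on new_port."""
    return [(new_port if i == old_port else i, e, n) for i, e, n in flows]


if __name__ == "__main__":
    print(report(SAMPLE_FLOWS))
    print(report(move_ingress(SAMPLE_FLOWS, "port2", "port6")))
```

With the sample data, np6_0 is 1.5 million sessions over the limit while np6_1 has 8 million sessions of headroom; moving the port2 traffic to port6 puts both processors under the limit.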
This chapter contains the following topics:
NP6 session fast path requirements
Viewing your FortiGate NP6 processor configuration
Increasing NP6 offloading capacity using link aggregation groups (LAGs)
Configuring Inter-VDOM link acceleration with NP6 processors