NP6 session fast path requirements
NP6 processors can offload the following traffic and services:
• IPv4 and IPv6 traffic and NAT64 and NAT46 traffic (as well as IPv4 and IPv6 versions of the following traffic types where appropriate)
• TCP, UDP, ICMP and SCTP traffic
• IPSec VPN traffic, and offloading of IPsec encryption/decryption (including SHA2-256 and SHA2-512)
• Anomaly-based intrusion prevention, checksum offload and packet defragmentation
• SIT and IPv6 Tunnelling sessions
• Multicast traffic (including Multicast over IPsec)
• CAPWAP and wireless bridge traffic tunnel encapsulation to enable line rate wireless forwarding from FortiAP devices
• Traffic shaping and priority queuing for both shared and per IP traffic shaping. An NP6 processor has 16 million queues for traffic shaping and statistics counting.
• Syn proxying
• Inter-VDOM link traffic
Sessions that are offloaded must be fast path ready. For a session to be fast path ready it must meet the following criteria:
• Layer 2 type/length must be 0x0800 for IPv4 or 0x86dd for IPv6 (IEEE 802.1q VLAN specification is supported)
• Link aggregation between any network interfaces sharing the same network processor(s) may be used (IEEE 802.3ad specification is supported)
• Layer 3 protocol can be IPv4 or IPv6
• Layer 4 protocol can be UDP, TCP, ICMP, or SCTP
• In most cases, Layer 3 / Layer 4 header or content modification sessions that require a session helper can be offloaded.
• Local host traffic (originated by the FortiGate unit) can be offloaded
• Application layer content modification is not supported (the firewall policy that accepts the session must not include virus scanning, web filtering, DLP, application control, IPS, email filtering, SSL/SSH inspection, VoIP or ICAP)
| If you disable anomaly checks by Intrusion Prevention (IPS), you can still enable hardware accelerated anomaly checks using the fp-anomaly field of the config system interface CLI command. See “Offloading NP pre-IPS anomaly detection”. |
If a session or is not fast path ready, the FortiGate unit will not send the session key or IPsec SA key to the NP6 processor. Without the session key, all session key lookup by a network processor for incoming packets of that session fails, causing all session packets to be sent to the FortiGate unit’s main processing resources, and processed at normal speeds.
If a session is fast path ready, the FortiGate unit will send the session key or IPsec SA key to the network processor. Session key or IPsec SA key lookups then succeed for subsequent packets from the known session or IPsec SA.