Hardware acceleration get and diagnose commands
This section describes some get and diagnose commands you can use to display useful information about the NP6 processors and the sessions processed by NP6 processors.
get hardware npu np6
You can use the get hardware npu np6 command to display information about the NP6 processors in your FortiGate and the sessions they are processing. This command contains a subset of the options available from the diagnose npu np6 command. The command syntax is:
get hardware npu np6 {dce <np6-id> | ipsec-stats | port-list | session-stats <np6-id> | sse-stats <np6-id> | synproxy-stats}
<np6-id> identifies the NP6 processor. 0 is np6_0, 1 is np6_1 and so on.
dce
show NP6 non-zero sub-engine drop counters for the selected NP6.
ipsec-stats
show overall NP6 IPsec offloading statistics.
port-list
show the mapping between the FortiGate's physical ports and its NP6 processors.
session-stats
show NP6 session offloading statistics counters for the selected NP6.
sse-stats
show hardware session statistics counters.
synproxy-stats
show overall NP6 synproxy statistics for TCP connections identified as being syn proxy DoS attacks.
diagnose npu np6
The diagnose npu np6 command displays extensive information about NP6 processors and the sessions that they are processing. Some of the information displayed can be useful for understanding the NP6 configuration, seeing how sessions are being processed and diagnosing problems. Some of the commands may only be useful for Fortinet software developers. The command syntax is:
diagnose npu np6 {options}
The following options are available:
fastpath {disable | enable} <np6-id>
enable or disable fastpath processing for a selected NP6.
dce
show NP6 non-zero sub-engine drop counters for the selected NP6.
dce-all
show all subengine drop counters.
anomaly-drop
show non-zero L3/L4 anomaly check drop counters.
anomaly-drop-all
show all L3/L4 anomaly check drop counters.
hrx-drop
show non-zero host interface drop counters.
hrx-drop-all
show all host interface drop counters.
session-stats
show session offloading statistics counters.
session-stats-clear
clear session offloading statistics counters.
sse-stats
show hardware session statistics counters.
sse-stats-clear
clear hardware session statistics counters.
pdq
show packet buffer queue counters.
xgmac-stats
show XGMAC MIBs counters.
xgmac-stats-clear
clear XGMAC MIBs counters.
port-list
show port list.
ipsec-stats
show IPsec offloading statistics.
ipsec-stats-clear
clear IPsec offloading statistics.
eeprom-read
read NP6 EEPROM.
npu-feature
show NPU feature and status.
register
show NP6 registers.
fortilink
configure fortilink.
synproxy-stats
show synproxy statistics.
Using diagnose npu np6 npu-feature to verify enabled NP6 features
You can use the diagnose npu np6 npu-feature command to see what NP6 features are enabled and which are not. The following command output shows the normal default NP6 configuration for most FortiGates. In this output all features are enabled except low latency features and GRE offloading. Low latency is only available on the FortiGate-3700D and DX models and GRE offloading will become available in a future FortiOS release. The following output is from a FortiGate-1500D:
diagnose npu np6 npu-feature
                    np_0      np_1
------------------- --------- ---------
Fastpath            Enabled   Enabled
Low-latency-mode    Disabled  Disabled
Low-latency-cap     No        No
IPv4 firewall       Yes       Yes
IPv6 firewall       Yes       Yes
IPv4 IPSec          Yes       Yes
IPv6 IPSec          Yes       Yes
IPv4 tunnel         Yes       Yes
IPv6 tunnel         Yes       Yes
GRE tunnel          No        No
IPv4 Multicast      Yes       Yes
IPv6 Multicast      Yes       Yes
CAPWAP              Yes       Yes
If you use the following command to disable fastpath for np_0:
config system np6
edit np6_0
set fastpath disable
end
The npu-feature command output shows this configuration change:
diagnose npu np6 npu-feature
                    np_0      np_1
------------------- --------- ---------
Fastpath            Disabled  Enabled
Low-latency-mode    Disabled  Disabled
Low-latency-cap     No        No
IPv4 firewall       Yes       Yes
IPv6 firewall       Yes       Yes
IPv4 IPSec          Yes       Yes
IPv6 IPSec          Yes       Yes
IPv4 tunnel         Yes       Yes
IPv6 tunnel         Yes       Yes
GRE tunnel          No        No
IPv4 Multicast      Yes       Yes
IPv6 Multicast      Yes       Yes
CAPWAP              Yes       Yes
Using the diagnose sys session/session6 list command
The diagnose sys session list and diagnose sys session6 list commands list all of the current IPv4 or IPv6 sessions being processed by the FortiGate. For each session the command output includes an npu info line that displays NPx offloading information for the session. If a session is not offloaded the command output includes a no_ofld_reason line that indicates why the session was not offloaded.
Displaying NP6 offloading information for a session
The npu info line of the diagnose sys session list command includes information about the offloaded session that indicates the type of processor and whether it's IPsec or regular traffic:
- offload=1/1 for NP1(FA1) sessions.
- offload=2/2 for NP1(FA2) sessions.
- offload=3/3 for NP2 sessions.
- offload=4/4 for NP4 sessions.
- offload=5/5 for XLR sessions.
- offload=6/6 for Nplite/NP4lite sessions.
- offload=7/7 for XLP sessions.
- offload=8/8 for NP6 sessions.
- flag 0x81 means regular traffic.
- flag 0x82 means IPsec traffic.
Example offloaded IPv4 NP6 session
The following session output by the diagnose sys session list command shows an offloaded session. The information in the npu info line shows this is a regular session (flag=0x81/0x81) that is offloaded by an NP6 processor (offload=8/8).
diagnose sys session list
session info: proto=6 proto_state=01 duration=4599 expire=2753 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu none log-start
statistic(bytes/packets/allow_err): org=1549/20/1 reply=1090/15/1 tuples=2
speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=15->17/17->15 gwy=172.20.121.2/5.5.5.33
hook=post dir=org act=snat 5.5.5.33:60656->91.190.218.66:12350(172.20.121.135:60656)
hook=pre dir=reply act=dnat 91.190.218.66:12350->172.20.121.135:60656(5.5.5.33:60656)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=98:90:96:af:89:b9
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00058b9c tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=0x000c00
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=140/138, ipid=138/140, vlan=0x0000/0x0000
vlifid=138/140, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=0/2
Example IPv4 session that is not offloaded
The following session, output by the diagnose sys session list command, includes the no_ofld_reason line that indicates that the session was not offloaded because it is a local-in session.
session info: proto=6 proto_state=01 duration=19 expire=3597 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=8/8
state=local may_dirty
statistic(bytes/packets/allow_err): org=6338/15/1 reply=7129/12/1 tuples=2
speed(Bps/kbps): 680/5
orgin->sink: org pre->in, reply out->post dev=15->50/50->15 gwy=5.5.5.5/0.0.0.0
hook=pre dir=org act=noop 5.5.5.33:60567->5.5.5.5:443(0.0.0.0:0)
hook=post dir=reply act=noop 5.5.5.5:443->5.5.5.33:60567(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=98:90:96:af:89:b9
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=000645d8 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=00000000
no_ofld_reason: local
Example IPv4 IPsec NP6 session
diagnose sys session list
session info: proto=6 proto_state=01 duration=34 expire=3565 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/p1-vdom2
state=re may_dirty npu
statistic(bytes/packets/allow_err): org=112/2/1 reply=112/2/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=57->7/7->57 gwy=10.1.100.11/11.11.11.1
hook=pre dir=org act=noop 172.16.200.55:35254->10.1.100.11:80(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.100.11:80->172.16.200.55:35254(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=4
serial=00002d29 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
per_ip_bandwidth meter: addr=172.16.200.55, bps=260
npu_state=00000000
npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=1/3, ipid=3/1, vlan=32779/0
Example IPv6 NP6 session
diagnose sys session6 list
session6 info: proto=6 proto_state=01 duration=2 expire=3597 timeout=3600 flags=00000000 sockport=0 sockflag=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=may_dirty npu
statistic(bytes/packets/allow_err): org=152/2/0 reply=152/2/0 tuples=2
speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=13->14/14->13
hook=pre dir=org act=noop 2000:172:16:200::55:59145 ->2000:10:1:100::11:80(:::0)
hook=post dir=reply act=noop 2000:10:1:100::11:80 ->2000:172:16:200::55:59145(:::0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0000027a
npu_state=0x000c00
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=137/136, ipid=136/137, vlan=0/0
Example NAT46 NP6 session
diagnose sys session list
session info: proto=6 proto_state=01 duration=19 expire=3580 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=npu nlb
statistic(bytes/packets/allow_err): org=112/2/1 reply=112/2/1 tuples=2
speed(Bps/kbps): 0/0
orgin->sink: org nataf->post, reply pre->org dev=52->14/14->52 gwy=0.0.0.0/10.1.100.1
hook=5 dir=org act=noop 10.1.100.1:21937->10.1.100.11:80(0.0.0.0:0)
hook=6 dir=reply act=noop 10.1.100.11:80->10.1.100.1:21937(0.0.0.0:0)
hook=pre dir=org act=noop 2000:172:16:200::55:33945 ->64:ff9b::a01:640b:80(:::0)
hook=post dir=reply act=noop 64:ff9b::a01:640b:80 ->2000:172:16:200::55:33945(:::0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=04051aae tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
npu_state=00000000
npu info: flag=0x81/0x00, offload=0/8, ips_offload=0/0, epid=0/136, ipid=0/137, vlan=0/0
Example NAT64 NP6 session
diagnose sys session6 list
session6 info: proto=6 proto_state=01 duration=36 expire=3563 timeout=3600 flags=00000000 sockport=0 sockflag=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=may_dirty npu nlb
statistic(bytes/packets/allow_err): org=72/1/0 reply=152/2/0 tuples=2
speed(Bps/kbps): 0/0
orgin->sink: org pre->org, reply nataf->post dev=13->14/14->13
hook=pre dir=org act=noop 2000:172:16:200::55:33945 ->64:ff9b::a01:640b:80(:::0)
hook=post dir=reply act=noop 64:ff9b::a01:640b:80 ->2000:172:16:200::55:33945(:::0)
hook=5 dir=org act=noop 10.1.100.1:21937->10.1.100.11:80(0.0.0.0:0)
hook=6 dir=reply act=noop 10.1.100.11:80->10.1.100.1:21937(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0000027b
npu_state=00000000
npu info: flag=0x00/0x81, offload=8/0, ips_offload=0/0, epid=137/0, ipid=136/0, vlan=0/0
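The following is an added example, not Fortinet code: a small parser that reads saved diagnose sys session list or session6 list output and reports, for each session, the processor type and traffic type taken from the npu info line, or the no_ofld_reason when the session is not offloaded. The function and variable names are hypothetical, and the sample input is constructed from the session examples above, cut down to the fields the parser reads.

```python
import re

# Offload codes and flag values exactly as listed on this page.
OFFLOAD = {1: "NP1(FA1)", 2: "NP1(FA2)", 3: "NP2", 4: "NP4",
           5: "XLR", 6: "Nplite/NP4lite", 7: "XLP", 8: "NP6"}
FLAG = {0x81: "regular", 0x82: "IPsec"}

START = re.compile(r"^session6? info:", re.M)
NPU = re.compile(r"npu info: flag=0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+), "
                 r"offload=(\d+)/(\d+)")
REASON = re.compile(r"no_ofld_reason:[ \t]*(\S.*)")
SERIAL = re.compile(r"\bserial=([0-9a-fA-F]+)")

def classify_sessions(text):
    """Return one dict per session in `diagnose sys session list` output."""
    starts = [m.start() for m in START.finditer(text)]
    results = []
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        block = text[begin:end]
        serial = SERIAL.search(block)
        entry = {"serial": serial.group(1) if serial else None,
                 "halves": [None, None], "no_ofld_reason": None}
        npu = NPU.search(block)
        if npu:
            flags = [int(npu.group(i), 16) for i in (1, 2)]
            codes = [int(npu.group(i)) for i in (3, 4)]
            # Pairs (x/y) are not named on the page: report each half; 0 = none.
            for i, (flag, code) in enumerate(zip(flags, codes)):
                if code:
                    entry["halves"][i] = (OFFLOAD.get(code, "unknown"),
                                          FLAG.get(flag, "unknown"))
        reason = REASON.search(block)
        if reason:
            entry["no_ofld_reason"] = reason.group(1).strip()
        results.append(entry)
    return results


# Constructed sample: the page's session examples cut down to the fields used.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=4599 expire=2753 timeout=3600
serial=00058b9c tos=ff/ff npu_state=0x000c00
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=140/138
session info: proto=6 proto_state=01 duration=19 expire=3597 timeout=3600
serial=000645d8 tos=ff/ff npu_state=00000000
no_ofld_reason:  local
session info: proto=6 proto_state=01 duration=34 expire=3565 timeout=3600
serial=00002d29 tos=ff/ff npu_state=00000000
npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=1/3
session info: proto=6 proto_state=01 duration=19 expire=3580 timeout=3600
serial=04051aae tos=ff/ff npu_state=00000000
npu info: flag=0x81/0x00, offload=0/8, ips_offload=0/0, epid=0/136
"""
print(*classify_sessions(SAMPLE), sep="\n")
```

The NAT46 sample shows why the two halves are kept apart: only one half carries offload=8, and its flag value (0x00) is not one of the two values the list above explains, so it is reported as unknown rather than guessed.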
diagnose npu np6 session-stats <np6-id> (number of NP6 IPv4 and IPv6 sessions)
You can use the diagnose npu np6 port-list command to list the NP6-ids and the interfaces that each NP6 is connected to. The <np6-id> of np6_0 is 0, the <np6-id> of np6_1 is 1 and so on. The diagnose npu np6 session-stats <np6-id> command output includes the following headings:
- ins44 installed IPv4 sessions
- ins46 installed NAT46 sessions
- del4 deleted IPv4 and NAT46 sessions
- ins64 installed NAT64 sessions
- ins66 installed IPv6 sessions
- del6 deleted IPv6 and NAT64 sessions
- e is the error counter for each session type
diagnose npu np6 session-stats 0
qid    ins44      ins46      del4       ins64      ins66      del6
       ins44_e    ins46_e    del4_e     ins64_e    ins66_e    del6_e
---------------- ---------- ---------- ---------- ---------- ----------
0      94         0          44         0          40         30
       0          0          0          0          0          0
1      84         0          32         0          30         28
       0          0          0          0          0          0
2      90         0          42         0          40         30
       0          0          0          0          0          0
3      86         0          32         0          24         27
       0          0          0          0          0          0
4      72         0          34         0          34         28
       0          0          0          0          0          0
5      86         0          30         0          28         32
       0          0          0          0          0          0
6      82         0          38         0          32         34
       0          0          0          0          0          0
7      86         0          30         0          30         30
       0          0          0          0          0          0
8      78         0          26         0          36         26
       0          0          0          0          0          0
9      86         0          34         0          32         32
       0          0          0          0          0          0
---------------- ---------- ---------- ---------- ---------- ----------
Total  844        0          342        0          326        297
       0          0          0          0          0          0
---------------- ---------- ---------- ---------- ---------- ----------
diagnose npu np6 ipsec-stats (NP6 IPsec statistics)
The command output includes IPv4, IPv6, and NAT46 IPsec information:
- spi_ses4 is the IPv4 counter
- spi_ses6 is the IPv6 counter
- 4to6_ses is the NAT46 counter
diagnose npu np6 ipsec-stats
vif_start_oid 03ed vif_end_oid 03fc
IPsec Virtual interface stats:
vif_get              00000000000   vif_get_expired      00000000000
vif_get_fail         00000000000   vif_get_invld        00000000000
vif_set              00000000000   vif_set_fail         00000000000
vif_clear            00000000000   vif_clear_fail       00000000000
np6_0:
sa_install           00000000000   sa_ins_fail          00000000000
sa_remove            00000000000   sa_del_fail          00000000000
4to6_ses_ins         00000000000   4to6_ses_ins_fail    00000000000
4to6_ses_del         00000000000   4to6_ses_del_fail    00000000000
spi_ses6_ins         00000000000   spi_ses6_ins_fail    00000000000
spi_ses6_del         00000000000   spi_ses6_del_fail    00000000000
spi_ses4_ins         00000000000   spi_ses4_ins_fail    00000000000
spi_ses4_del         00000000000   spi_ses4_del_fail    00000000000
sa_map_alloc_fail    00000000000   vif_alloc_fail       00000000000
sa_ins_null_adapter  00000000000   sa_del_null_adapter  00000000000
del_sa_mismatch      00000000000   ib_chk_null_adpt     00000000000
ib_chk_null_sa       00000000000   ob_chk_null_adpt     00000000000
ob_chk_null_sa       00000000000   rx_vif_miss          00000000000
rx_sa_miss           00000000000   rx_mark_miss         00000000000
waiting_ib_sa        00000000000   sa_mismatch          00000000000
msg_miss             00000000000
np6_1:
sa_install           00000000000   sa_ins_fail          00000000000
sa_remove            00000000000   sa_del_fail          00000000000
4to6_ses_ins         00000000000   4to6_ses_ins_fail    00000000000
4to6_ses_del         00000000000   4to6_ses_del_fail    00000000000
spi_ses6_ins         00000000000   spi_ses6_ins_fail    00000000000
spi_ses6_del         00000000000   spi_ses6_del_fail    00000000000
spi_ses4_ins         00000000000   spi_ses4_ins_fail    00000000000
spi_ses4_del         00000000000   spi_ses4_del_fail    00000000000
sa_map_alloc_fail    00000000000   vif_alloc_fail       00000000000
sa_ins_null_adapter  00000000000   sa_del_null_adapter  00000000000
del_sa_mismatch      00000000000   ib_chk_null_adpt     00000000000
ib_chk_null_sa       00000000000   ob_chk_null_adpt     00000000000
ob_chk_null_sa       00000000000   rx_vif_miss          00000000000
rx_sa_miss           00000000000   rx_mark_miss         00000000000
waiting_ib_sa        00000000000   sa_mismatch          00000000000
msg_miss             00000000000
diagnose sys mcast-session/session6 list (IPv4 and IPv6 multicast sessions)
This command lists all IPv4 or IPv6 multicast sessions. If a multicast session can be offloaded, the output includes the offloadable tag. If the multicast path can be offloaded one of the paths in the command output is tagged as offloaded.
The only way to determine the number of offloaded multicast sessions is to use the diagnose sys mcast-session/session6 list command and count the number of sessions with the offload tag.
diagnose sys mcast-session list
session info: id=3 vf=0 proto=17 172.16.200.55.51108->239.1.1.1.7878
used=2 path=11 duration=1 expire=178 indev=6 pkts=2 state:2cpu offloadable
npu-info in-pid=0 vifid=0 in-vtag=0 npuid=0 queue=0 tae=0
path: 2cpu policy=1, outdev=2
out-vtag=0
path: 2cpu policy=1, outdev=3
out-vtag=0
path: offloaded policy=1, outdev=7
out-vtag=0
path: policy=1, outdev=8
out-vtag=0
path: policy=1, outdev=9
out-vtag=0
path: policy=1, outdev=10
out-vtag=0
path: policy=1, outdev=11
out-vtag=0
path: policy=1, outdev=12
out-vtag=0
path: policy=1, outdev=13
out-vtag=0
path: 2cpu policy=1, outdev=64
out-vtag=0
path: 2cpu policy=1, outdev=68
out-vtag=0
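The counting step described above can be scripted. This is an added example, not Fortinet code: it parses saved diagnose sys mcast-session list output in the IPv4 format shown on this page, tallies each session's paths by tag, and counts the sessions that have at least one path tagged offloaded. The function names are hypothetical; the first sample session is abridged from the output above and the second is constructed.

```python
import re

PATH_TAG = re.compile(r"^path:\s*(.*?)\s*policy=")


def summarize_mcast(text):
    """Parse `diagnose sys mcast-session list` text into per-session tallies."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            sid = re.search(r"\bid=(\d+)", line)
            cur = {"id": int(sid.group(1)) if sid else None,
                   "offloadable": False,
                   "paths": {"offloaded": 0, "2cpu": 0, "untagged": 0}}
            sessions.append(cur)
        elif cur is None:
            continue  # text before the first session header
        elif line.startswith("path:"):
            m = PATH_TAG.match(line)
            # A path line with nothing between "path:" and "policy=" has no tag.
            tag = m.group(1) if m and m.group(1) else "untagged"
            cur["paths"][tag] = cur["paths"].get(tag, 0) + 1
        elif "offloadable" in line.split():
            cur["offloadable"] = True
    return sessions


def count_offloaded(sessions):
    """Number of sessions with at least one path tagged `offloaded`."""
    return sum(1 for s in sessions if s["paths"]["offloaded"] > 0)


# Constructed sample: session id=3 is abridged from the page's output,
# session id=4 is made up to show a session with no offloaded path.
SAMPLE = """\
session info: id=3 vf=0 proto=17 172.16.200.55.51108->239.1.1.1.7878
used=2 path=11 duration=1 expire=178 indev=6 pkts=2 state:2cpu offloadable
npu-info in-pid=0 vifid=0 in-vtag=0 npuid=0 queue=0 tae=0
path: 2cpu policy=1, outdev=2
out-vtag=0
path: offloaded policy=1, outdev=7
out-vtag=0
path: policy=1, outdev=8
out-vtag=0
session info: id=4 vf=0 proto=17 172.16.200.56.40000->239.1.1.2.7878
used=2 path=1 duration=5 expire=170 indev=6 pkts=9 state:2cpu
path: 2cpu policy=1, outdev=2
out-vtag=0
"""

if __name__ == "__main__":
    parsed = summarize_mcast(SAMPLE)
    print(parsed)
    print("sessions with an offloaded path:", count_offloaded(parsed))
```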
diagnose npu np6 sse-stats <np6-id> (number of NP6 sessions and dropped sessions)
This command displays the total number of inserted, deleted and purged sessions processed by a selected NP6 processor. The number of dropped sessions of each type can be determined by subtracting the number of successful sessions from the total number of sessions. For example, the total number of dropped insert sessions is insert-total - insert-success.
diagnose npu np6 sse-stats 0
Counters        SSE0            SSE1            Total
--------------- --------------- --------------- ---------------
active          0               0               0
insert-total    25              0               0
insert-success  25              0               0
delete-total    25              0               0
delete-success  25              0               0
purge-total     0               0               0
purge-success   0               0               0
search-total    40956           38049           79005
search-hit      37714           29867           67581
--------------- --------------- --------------- ---------------
pht-size        8421376         8421376
oft-size        8355840         8355840
oftfree         8355839         8355839
PBA             3001
diagnose npu np6 dce <np6-id> (number of dropped NP6 packets)
This command displays the number of dropped packets for the selected NP6 processor.
- IHP1_PKTCHK number of dropped IP packets
- IPSEC0_ENGINB0 number of dropped IPSec
- TPE_SHAPER number of dropped traffic shaper packets
diag npu np6 dce 1
IHP1_PKTCHK     :0000000000001833 [5b]
IPSEC0_ENGINB0  :0000000000000003 [80]
TPE_SHAPER      :0000000000000552 [94]
diagnose hardware deviceinfo nic <interface-name> (number of packets dropped by an interface)
This command displays a wide variety of statistics for FortiGate interfaces. The fields Host Rx dropped and Host Tx dropped display the number of received and transmitted packets that have been dropped.
diagnose hardware deviceinfo nic port2
...
============ Counters ===========
Rx Pkts         :20482043
Rx Bytes        :31047522516
Tx Pkts         :19000495
Tx Bytes        :1393316953
Host Rx Pkts    :27324
Host Rx Bytes   :1602755
Host Rx dropped :0
Host Tx Pkts    :8741
Host Tx Bytes   :5731300
Host Tx dropped :0
sw_rx_pkts      :20482043
sw_rx_bytes     :31047522516
sw_tx_pkts      :19000495
sw_tx_bytes     :1393316953
sw_np_rx_pkts   :19000495
sw_np_rx_bytes  :1469318933
sw_np_tx_pkts   :20482042
sw_np_tx_bytes  :31129450620
diagnose npu np6 synproxy-stats (NP6 SYN-proxied sessions and unacknowledged SYNs)
This command displays information about NP6 syn-proxy sessions including the total number of proxied sessions. As well, the Number of attacks, no ACK from client line shows the total number of unacknowledged SYNs.
diagnose npu np6 synproxy-stats
DoS SYN-Proxy:
Number of proxied TCP connections : 39277346
Number of working proxied TCP connections : 182860
Number of retired TCP connections : 39094486
Number of attacks, no ACK from client : 208