Hardware acceleration

This chapter describes new hardware acceleration features added to FortiOS 5.4.

Offload Diffie-Hellman processing for 3072- and 4096-bit Diffie-Hellman values (308040)

Server load balancing supports 3072- and 4096-bit DH values. The command syntax is:

config firewall vip
    edit server-name
        set type server-load-balance
        set server-type https
        set ssl-dh-bits {768 | 1024 | 1536 | 2048 | 3072 | 4096}
end

FortiGate models with CP9 processors support 3072- and 4096-bit DH sizes in hardware. All FortiGate models up to and including those with CP8 processors only support offloading DH bit sizes up to 2048, so any larger sizes are processed in software and are therefore relatively resource intensive.

NP6 diagnose commands and get command changes (288738)

You can use the get hardware npu np6 command to display information about the NP6 processors in your FortiGate and the sessions they are processing. This command contains a subset of the options available from the diagnose npu np6 command. The command syntax is:

get hardware npu np6 {dce <np6-id> | ipsec-stats | port-list | session-stats <np6-id> | sse-stats <np6-id> | synproxy-stats}

<np6-id> identifies the NP6 processor. 0 is np6_0, 1 is np6_1 and so on.

dce: show NP6 non-zero sub-engine drop counters for the selected NP6.

ipsec-stats: show overall NP6 IPsec offloading statistics.

port-list: show the mapping between the FortiGate's physical ports and its NP6 processors.

session-stats: show NP6 session offloading statistics counters for the selected NP6.

sse-stats: show hardware session statistics counters.

synproxy-stats: show overall NP6 synproxy statistics for TCP connections identified as being syn proxy DoS attacks.

NP6 session accounting enabled when traffic logging is enabled in a firewall policy (268426)

By default, on a FortiGate unit with NP6 processors, when you enable traffic logging in a firewall policy this also enables NP6 per-session accounting. If you disable traffic logging this also disables NP6 per-session accounting. This behavior can be changed using the following command:

config system np6
    edit np6_0
        set per-session-accounting {disable | all-enable | enable-by-log}
end

By default, per-session-accounting is set to enable-by-log, which results in per-session accounting being turned on when you enable traffic logging in a policy. You can disable per-session accounting or set all-enable to enable per-session accounting whether or not traffic logging is enabled. Note that this configuration is set separately for each NP6 processor.

When offloaded sessions appear on the FortiView All Sessions console they include an icon identifying them as NP sessions.

You can hover over the NP icon to see some information about the offloaded sessions.

Determining why a session is not offloaded (245447)

You can use the diagnose sys session list command to get information about why a session has not been offloaded to an NP4 or NP6 processor.

If a session has not been offloaded the session information displayed by the command includes no_ofld_reason followed by information to help you determine the cause. To take a simple example, an HTTPS session connecting to the GUI could have a field similar to no_ofld_reason: local. This means the session is a local session that is not offloaded.

The no_ofld_reason field only appears if the session is not offloaded, and it lists one or more reasons to help determine why. For example,

no_ofld_reason: redir-to-av redir-to-ips non-npu-intf

indicates that the session is not offloaded because it was redirected to virus scanning (redir-to-av), to IPS (redir-to-ips), and because it arrived on a non-NPU interface (non-npu-intf).
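When a busy FortiGate has many sessions, reading no_ofld_reason lines one by one is slow. The following script, added here as an example and not part of the FortiOS documentation, parses saved `diagnose sys session list` output, records the no_ofld_reason tokens for each session, and tallies how often each reason appears. The sample output is constructed and simplified to the session-header, hook and no_ofld_reason lines the parser needs; real output carries many more fields per session.

```python
"""Summarise why sessions were not offloaded, from saved
`diagnose sys session list` output (example, not Fortinet code)."""
import re
from collections import Counter

# Constructed, simplified sample of `diagnose sys session list` output.
# Sessions 1 and 2 carry a no_ofld_reason line; session 3 is offloaded,
# so the field is absent (as the page describes).
SAMPLE_OUTPUT = """\
session info: proto=6 proto_state=01 duration=12 expire=3587 timeout=3600
hook=pre dir=org act=noop 10.0.1.20:51234->10.0.2.5:443(0.0.0.0:0)
no_ofld_reason: redir-to-av redir-to-ips non-npu-intf
session info: proto=6 proto_state=01 duration=40 expire=3560 timeout=3600
hook=pre dir=org act=noop 10.0.1.7:40022->10.0.1.1:443(0.0.0.0:0)
no_ofld_reason: local
session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600
hook=pre dir=org act=noop 10.0.1.9:33011->10.0.3.4:22(0.0.0.0:0)
total session 3
"""

SESSION_HEADER = "session info:"
TUPLE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")
REASON_RE = re.compile(r"^no_ofld_reason:\s*(.*)$")


def parse_sessions(text):
    """Return one dict per session: its first 5-tuple and no_ofld_reason tokens."""
    sessions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(SESSION_HEADER):
            current = {"tuple": None, "reasons": []}
            sessions.append(current)
            continue
        if current is None or line.startswith("total session"):
            continue
        m = TUPLE_RE.search(line)
        if m and line.startswith("hook=") and current["tuple"] is None:
            current["tuple"] = f"{m[1]}:{m[2]}->{m[3]}:{m[4]}"
        m = REASON_RE.match(line)
        if m:  # tokens are space-separated, e.g. "redir-to-av redir-to-ips"
            current["reasons"] = m[1].split()
    return sessions


def not_offloaded(sessions):
    """Sessions that carry at least one no_ofld_reason token."""
    return [s for s in sessions if s["reasons"]]


def reason_counts(sessions):
    """How many non-offloaded sessions cite each reason."""
    return Counter(r for s in sessions for r in s["reasons"])
```

Feed it the saved output of the command (for example via `parse_sessions(open("sessions.txt").read())`) and print `reason_counts(...)` to see which reason dominates before changing policy features or interface assignments.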

IPsec pass-through traffic is now offloaded to NP6 processors (253221)

IPsec traffic that passes through a FortiGate without being decrypted is now offloaded to NP6 processors.

Disabling offloading IPsec Diffie-Hellman key exchange (269555)

By default, ASIC offloading is used to accelerate the IPsec Diffie-Hellman key exchange for IPsec ESP traffic. For debugging or other reasons you may want this function to be processed in software instead.

Use the following command to disable ASIC offloading for the IPsec Diffie-Hellman key exchange:

config system global
    set ipsec-asic-offload disable
end

FortiGate-3700DX TP2 processors support GTP offloading (294212)

The FortiGate-3700DX contains two TP2 processors that provide GTP offloading. GTPu traffic is forwarded from NP6 processors to TP2 processors. The TP2 processors filter the encapsulated traffic and send the approved GTPu traffic back to the NP6.

Preventing packet ordering problems with NP4 and NP6 FortiGates under heavy load (365497)

In some cases, when FortiGate units with NP4 or NP6 processors are under heavy load, the packets of the TCP 3-way handshake of some sessions may be transmitted by the FortiGate in the wrong order, causing those TCP sessions to fail.

If you notice TCP sessions failing when a FortiGate with NP4 or NP6 processors is very busy, you can enable delay-tcp-npu-session in the firewall policy receiving the traffic. This option resolves the problem by delaying the session so that all of the handshake packets have time to reach the destination before the session begins transmitting data.

config firewall policy
    edit <policy-id>
        set delay-tcp-npu-session enable
end