Hardware acceleration

This document describes the Security Processing Unit (SPU) hardware that Fortinet builds into FortiGate devices to accelerate traffic through FortiGate units. Three types of SPUs are described:

  • Content processors (CPs) that accelerate a wide range of security functions
  • Security processors (SPs) that accelerate specific security functions
  • Network processors (NPs and NPLites) that offload network traffic to specialized hardware that is optimized to provide high levels of network throughput.

This FortiOS Handbook chapter contains the following sections:

Hardware acceleration overview describes the capabilities of FortiGate content processors (CPs), security processors (SPs) and network processors (NPs). This chapter also describes how to determine the hardware acceleration components installed in your FortiGate unit and contains some configuration details and examples.

NP6 and NP6lite Acceleration describes the FortiGate NP6 network processor.

FortiGate NP6 architectures contains details about the network processing architectures of FortiGate units that contain NP6 processors.

FortiGate NP6lite architectures contains details about the network processing architectures of FortiGate units that contain NP6Lite processors.

NP4 and NP4Lite Acceleration describes the FortiGate NP4 network processor.

FortiGate NP4 architectures contains details about the network processing architectures of FortiGate units that contain NP4 processors.

Whats New in Hardware Acceleration for FortiOS 5.6

The following new hardware acceleration feature has been added to FortiOS 5.6.4.

Bandwidth control between the ISF and NP6 XAUI ports (437911)

In some cases, the Internal Switch Fabric (ISF) buffer size may be larger than the buffer size of an NP6 XAUI port that receives traffic from the ISF. If this happens, burst traffic from the ISF may exceed the capacity of an XAUI port and sessions may be dropped.

You can use the following command to configure bandwidth control between the ISF and XAUI ports. Enabling bandwidth control can smooth burst traffic and keep the XAUI ports from getting overwhelmed and dropping sessions.

Use the following command to enable bandwidth control:

config system npu

set sw-np-bandwidth {0G | 2G | 4G | 5G | 6G}

end

The default setting is 0G which means no bandwidth control. The other options limit the bandwidth to 2Gbps, 4Gbps and so on.

SNMP/CLI monitoring capabilities of NP6 session table and session drift (441532)

In some cases sessions processed by NP6 processors may fail to be deleted leading to a large number of idle sessions. This is called session drift. New monitoring capabilities have been added to allow you to use SNMP to be alerted when the number of idle sessions becomes high. The SNMP fields allow you to see which NP6 processor has the abnormal number of idle sessions and you can use a diagnose command to delete them.

You can use the following diagnose command to determine of drift is occurring:

diagnose npu np6 sse-drift-summary 
NPU   drv-drift 
----- --------- 
np6_0 0         
np6_1 0         
----- --------- 
Sum   0       
----- ---------

The command output shows a drift summary for all the NP6 processors in the system, and shows the total drift. Normally the sum is 0. The previous command output, from a FortiGate-1500D, shows that the 1500D's two NP6 processors are not experiencing any drift.

If the sum is not zero, then extra idle sessions may be accumulating. You can use the following command to delete those sessions:

diagnose npu np6 sse-purge-drift <np6_id> [<time>]

Where <np6_id> is the number (starting with NP6_0 with a np6_id of 0) of the NP6 processor for which to delete idle sessions. <time> is the age in seconds of the idle sessions to be deleted. All idle sessions this age and older are deleted. The default time is 300 seconds.

The diagnose npu np6 sse-stats <np6_id> command output also includes a drv-drift field that shows the total drift for one NP6 processor.

For SNMP monitoring, the following MIB fields have been added. These fields allow you to use SNMP to monitor more session table information for NP6 processors including drift for each NP6 processor.

FORTINET-FORTIGATE-MIB::fgNPUNumber.0 = INTEGER: 2

FORTINET-FORTIGATE-MIB::fgNPUName.0 = STRING: NP6

FORTINET-FORTIGATE-MIB::fgNPUDrvDriftSum.0 = INTEGER: 0

FORTINET-FORTIGATE-MIB::fgNPUIndex.0 = INTEGER: 0

FORTINET-FORTIGATE-MIB::fgNPUIndex.1 = INTEGER: 1

FORTINET-FORTIGATE-MIB::fgNPUSessionTblSize.0 = Gauge32: 33554432

FORTINET-FORTIGATE-MIB::fgNPUSessionTblSize.1 = Gauge32: 33554432

FORTINET-FORTIGATE-MIB::fgNPUSessionCount.0 = Gauge32: 0

FORTINET-FORTIGATE-MIB::fgNPUSessionCount.1 = Gauge32: 0

FORTINET-FORTIGATE-MIB::fgNPUDrvDrift.0 = INTEGER: 0

FORTINET-FORTIGATE-MIB::fgNPUDrvDrift.1 = INTEGER: 0

NP6 Host Protection Engine (HPE) adds protection for DDoS attacks (363398)

NP6 processors now include HPE functionality that can protect networks from DoS attacks by categorizing incoming packets based on packet rate and processing cost and applying packet shaping to packets that can cause DoS attacks. You can use the options in the following CLI command to limit the number packets per second received for various packet types by each NP6 processor. This rate limiting is applied very efficiently because it is done in hardware by the NP6 processor.

HPE protection is disable by default. You can use the following command to enable HPE protection for the NP6_0 NP6 processor:

config system np6

edit np6_0

config hpe

set enable-shaper enable

end

HPE can be enabled and configured separately for each NP6 processor. When enabled, the default configuration is designed to provide basic DoS protection. You can use the following command to adjust the HPE settings in real time if you network is experiencing an attack. For example, the following command allows you to configure HPE settings for np6_0.

config system np6

edit np6_0

config hpe

set tcpsyn-max

set tcp-max

set udp-max

set icmp-max

set sctp-max

set esp-max

set ip-frag-max

set ip-others-max

set arp-max

set l2-others-max

set enable-shaper {disable | enable}

end

Where:

tcpsyn-max applies shaping based on the maximum number of TCP SYN packets received per second. The range is 10,000 to 4,000,000,000 pps. The default limits the number of packets per second to 5,000,000 pps.

tcp-max applies shaping based on the maximum number of TCP packets received. The range is 10,000 to 4,000,000,000 pps. The default is 5,000,000 pps.

udp-max applies shaping based on the maximum number of UDP packets received. The range is 10,000 to 4,000,000,000 pps. The default is 5,000,000 pps.

icmp-max applies shaping based on the maximum number of ICMP packets received. The range is 10,000 to 4,000,000,000 pps. The default is 1,000,000 pps.

sctp-max applies shaping based on the maximum number of SCTP packets received. The range is 10,000 to 4,000,000,000 pps. The default is 100,000 pps.

esp-max NPU HPE shaping based on the maximum number of IPsec ESP packets received. The range is 10,000 to 4,000,000,000 pps. The default is 100,000 pps.

ip-frag-max applies shaping based on the maximum number of fragmented IP packets received. The range is 10,000 to 4,000,000,000 pps. The default is 100,000 pps.

ip-others-max applies shaping based on the maximum number of other IP packets received. The range is 10,000 to 4,000,000,000 pps. The default is 100,000 pps.

arp-max applies shaping based on the maximum number of ARP packets received. The range is 10,000 to 4,000,000,000 pps. The default is 1,000,000 pps.

l2-others-max applies shaping based on the maximum number of other layer 2 packets received. The range is 10,000 to 4,000,000,000 pps. The default is 100,000 pps.

 

Improved visibility of SPU and nTurbo hardware acceleration (389711)

All hardware acceleration hardware has been renamed Security Processing Units (SPUs). This includes NPx and CPx processors.

SPU and nTurbo data is now visible in a number of places on the GUI. For example, the Active Sessions column pop-up in the firewall policy list and the Sessions dashboard widget.

The following example shows the Sessions dashboard widget tracking SPU and nTurbo sessions. Current sessions shows the total number of sessions, SPU shows the percentage of these sessions that are SPU sessions and Nturbo shows the percentage that are nTurbo sessions.

You can also add SPU filters to many FortiView pages.

NP4Lite option to disable offloading ICMP traffic in IPsec tunnels (383939)

In some cases ICMP traffic in IPsec VPN tunnels may be dropped by the NP4Lite processor due to a bug with the NP4Lite firmware. You can use the following command to avoid this problem by preventing the NP4Lite processor from offloading ICMP sessions in IPsec VPN tunnels. This command is only available on FortiGate models with NP4Lite processors, such as the FortiGate/FortiWiFi-60D.

config system npu

set process-icmp-by-host {disable | enable}

end

The option is disabled by default an all ICMP traffic in IPsec VPN tunnels is offloaded where possible. If you are noticing that ICMP packets in IPsec VPN tunnels are being dropped you can disable this option and have all ICMP traffic processed by the CPU and not offloaded to the NP4Lite.

NP6 IPv4 invalid checksum anomaly checking (387675)

The following new options have been added to NP6 processors to check for IPv4 checksum errors in IPv4, TCP, UDP, and ICMP packets.

config system np6

edit {np6_0 | np6_1| ...}

config fp-anomaly

set ipv4-csum-err {drop | trap-to-host}

set tcp-csum-err {drop | trap-to-host}

set udp-csum-err {drop | trap-to-host}

set icmp-csum-err {drop | trap-to-host}

end

You can use the new options to either drop packets with checksum errors (the default) or send them to the CPU for processing. Normally you would want to drop these packets.

As well, note that when configuring NP6 anomaly protection, the separate options config fp-anomaly-v4 and config fp-anomaly-v6 have been combined under config fp-anomaly.

Stripping clear text padding and IPsec session ESP padding (416950)

In some situations, when clear text or ESP packets in IPsec sessions may have large amounts of layer 2 padding, the NP6 IPsec engine may not be able to process them and the session may be blocked.

If you notice dropped IPsec sessions, you could try using the following CLI options to cause the NP6 processor to strip clear text padding and ESP padding before sending the packets to the IPsec engine. With padding stripped, the session can be processed normally by the IPsec engine.

Use the following command to strip ESP padding:

config system npu

set strip-esp-padding enable

set strip-clear-text-padding enable

end

Stripping clear text and ESP padding are both disabled by default.

 

 

Optionally disable NP6 offloading of traffic passing between 10Gbps and 1Gbps interfaces (392436)

Due to NP6 internal packet buffer limitations, some offloaded packets received at a 10Gbps interface and destined for a 1Gbps interface can be dropped, reducing performance for TCP and IP tunnel traffic. If you experience this performance reduction, you can use the following command to disable offloading sessions passing from 10Gbps interfaces to 1Gbps interfaces:

config system npu

set host-shortcut-mode host-shortcut

end

Select host-shortcut to stop offloading TCP and IP tunnel packets passing from 10Gbps interfaces to 1Gbps interfaces. TCP and IP tunnel packets passing from 1Gbps interfaces to 10Gbps interfaces are still offloaded as normal.

If host-shortcut is set to the default bi-directional setting, packets in both directions are offloaded.