Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Markus_M
Staff
Staff

Created on ‎09-02-2019 07:29 AM Edited on ‎09-17-2023 08:28 PM By Community Manager

Article Id 196337

Technical Tip: Interface not supported by NPU Offload

Description


This article explains limitations of the NP processor.

Certain interfaces are unable to support NP offloading.

These limits apply to virtual/software interfaces that are presented here below.

 

Scope

 

FortiGate

Loopback interface.

A loopback interface is a logical interface that is always up (no physical link dependency).
It is widely used to form a BGP setup with neighbors and is used as an IPsec VPN tunnel interface.

Since the interface is a software interface, it will not permit offloading to network processors.

Example of Loopback interface.

 

config system interface
    edit "Lo1"
        set vdom "root"
        set ip 192.168.1.33 255.255.255.255
        set allowaccess ping
        set type loopback
        set snmp-index 50
    next
end

 

Note:

For devices with NP7, running on FortiOS 7.0.6 and 7.2.1 and above, hardware acceleration is supported on Loopback interfaces.

Refer to the below KB article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Information-about-IPsec-on-loopback-interf...

 

 

Software switch.

Software switches are supported in certain models of FortiGate.
All of the interfaces in this virtual switch act like interfaces in a hardware switch.
In that, it has the same IP address and can be connected to the same network.

The FortiGate CPU is used to maintain the mac-port table, hence traffic would not be handled by network processors

Example of software switch interface.

 
 

config system switch-interface
    edit <interface>
        set vdom <vdom>
        set member <interface_list>
        set type switch
    next
end

 

PPPoE Interface.

PPPoE is commonly used to connect to the provider edge.
It is handled by a PPP software process and connections are terminated in virtual interfaces where traffic is not able to be handled by hardware acceleration.

Example of PPPoE interface.

 

config system interface
    edit "wan1"
        set vdom "root"
        set mode pppoe
        set allowaccess ping
        set type physical
        set scan-botnet-connections block
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-mode dhcp
        end
        set username "user@abc.com"
         set dns-server-override disable
    next


Solution


Use physical or VLAN interfaces that bind to fixed ports in order for traffic offloading to NP (network processors).

Related link concerning NP6 and NP6 lite acceleration:
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-hardware-acceleration/NP6.htm?Highli...

Labels:
12426
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.