sgiannogloudis
Article Id 193727

Description

 
This article describes the NTurbo feature, a Fortinet hardware ASIC that improves overall IPS performance. The component is installed between the NP6 and the IPS engines and uses load-balancing algorithms to dynamically distribute the load across the available IPS engines. All devices with NP6 or SOC3-based processors can benefit from this feature.


Solution

 

Feature Verification.

 

  1. NTurbo can be enabled or disabled globally on the device with the following commands:

    config ips global
        set np-accel-mode [none | basic]                             <----- None: Disables Nturbo, Basic: Enables Nturbo.

 

If the np-accel-mode option is not available on the firewall, it means that the FortiGate model does not support NTurbo.

 

  2. NTurbo can also be disabled on a per-policy basis with the following commands:

    config firewall policy
        edit <X>
            set np-acceleration [enable | disable]

To observe more advanced NTurbo statistics, issue the command:

    diagnose test application ipsmonitor 14

NTurbo Limitations.

 

  1. Device Identification:

    Interfaces that are involved in the firewall policies must have device identification disabled.

  2. Session helpers:

    Sessions that are handled by session helpers cannot be offloaded to NTurbo.

  3. Proxy-based features:

    Proxy-based applications such as proxy AV should not be enabled on the firewall policies.
    As of 6.2.0, the firewall policies involved in the traffic should also be configured in flow-based inspection mode.

  4. Protocols:

    Protocols other than TCP and UDP cannot be offloaded to NTurbo.
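
The following Python script is an added example, not code from Fortinet or from the original article. It reads a FortiOS-style configuration and lists, per firewall policy, which of the configuration-visible conditions above (device identification on the policy's interfaces, proxy inspection mode, per-policy acceleration disabled) would keep its traffic off NTurbo. Assumptions: the key names `device-identification` and `inspection-mode`, the treatment of unset options as NTurbo-compatible defaults, and the sample configuration, which is constructed.

```python
# Constructed FortiOS-style config excerpt (sample data, not from a real device).
SAMPLE = """
config system interface
    edit "port1"
        set device-identification enable
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
    next
    edit 2
        set srcintf "port2"
        set dstintf "port3"
        set inspection-mode proxy
        set np-acceleration disable
    next
    edit 3
        set srcintf "port2"
        set dstintf "port3"
    next
end"""

def parse(text):
    """Parse top-level config/edit/set blocks; nested config blocks are skipped."""
    cfg, section, entry, depth = {}, None, None, 0
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        depth += {"config": 1, "end": -1}.get(tok[0], 0)
        if tok[0] == "config" and depth == 1:
            section, entry = cfg.setdefault(" ".join(tok[1:]), {}), None
        elif depth == 1 and tok[0] == "edit":
            entry = section.setdefault(tok[1].strip('"'), {})
        elif depth == 1 and tok[0] == "set" and entry is not None:
            entry[tok[1]] = [v.strip('"') for v in tok[2:]]
    return cfg

def nturbo_blockers(cfg):
    """Map policy id -> reasons the policy falls outside the NTurbo conditions."""
    devid = {n for n, s in cfg.get("system interface", {}).items()
             if s.get("device-identification") == ["enable"]}
    report = {}
    for pid, p in cfg.get("firewall policy", {}).items():
        ifaces = p.get("srcintf", []) + p.get("dstintf", [])
        why = report[pid] = [f"device identification on {i}" for i in ifaces if i in devid]
        if p.get("inspection-mode") == ["proxy"]:
            why.append("proxy-based inspection mode")
        if p.get("np-acceleration") == ["disable"]:
            why.append("np-acceleration disabled on policy")
    return report
```

Session-helper handling and non-TCP/UDP traffic depend on the live sessions rather than the policy definition, so an empty list from `nturbo_blockers(parse(SAMPLE))` only means that no configuration-level blocker was found for that policy.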