krajaa
Staff
Article Id 189868
Description
This article explains how NTurbo offloads flow-based processing.

Solution
NTurbo offloads firewall sessions that include flow-based security profiles to NP6 network processors.
Without NTurbo, or with NTurbo disabled, all firewall sessions that include flow-based security profiles are processed by the FortiGate CPU.
NTurbo also offloads sessions that have interface or DoS policies.

NTurbo can only offload firewall sessions containing flow-based security profiles if the session could otherwise have been offloaded except for the presence of the flow-based security profiles.
If something else prevents the session from being offloaded, NTurbo will not offload that session.

Firewall sessions that include proxy-based security profiles are never offloaded to network processors and are always processed by the FortiGate CPU.
NTurbo creates a special data path to redirect traffic from the ingress interface to IPS, and from IPS to the egress interface.
NTurbo allows firewall operations to be offloaded along this path, and still allows IPS to behave as a stage in the processing pipeline, reducing the workload on the FortiGate CPU and improving overall throughput.

NTurbo sessions still offload pattern matching and other processes to CP processors, just like normal flow-based sessions.
NTurbo can offload sessions when DoS policies (config firewall DoS-policy or DoS-policy6), interface policies (config firewall interface-policy or interface-policy6) or access control list policies (config firewall acl or acl6) have been added to the ingress or egress interfaces that receive or send the sessions.
If NTurbo is supported by the FortiGate, use the following command to configure it:
# config ips global
    set np-accel-mode {basic | none}
end
'basic' enables NTurbo and is the default setting for FortiGate models that support NTurbo.
'none' disables NTurbo. If the np-accel-mode option is not available, the FortiGate does not support NTurbo.
There are some special cases (listed below) where sessions are not offloaded by NTurbo, even when NTurbo is explicitly enabled.
In these cases, the sessions are handled by the FortiGate CPU.

- NP acceleration is disabled. For example, auto-asic-offload is disabled in the firewall policy configuration.
- The firewall policy includes proxy-based security profiles.
- FTP sessions cannot be offloaded to NP processors because FTP sessions use the FTP session helper.
- Tunneling is enabled. Any traffic to or from a tunneled interface (IPinIP, SSL VPN, GRE, CAPWAP, etc.) cannot be offloaded by NTurbo.
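
An added example, not part of the original article or of any Fortinet tooling: a Python audit that reads a FortiOS configuration excerpt and lists, per firewall policy, which of the conditions above would keep its sessions on the CPU. The sample configuration is constructed; the `inspection-mode` policy setting, the `FTP` service object name and the caller-supplied `tunnel_intfs` list are assumptions not taken from the article.

```python
import re
# Constructed sample configuration excerpt, not taken from a real device.
SAMPLE = """
config ips global
    set np-accel-mode basic
end
config firewall policy
    edit 1
        set srcintf "port1"
        set inspection-mode flow
    next
    edit 2
        set service "FTP"
    next
    edit 3
        set srcintf "gre-branch"
        set auto-asic-offload disable
    next
    edit 4
        set inspection-mode proxy
    next
end
"""

def nturbo_blockers(config, tunnel_intfs=()):
    """Map policy id -> listed conditions that keep it on the CPU (tunnel_intfs: caller-supplied names)."""
    section, pid, accel, policies = None, None, None, {}
    for line in config.splitlines():
        w = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if not w:
            continue
        if w[0] == "config":
            section = " ".join(w[1:])
        elif w[0] == "edit" and section == "firewall policy":
            pid = w[1]
            policies[pid] = {}
        elif w[0] == "set" and section == "ips global" and w[1] == "np-accel-mode":
            accel = w[2]  # absent means default or unsupported; only "none" is flagged
        elif w[0] == "set" and section == "firewall policy" and pid in policies:
            policies[pid][w[1]] = w[2:]
    checks = [  # (reason, predicate over one policy's settings)
        ("NTurbo disabled (np-accel-mode none)", lambda p: accel == "none"),
        ("auto-asic-offload disabled", lambda p: p.get("auto-asic-offload") == ["disable"]),
        ("proxy-based inspection", lambda p: p.get("inspection-mode") == ["proxy"]),  # assumed key
        ("FTP session helper", lambda p: "FTP" in p.get("service", [])),  # assumed object name
        ("tunneled interface", lambda p: bool(
            set(p.get("srcintf", []) + p.get("dstintf", [])) & set(tunnel_intfs))),
    ]
    return {pid: [r for r, hit in checks if hit(p)] for pid, p in policies.items()}
```

An empty list only means none of the listed conditions matched; the session must still be otherwise eligible for NP offload, as the article notes.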
