FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description This article explains IPSA offloads flow-based advanced pattern matching.
Solution IPSA offloads advanced or enhanced pattern matching operations required for flow-based content processing to CP8 and CP9 Content Processors. IPSA offloads enhanced pattern matching for NTurbo firewall sessions and firewall sessions that are not offloaded to NP processors. When IPSA is turned on, flow-based pattern databases are compiled and downloaded to the content processors from the IPS engine and IPS database. Flow-based pattern matching requests are redirected to the CP hardware reducing the load on the FortiGate CPU and accelerating pattern matching.
IF IPSA is supported on the FortiGate , use the following command to configure it:
# config ips global set cp-accel-mode {advanced | basic | none} end
'basic' offloads basic pattern matching. 'advanced' offloads more types of pattern matching resulting in higher throughput than basic mode. 'advanced' is only available on FortiGate models with two or more CP8s or one or more CP9s. If the cp-accel-mode option is not available, then the FortiGate does not support IPSA.
On FortiGates with one CP8, the default cp-accel-mode is basic. Setting the mode to advanced does not change the types of pattern matching that are offloaded.
On FortiGates with two or more CP8s or one or more CP9s the default cp-accel-mode is advanced. Set the mode to basic to offload fewer types of pattern matching.
