Chapter 12 – Hardware Acceleration

Enabling strict protocol header checking disables all hardware acceleration

You can use the following command to cause the FortiGate to apply strict header checking to verify that a packet is part of a session that should be processed. Strict header checking includes verifying the layer-4 protocol header length, the IP header length, the IP version, the IP checksum, IP options, and verifying that ESP packets have the correct sequence number, SPI, and data length.If the packet fails header checking it is dropped by the FortiGate unit.

 

config system global

check-protocol-header strict end.

Enabling strict header checking disables all hardware acceleration. This includes NP, SP.and CP processing.

 

 

sFlow and NetFlow and hardware acceleration

NP6 offloading is supported when you configure NetFlow for interfaces connected to NP6 processors. Configuring sFlow on any interface disables all NP4 and NP6 offloading for all traffic on that interface. As well, configuring NetFlow on any interface disables NP4 offloading for all traffic on that interface.

 

Checking that traffic is offloaded by NP processors

A number of diagnose commands can be used to verify that traffic is being offloaded.

 

Using the packet sniffer

Use the packet sniffer to verify that traffic is offloaded. Offloaded traffic is not picked up by the packet sniffer so if you are sending traffic through the FortiGate unit and it is not showing up on the packet sniffer you can conclude that it is offloaded.

diag sniffer packet port1 <option>

 

Checking the firewall session offload tag

Use the diagnose sys session list command to display sessions. If the output for a session includes the npu info field you should see information about session being offloaded. If the output doesn’t contain an npu info field then the session has not been offloaded.

 

diagnose sys session list

session info: proto=6 proto_state=01 duration=34 expire=3565 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper= reply-shaper= per_ip_shaper=

ha_id=0 policy_dir=0 tunnel=/

state=may_dirty npu

statistic(bytes/packets/allow_err): org=295/3/1 reply=60/1/1 tuples=2

orgin->sink: org pre->post, reply pre->post dev=48->6/6->48 gwy=10.1.100.11/11.11.11.1 hook=pre dir=org act=noop 172.16.200.55:56453->10.1.100.11:80(0.0.0.0:0)

hook=post dir=reply act=noop 10.1.100.11:80->172.16.200.55:56453(0.0.0.0:0)

pos/(before,after) 0/(0,0), 0/(0,0)

misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=4 serial=0000091c tos=ff/ff ips_view=0 app_list=0 app=0

dd_type=0 dd_mode=0

per_ip_bandwidth meter: addr=172.16.200.55, bps=393 npu_state=00000000

npu info: flag=0x81/0x81, offload=4/4, ips_offload=0/0, epid=1/23, ipid=23/1, vlan=32779/0

 

Verifying IPsec VPN traffic offloading

The following commands can be used to verify IPsec VPN traffic offloading to NP processors.

diagnose vpn ipsec status

NPl/NP2/NP4_0/sp_0_0:

null: 0 0 des: 0 0

3des: 4075 4074

aes: 0 0 aria: 0 0 seed: 0 0 null: 0 0

md5: 4075 4074 sha1: 0 0 sha256: 0 0 sha384: 0 0 sha512: 0 0

diagnose vpn tunnel list

list all ipsec tunnel in vd 3

——————————————————

name=p1-vdom1 ver=1 serial=5 11.11.11.1:0->11.11.11.2:0 lgwy=static tun=tunnel mode=auto bound_if=47

proxyid_num=1 child_num=0 refcnt=8 ilast=2 olast=2 stat: rxp=3076 txp=1667 rxb=4299623276 txb=66323

dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=20 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=p2-vdom1 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1 src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=0000000e type=00 soft=0 mtu=1436 expire=1736 replaywin=2048 seqno=680 life: type=01 bytes=0/0 timeout=1748/1800

dec: spi=ae01010c esp=3des key=24 18e021bcace225347459189f292fbc2e4677563b07498a07 ah=md5 key=16 b4f44368741632b4e33e5f5b794253d3

enc: spi=ae01010d esp=3des key=24 42c94a8a2f72a44f9a3777f8e6aa3b24160b8af15f54a573 ah=md5 key=16 6214155f76b63a93345dcc9ec02d6415

dec:pkts/bytes=3073/4299621477, enc:pkts/bytes=1667/66375

npu_flag=03 npu_rgwy=11.11.11.2 npu_lgwy=11.11.11.1 npu_selid=4

 

diagnose sys session list

session info: proto=6 proto_state=01 duration=34 expire=3565 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper= reply-shaper= per_ip_shaper=

ha_id=0 policy_dir=0 tunnel=/p1-vdom2 state=re may_dirty npu

statistic(bytes/packets/allow_err): org=112/2/1 reply=112/2/1 tuples=2

orgin->sink: org pre->post, reply pre->post dev=57->7/7->57 gwy=10.1.100.11/11.11.11.1 hook=pre dir=org act=noop 172.16.200.55:35254->10.1.100.11:80(0.0.0.0:0)

hook=post dir=reply act=noop 10.1.100.11:80->172.16.200.55:35254(0.0.0.0:0)

pos/(before,after) 0/(0,0), 0/(0,0)

misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=4 serial=00002d29 tos=ff/ff ips_view=0 app_list=0 app=0

dd_type=0 dd_mode=0

per_ip_bandwidth meter: addr=172.16.200.55, bps=260 npu_state=00000000

npu info: flag=0x81/0x82, offload=7/7, ips_offload=0/0, epid=1/3, ipid=3/1, vlan=32779/0

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.