Chapter 16 – Optimal Path Processing – Life of a Packet

Chapter 16 – Optimal Path Processing – Life of a Packet



Life of a Packet

This FortiOS Handbook chapter contains the following sections:

  • Optimal Path Processing introduces the concept of Optimal Path Processing.
  • Packet flow ingress and egress: FortiGates without network processor offloading describes the overall packet flow through a FortiGate with no network offloading (NP) hardware.
  • Packet flow: FortiGates with NP6 processors first packet of a new session similar to the previous section, the first packet in a new session that can be offloaded is processed in much the same way as on a FortiGate with no network processors.
  • Packet flow: FortiGates with NP6 processors – packets in an offloaded session describes the much simpler packet flow for a packet from an offloaded session.
  • UTM/NGFW packet flow: flow-based inspection describes how single pass UTM/NGFW processing occurs in a flow-based FortiGate or VDOM.
  • UTM/NGFW packet flow: proxy-based inspection describes how UTM/NGFW processing occurs in a proxy-based¬†FortiGate or VDOM.
  • Comparison of inspection types shows how different security functions map to different inspection types.



Optimal Path Processing

Optimal Path Processing (OPP) uses the firewall policy configuration to determine the optimal path for processing a packet. Most FortiOS features are applied through Firewall policies and the features applied determine the path a packet takes. Using firewall policies you can impose UTM/NGFW processing on content traffic that may contain security threats (such as HTTP, email and so on). Many UTM/NGFW processes are offloaded and accelerated by CP8 or CP9 processors. Using the policy configuration you can apply a range of protection from basic IPS attack protection that looks for network-based attacks to full scale advanced threat management (ATM), application control, antivirus, DLP and so on.

You can also create policies for traffic that does not pose security threats and bypass UTM/NGFW checking. This control allows you to improve network performance without compromising security. On FortiGates with network processors (for example the NP6) much of the traffic that does not require UTM/NGFW processing can be offloaded to the NP6 processors freeing up FortiGate processing resources for other higher risk traffic.

In addition, many FortiGate models support NTurbo to offload flow-based UTM/NGFW sessions to network processors. Flow-based sessions can also be accelerated using IPSA technology to enhance offloading of pattern matching to CP8 and CP9 content processors.

This chapter begins with an overview of packet flow ingress and egress and includes a section that shows how NP6 offloading optimizes packet flow for packets that don’t require UTM/NGFW processing and for packets that use NTurbo to offload flow-based UTM/NGFW processing.

Next this chapter breaks down how packets pass through UTM/NGFW processing both for a single-pass flow- based UTM/NGFW processing and a proxy-based UTM/NGFW processing.

This entry was posted in FortiOS 5.4 Handbook and tagged on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.