Chapter 16 – Optimal Path Processing – Life of a Packet
Life of a Packet
This FortiOS Handbook chapter contains the following sections:
- Optimal Path Processing introduces the concept of Optimal Path Processing.
- Packet flow ingress and egress: FortiGates without network processor offloading describes the overall packet flow through a FortiGate with no network offloading (NP) hardware.
- Packet flow: FortiGates with NP6 processors first packet of a new session similar to the previous section, the first packet in a new session that can be offloaded is processed in much the same way as on a FortiGate with no network processors.
- Packet flow: FortiGates with NP6 processors – packets in an offloaded session describes the much simpler packet flow for a packet from an offloaded session.
- UTM/NGFW packet flow: flow-based inspection describes how single pass UTM/NGFW processing occurs in a flow-based FortiGate or VDOM.
- UTM/NGFW packet flow: proxy-based inspection describes how UTM/NGFW processing occurs in a proxy-based FortiGate or VDOM.
- Comparison of inspection types shows how different security functions map to different inspection types.
Optimal Path Processing
Optimal Path Processing (OPP) uses the firewall policy configuration to determine the optimal path for processing a packet. Most FortiOS features are applied through Firewall policies and the features applied determine the path a packet takes. Using firewall policies you can impose UTM/NGFW processing on content traffic that may contain security threats (such as HTTP, email and so on). Many UTM/NGFW processes are offloaded and accelerated by CP8 or CP9 processors. Using the policy configuration you can apply a range of protection from basic IPS attack protection that looks for network-based attacks to full scale advanced threat management (ATM), application control, antivirus, DLP and so on.
You can also create policies for traffic that does not pose security threats and bypass UTM/NGFW checking. This control allows you to improve network performance without compromising security. On FortiGates with network processors (for example the NP6) much of the traffic that does not require UTM/NGFW processing can be offloaded to the NP6 processors freeing up FortiGate processing resources for other higher risk traffic.
In addition, many FortiGate models support NTurbo to offload flow-based UTM/NGFW sessions to network processors. Flow-based sessions can also be accelerated using IPSA technology to enhance offloading of pattern matching to CP8 and CP9 content processors.
This chapter begins with an overview of packet flow ingress and egress and includes a section that shows how NP6 offloading optimizes packet flow for packets that don’t require UTM/NGFW processing and for packets that use NTurbo to offload flow-based UTM/NGFW processing.
Next this chapter breaks down how packets pass through UTM/NGFW processing both for a single-pass flow- based UTM/NGFW processing and a proxy-based UTM/NGFW processing.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!