Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Setting switch-mode mapping on the ADM-XD4

Leave a reply

Setting switch-mode mapping on the ADM-XD4

The ADM-XD4 SP has four 10Gb/s ports, but the NP4 processor it contains has only two 10Gb/s ports. The external ports you use are important to optimize the SP for your application.

 

ADMXD4 mapping mode

Ports 1 and 3 share one NP4 processor and ports 2 and 4 share the other. Performance ports sharing the same NP4 processor is far better than when forcing network data to move between NP4 processors by using one port from each, for example ports 1 and 2 or ports 3 and 4.

 

FortiGate NP4 architectures

Leave a reply

FortiGate NP4 architectures

This chapter shows the NP4 architecture for the all FortiGate units and modules that include NP4 processors.

 

FortiGate600C

The FortiGate-600C features one NP4 processor. All the ports are connected to this NP4 over the Integrated Switch Fabric. Port1 and port2 are dual failopen redundant RJ-45 ports. Port3-port22 are RJ-45 ethernet ports, and there are four 1Gb SFP interface ports duplicating the port19-port22 connections.

 

FortiGate800C

The FortiGate-800C features one NP4 processor. All the ports are connected to this NP4. Port1 and port2 are dual failopen redundant RJ-45 ports. Port3-port22 are RJ-45 ethernet ports, and there are eight 1Gb SFP interface ports duplicating the port15-18 and port19-port22 connections. There are also two 10Gb SFP+ ports, port23 and port24.

 

FortiGate1000C

The FortiGate-1000C features one NP4 processor. All the ports are connected to this NP4. Port1 and port2 are dual failopen redundant RJ-45 ports. Port3-port22 are RJ-45 ethernet ports, and there are eight 1Gb SFP interface ports duplicating the port15-18 and port19-port22 connections. There are also two 10Gb SFP+ ports, port23 and port24.

 

FortiGate1240B

The FortiGate-1240B features two NP4 processors:

  • Port1 to port24 are 1Gb SFP interfaces connected to one NP4 processor.
  • Port25 to port38 are RJ-45 ethernet ports, connected to the other NP4 processor.
  • Port39 and port40 are not connected to an NP4 processor.

 

Integrated Switch Fabric

FortiASIC NP4

FortiASIC NP4

System Bus

CP6

CPU

 

FortiGate3040B

The FortiGate-3040B features two NP4 processors:

  • The 10Gb interfaces, port1, port2, port3, port4, and the 1Gb interfaces, port9, port10, port11, port12, port13, share connections to one NP4 processor.
  • The 10Gb interfaces, port5, port6, port7, port8, and the 1Gb interfaces, port14, port15, port16, port17, port18, share connections to the other NP4 processor.

 

FortiGate  3040B

STATUS ALARM HA POWER

NP4-1      NP4-2

CONSOLE

10G SFP+

1                    3                    5                       7

2                    4                    6                       8

9                     11                   13

10                   12                   14

15                  17

16                  18

FSM1

FSM2

SHUT DO WN

FSM3

FSM4

Integrated Switch Fabric

FortiASIC NP4

FortiASIC NP4

System Bus

CP7

CPU

Pages: 1 2 3 4 5 6

Offloading NP4 anomaly detection

Leave a reply

Offloading NP4 anomaly detection

Network interfaces associated with a port attached to an NP4 processor can be configured to offload anomaly checking to the NP4 processor. This anomaly checking happens before other offloading and separately from DoS policy anomaly checking. Using the following command, each FortiGate interface can have a different anomaly checking configuration even if they are connected to the same NP4 processor.

The options available for this command apply anomaly checking for NP4 sessions in the same way as the command descrbed in Configuring individual NP6 processors on page 1215 applies anomaly checking for for NP6 sessions.

 

config system interface edit <port-name>

set fp-anomaly <anomalies>

end

where <anomalies> can be one, more than one or all of the following:

 

Anomaly                  Description

drop_icmp_frag         Drop ICMP fragments to pass.

drop_icmpland           Drop ICMP Land.

drop_ipland                Drop IP Land.

drop_iplsrr                  Drop IP with Loose Source Record Route option.

drop_iprr                    Drop IP with Record Route option.

drop_ipsecurity          Drop IP with Security option.

drop_ipssrr                 Drop IP with Strict Source Record Route option.

drop_ipstream            Drop IP with Stream option.

drop_iptimestamp     Drop IP with Timestamp option.

 

Anomaly                  Description

drop_ipunknown_

option

Drop IP with malformed option.
drop_ipunknown_

prot

drop_tcp_fin_

noack

Drop IP with Unknown protocol.

Drop TCP FIN with no ACT flag set to pass.

drop_tcp_no_flag       Drop TCP with no flag set to pass.

drop_tcpland              Drop TCP Land.

drop_udpland             Drop UDP Land.

drop_winnuke            Drop TCP WinNuke.

pass_icmp_frag         Allow ICMP fragments to pass.

pass_icmpland           Allow ICMP Land to pass.

pass_ipland               Allow IP land to pass.

pass_iplsrr                 Allow IP with Loose Source Record Route option to pass.

pass_iprr                    Allow IP with Record Route option to pass.

pass_ipsecurity          Allow IP with Security option to pass.

pass_ipssrr                 Allow IP with Strict Source Record Route option to pass.

pass_ipstream           Allow IP with Stream option to pass.

pass_iptimestamp     Allow IP with Timestamp option to pass.

pass_ipunknown_

option

Allow IP with malformed option to pass.

pass_ipunknown_

prot

pass_tcp_fin_

noack

Allow IP with Unknown protocol to pass.

Allow TCP FIN with no ACT flag set to pass.

pass_tcp_no_flag      Allow TCP with no flag set to pass.

 

Anomaly                  Description

pass_tcpland             Allow TCP Land to pass.

pass_udpland            Allow UDP Land to pass.

pass_winnuke            Allow TCP WinNuke to pass.

Example

You might configure an NP4 to drop packets with TCP WinNuke or unknown IP protocol anomalies, but to pass packets with an IP time stamp, using hardware acceleration provided by the network processor.

config system interface edit port1

set fp-anomaly drop_winnuke drop_ipunknown_prot pass_iptimestamp end

 

Confirm that the traffic is accelerated

Leave a reply

Confirm that the traffic is accelerated

Use the following CLI commands to obtain the interface index and then correlate them with the session entries. In the following example traffic was flowing between new accelerated inter-VDOM links and physical ports port1 and port 2 also attached to the NP4 processor.

diagnose ip address list

IP=172.31.17.76->172.31.17.76/255.255.252.0 index=5 devname=port1

IP=10.74.1.76->10.74.1.76/255.255.252.0 index=6 devname=port2

IP=172.20.120.12->172.20.120.12/255.255.255.0 index=55 devname=IVL-VLAN1_ROOT IP=172.20.120.22->172.20.120.22/255.255.255.0 index=56 devname=IVL-VLAN1_VDOM1

 

diagnose sys session list

session info: proto=1 proto_state=00 duration=282 expire=24 timeout=0 session info: proto=1 proto_state=00 duration=124 expire=59 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper= reply-shaper= per_ip_shaper=

ha_id=0 policy_dir=0 tunnel=/

state=may_dirty npu

statistic(bytes/packets/allow_err): org=180/3/1 reply=120/2/1 tuples=2 orgin->sink: org pre->post, reply pre->post dev=55->5/5->55

gwy=172.31.19.254/172.20.120.22

hook=post dir=org act=snat 10.74.2.87:768->10.2.2.2:8(172.31.17.76:62464) hook=pre dir=reply act=dnat 10.2.2.2:62464->172.31.17.76:0(10.74.2.87:768) misc=0 policy_id=4 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0 serial=0000004e tos=ff/ff ips_view=0 app_list=0 app=0

dd_type=0 dd_mode=0

per_ip_bandwidth meter: addr=10.74.2.87, bps=880 npu_state=00000000

npu info: flag=0x81/0x81, offload=4/4, ips_offload=0/0, epid=160/218, ipid=218/160, vlan=32769/0

 

session info: proto=1 proto_state=00 duration=124 expire=20 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3

origin-shaper= reply-shaper= per_ip_shaper=

ha_id=0 policy_dir=0 tunnel=/

state=may_dirty npu

statistic(bytes/packets/allow_err): org=180/3/1 reply=120/2/1 tuples=2

orgin->sink: org pre->post, reply pre->post dev=6->56/56->6 gwy=172.20.120.12/10.74.2.87

hook=pre dir=org act=noop 10.74.2.87:768->10.2.2.2:8(0.0.0.0:0) hook=post dir=reply act=noop 10.2.2.2:768->10.74.2.87:0(0.0.0.0:0) misc=0 policy_id=3 id_policy_id=0 auth_info=0 chk_client_info=0 vd=1 serial=0000004d tos=ff/ff ips_view=0 app_list=0 app=0

dd_type=0 dd_mode=0

per_ip_bandwidth meter: addr=10.74.2.87, bps=880 npu_state=00000000

npu info: flag=0x81/0x81, offload=4/4, ips_offload=0/0, epid=219/161, ipid=161/219, vlan=0/32769

total session 2

Using VLANs to add more accelerated Inter-VDOM links

Leave a reply

Using VLANs to add more accelerated Inter-VDOM links

You can add VLAN interfaces to the accelerated inter-VDOM links to create inter-VDOM links between more VDOMs. For the links to work, the VLAN interfaces must be added to the same inter-VDOM link, must be on the same subnet, and must have the same VLAN ID.

For example, to accelerate inter-VDOM link traffic between VDOMs named Marketing and Engineering using VLANs with VLAN ID 100 go to System > Network > Interfaces and select Create New to create the VLAN interface associated with the Marketing VDOM:

Name                                           Marketing-link

Type                                            VLAN

Interface                                     npu0-vlink0

VLAN ID                                      100

Virtual Domain                          Marketing

IP/Network Mask                       172.20.120.12/24

 

Create the inter-VDOM link associated with Engineering VDOM:

Name                                           Engineering-link

Type                                            VLAN

Interface                                     npu0-vlink1

VLAN ID                                      100

Virtual Domain                          Engineering

IP/Network Mask                       172.20.120.22/24

 

Or do the same from the CLI:

 

config system interface edit Marketing-link

set vdom Marketing

set ip 172.20.120.12/24 set interface npu0-vlink0 set vlanid 100

next

edit Engineering-link set vdom Engineering

set ip 172.20.120.22/24 set interface npu0-vlink1 set vlanid 100

Configuring Inter-VDOM link acceleration with NP4 processors

Leave a reply

Configuring Inter-VDOM link acceleration with NP4 processors

FortiGate units with NP4 processors include inter-VDOM links that can be used to accelerate inter-VDOM link traffic.

Traffic is blocked if you enable IPS for traffic passing over inter-VDOM links if that traffic is being offloaded by an NP4 processor.If you disable NP4 offloading traffic will be allowed to flow. You can disable offloading in individual firewall policies by dis- abling auto-asic-offload for those policies. You can also use the following com- mand to disable all IPS offloading

config ips global

set np-accel-mode none set cp-accel-mode none

end

 

  • For a FortiGate unit with two NP4 processors there are also two inter-VDOM links, each with two interfaces:
  • npu0-vlink: npu0-vlink0 npu0-vlink1
  • npu1-vlink: npu1-vlink0 npu1-vlink1

These interfaces are visible from the GUI and CLI. For a FortiGate unit with NP4 interfaces, enter the following CLI command (output shown for a FortiGate-5001B):

get hardware npu np4 list

 

 

 

ID

  

 

Model

  

 

Slot

  

 

Interface
0 On-board   port1 port2 port3 port4
      fabric1 base1 npu0-vlink0 npu0-vlink1
1 On-board   port5 port6 port7 port8
      fabric2 base2 npu1-vlink0 npu1-vlink1

By default the interfaces in each inter-VDOM link are assigned to the root VDOM. To use these interfaces to

accelerate inter-VDOM link traffic, assign each interface in a pair to the VDOMs that you want to offload traffic between. For example, if you have added a VDOM named New-VDOM to a FortiGate unit with NP4 processors, you can go to System > Network > Interfaces and edit the npu0-vlink1 interface and set the Virtual Domain to NewVDOM.

This results in an inter-VDOM link between root and New-VDOM. You can also do this from the CLI:

config system interface edit npu0-vlink1

set vdom New-VDOM

end

NP4 IPsec VPN offloading configuration example

2 Replies

NP4 IPsec VPN offloading configuration example

Hardware accelerated IPsec processing, involving either partial or full offloading, can be achieved in either tunnel or interface mode IPsec configurations.

To achieve offloading for both encryption and decryption:

  • In Phase 1 configuration’s Advanced section, Local Gateway IP must be specified as an IP address of a network interface associated with a port attached to a network processor. (In other words, if Phase 1’s Local Gateway IP is Main Interface IP, or is specified as an IP address that is not associated with a network interface associated with a port attached to a network processor, IPsec network processing is not offloaded.)
  • In Phase 2 configuration’s P2 Proposal section, if the checkbox “Enable replay detection” is enabled, enc- offload-antireplay and dec-offload-antireplay must be set to enable in the CLI.
  • offload-ipsec-host must be set to enable in the CLI.

This section contains example IPsec configurations whose IPsec encryption and decryption processing is hardware accelerated by an NP4 unit contained in a FortiGate-5001B at both ends of the VPN tunnel.

Hardware accelerated IPsec VPN does not require both tunnel endpoints to have the same network processor model. However, if hardware is not symmetrical, the packet forwarding rate is limited by the slower side.

Pages: 1 2

NP4 IPsec VPN offloading

Leave a reply

NP4 IPsec VPN offloading

NP4 processors improve IPsec tunnel performance by offloading IPsec encryption and decryption. Requirements for hardware accelerated IPsec encryption or decryption are a modification of general offloading requirements. Differing characteristics are:

  • Origin can be local host (the FortiGate unit)
  • In Phase 1 configuration, Local Gateway IP must be specified as an IP address of a network interface for a port attached to a network processor
  • SA must have been received by the network processor
  • in Phase 2 configuration:
  • encryption algorithm must be DES, 3DES, AES-128, AES-192, AES-256, or null
  • authentication must be MD5, SHA1, or null
  • if encryption is null, authentication must not also be null
  • if replay detection is enabled, enc-offload-antireplay must also be enable in the CLI

If replay detection is enabled in the Phase 2 configuration, you can enable or disable IPsec encryption and decryption offloading from the CLI. Performance varies by those CLI options and the percentage of packets requiring encryption or decryption. For details, see NP4 IPsec VPN offloading on page 1261

To apply hardware accelerated encryption and decryption, the FortiGate unit’s main processing resources must first perform Phase 1 negotiations to establish the security association (SA). The SA includes cryptographic processing instructions required by the network processor, such as which encryption algorithms must be applied to the tunnel. After ISAKMP negotiations, the FortiGate unit’s main processing resources send the SA to the network processor, enabling the network processor to apply the negotiated hardware accelerated encryption or decryption to tunnel traffic.

 

Possible accelerated cryptographic paths are:

  • IPsec decryption offload
  • Ingress ESP packet > Offloaded decryption > Decrypted packet egress (fast path)
  • Ingress ESP packet > Offloaded decryption > Decrypted packet to FortiGate unit’s main processing resources
  • IPsec encryption offload
  • Ingress packet > Offloaded encryption > Encrypted (ESP) packet egress (fast path)
  • Packet from FortiGate unit’s main processing resources > Offloaded encryption > Encrypted (ESP) packet egress