Managing your FortiSwitch from your FortiGate is an awesome feature set that Fortinet implemented in their hardware. 5.4.1 makes it so much easier to accomplish this. Nothing sucks worse than running out of port density on your FortiGate. Now you really don't have to worry about it (ok, you didn't really have to before, but it is neat nonetheless).
diagnose npu np6 dce <np6-id> (number of dropped NP6 packets)
This command displays the number of dropped packets for the selected NP6 processor.
- IHP1_PKTCHK: number of dropped IP packets
- IPSEC0_ENGINB0: number of dropped IPsec packets
- TPE_SHAPER: number of dropped traffic shaper packets
diag npu np6 dce 1
IHP1_PKTCHK :0000000000001833 [5b]
IPSEC0_ENGINB0 :0000000000000003 [80]
TPE_SHAPER :0000000000000552 [94]
diagnose npu np6 sse-stats <np6-id> (number of NP6 sessions and dropped sessions)
This command displays the total number of inserted, deleted and purged sessions processed by the selected NP6 processor. The number of dropped sessions of each type can be determined by subtracting the number of successful sessions from the total number of sessions. For example, the total number of dropped insert sessions is insert-total - insert-success.
diagnose npu np6 sse-stats 0
Counters       | SSE0     | SSE1     | Total    |
---------------|----------|----------|----------|
active         | 0        | 0        | 0        |
insert-total   | 25       | 0        | 0        |
insert-success | 25       | 0        | 0        |
delete-total   | 25       | 0        | 0        |
delete-success | 25       | 0        | 0        |
purge-total    | 0        | 0        | 0        |
purge-success  | 0        | 0        | 0        |
search-total   | 40956    | 38049    | 79005    |
search-hit     | 37714    | 29867    | 67581    |
---------------|----------|----------|----------|
pht-size       | 8421376  | 8421376  |          |
oft-size       | 8355840  | 8355840  |          |
oftfree        | 8355839  | 8355839  |          |
PBA            | 3001     |
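The "total minus success" arithmetic above is easy to do by hand for one table, but on a busy box you want it scripted so a non-zero drop count stands out. The following is an added example, not code from the page or from Fortinet: a small parser for the sse-stats table that computes dropped insert/delete/purge sessions per SSE column and the session-table search miss ratio. The sample text is constructed to match the table on this page (which shows zero drops), plus a constructed variant with three failed inserts so the drop path is exercised; the column names and layout are assumed from this page's example.

```python
"""Parse 'diagnose npu np6 sse-stats <np6-id>' output and compute dropped
sessions as total - success for each session type. Added example, not a
Fortinet tool; the table layout is assumed from the documented sample."""

# Constructed sample: values copied from the sse-stats example on this page.
SAMPLE_SSE_STATS = """\
Counters       | SSE0     | SSE1     | Total    |
---------------|----------|----------|----------|
active         | 0        | 0        | 0        |
insert-total   | 25       | 0        | 0        |
insert-success | 25       | 0        | 0        |
delete-total   | 25       | 0        | 0        |
delete-success | 25       | 0        | 0        |
purge-total    | 0        | 0        | 0        |
purge-success  | 0        | 0        | 0        |
search-total   | 40956    | 38049    | 79005    |
search-hit     | 37714    | 29867    | 67581    |
---------------|----------|----------|----------|
pht-size       | 8421376  | 8421376  |          |
oft-size       | 8355840  | 8355840  |          |
oftfree        | 8355839  | 8355839  |          |
PBA            | 3001     |
"""

# Constructed variant: three inserts on SSE0 failed, so drops are non-zero.
DEGRADED_SSE_STATS = SAMPLE_SSE_STATS.replace("insert-success | 25 ",
                                              "insert-success | 22 ")


def parse_sse_stats(text):
    """Return {counter_name: {column: int}} for every numeric row.
    Column names come from the header row; short rows such as 'PBA'
    keep only the cells that are present."""
    rows = {}
    columns = None
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if set("".join(cells)) <= set("- "):
            continue  # blank line or dashed separator
        if columns is None:
            columns = cells[1:]  # SSE0, SSE1, Total
            continue
        name, values = cells[0], cells[1:]
        rows[name] = {col: int(v) for col, v in zip(columns, values) if v.isdigit()}
    return rows


def dropped_sessions(stats):
    """For insert/delete/purge and each column: dropped = total - success."""
    result = {}
    for kind in ("insert", "delete", "purge"):
        total, success = stats[f"{kind}-total"], stats[f"{kind}-success"]
        result[kind] = {col: total[col] - success.get(col, 0) for col in total}
    return result


def search_miss_ratio(stats):
    """Fraction of session-table searches that did not hit, per column."""
    total, hit = stats["search-total"], stats["search-hit"]
    return {col: 1 - hit[col] / total[col] for col in total if total[col]}


if __name__ == "__main__":
    for label, text in (("healthy", SAMPLE_SSE_STATS), ("degraded", DEGRADED_SSE_STATS)):
        stats = parse_sse_stats(text)
        print(label, "drops:", dropped_sessions(stats))
        print(label, "search miss ratio:", search_miss_ratio(stats))
```

Run it against a saved copy of the command output; any non-zero value in the drops dictionary is the condition the documentation tells you to look for.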
diagnose sys mcast-session/session6 list (IPv4 and IPv6 multicast sessions)
This command lists all IPv4 or IPv6 multicast sessions. If a multicast session can be offloaded, the output includes the offloadable tag. If the multicast path can be offloaded, one of the paths in the command output is tagged as offloaded.
The only way to determine the number of offloaded multicast sessions is to use the diagnose sys mcast-session/session6 list command and count the number of sessions with the offload tag.
diagnose sys mcast-session list
session info: id=3 vf=0 proto=17 172.16.200.55.51108->239.1.1.1.7878
used=2 path=11 duration=1 expire=178 indev=6 pkts=2 state:2cpu offloadable
npu-info in-pid=0 vifid=0 in-vtag=0 npuid=0 queue=0 tae=0
path: 2cpu policy=1, outdev=2 out-vtag=0
path: 2cpu policy=1, outdev=3 out-vtag=0
path: offloaded policy=1, outdev=7 out-vtag=0
path: policy=1, outdev=8 out-vtag=0
path: policy=1, outdev=9 out-vtag=0
path: policy=1, outdev=10 out-vtag=0
path: policy=1, outdev=11 out-vtag=0
path: policy=1, outdev=12 out-vtag=0
path: policy=1, outdev=13 out-vtag=0
path: 2cpu policy=1, outdev=64 out-vtag=0
path: 2cpu policy=1, outdev=68 out-vtag=0
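Since counting the offload tags by eye is the only method the documentation offers, here is an added example (not code from the page or from Fortinet) that does the counting from saved output: it splits the listing into sessions, records whether each carries the offloadable tag, and counts how many path lines are tagged offloaded versus left on the CPU. The sample input is constructed: the first session is the example shown above, the second is a made-up session with no offloadable tag. The line layout is assumed from this page's example.

```python
"""Count offloadable multicast sessions and offloaded paths in
'diagnose sys mcast-session list' output. Added example, not a Fortinet
tool; the line format is assumed from the documented sample."""
import re

# Constructed sample: session id=3 is the example from this page; id=4 is
# made up to show a session that is not offloadable.
SAMPLE_MCAST = """\
session info: id=3 vf=0 proto=17 172.16.200.55.51108->239.1.1.1.7878
used=2 path=11 duration=1 expire=178 indev=6 pkts=2 state:2cpu offloadable
npu-info in-pid=0 vifid=0 in-vtag=0 npuid=0 queue=0 tae=0
path: 2cpu policy=1, outdev=2 out-vtag=0
path: 2cpu policy=1, outdev=3 out-vtag=0
path: offloaded policy=1, outdev=7 out-vtag=0
path: policy=1, outdev=8 out-vtag=0
path: policy=1, outdev=9 out-vtag=0
path: policy=1, outdev=10 out-vtag=0
path: policy=1, outdev=11 out-vtag=0
path: policy=1, outdev=12 out-vtag=0
path: policy=1, outdev=13 out-vtag=0
path: 2cpu policy=1, outdev=64 out-vtag=0
path: 2cpu policy=1, outdev=68 out-vtag=0
session info: id=4 vf=0 proto=17 172.16.200.56.40000->239.1.1.2.5000
used=1 path=2 duration=5 expire=170 indev=6 pkts=9 state:2cpu
npu-info in-pid=0 vifid=0 in-vtag=0 npuid=0 queue=0 tae=0
path: 2cpu policy=2, outdev=2 out-vtag=0
path: 2cpu policy=2, outdev=3 out-vtag=0
"""

SESSION_RE = re.compile(r"^session info: id=(\d+) vf=(\d+) proto=(\d+) (\S+)->(\S+)$")
# The optional tag before 'policy=' is '2cpu', 'offloaded', or absent.
PATH_RE = re.compile(r"^path:(?: (?!policy=)(\S+))? policy=(\d+), outdev=(\d+)")


def parse_mcast_sessions(text):
    """Return a list of sessions, each with its offloadable flag and paths."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "vf": int(m.group(2)),
                             "src": m.group(4), "group": m.group(5),
                             "offloadable": False, "paths": []})
            continue
        if not sessions:
            continue  # ignore anything before the first session block
        cur = sessions[-1]
        if line.startswith("used="):
            cur["offloadable"] = "offloadable" in line.split()
            continue
        m = PATH_RE.match(line)
        if m:
            cur["paths"].append({"tag": m.group(1), "policy": int(m.group(2)),
                                 "outdev": int(m.group(3))})
    return sessions


def offload_summary(sessions):
    """How many sessions are offloadable, how many paths the NP6 carries,
    and which sessions have no offloaded path at all (CPU only)."""
    offloaded_paths = sum(1 for s in sessions for p in s["paths"]
                          if p["tag"] == "offloaded")
    cpu_only = [s["id"] for s in sessions
                if not any(p["tag"] == "offloaded" for p in s["paths"])]
    return {"sessions": len(sessions),
            "offloadable": sum(1 for s in sessions if s["offloadable"]),
            "offloaded_paths": offloaded_paths,
            "cpu_only_session_ids": cpu_only}


if __name__ == "__main__":
    print(offload_summary(parse_mcast_sessions(SAMPLE_MCAST)))
```

A multicast session that is offloadable but has no offloaded path is the case worth a second look, since all of its forwarding is still being done in software.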
diagnose npu np6 ipsec-stats (NP6 IPsec statistics)
The command output includes IPv4, IPv6, and NAT46 IPsec information:
- spi_ses4 is the IPv4 counter
- spi_ses6 is the IPv6 counter
- 4to6_ses is the NAT46 counter
diagnose npu np6 ipsec-stats
vif_start_oid 03ed vif_end_oid 03fc
IPsec Virtual interface stats:
vif_get 00000000000
vif_get_expired 00000000000
vif_get_fail 00000000000
vif_get_invld 00000000000
vif_set 00000000000
vif_set_fail 00000000000
vif_clear 00000000000
vif_clear_fail 00000000000
np6_0:
diagnose npu np6 session-stats <np6-id> (number of NP6 IPv4 and IPv6 sessions)
You can use the diagnose npu np6 portlist command to list the NP6 IDs and the interfaces that each NP6 is connected to. The <np6-id> of np6_0 is 0, the <np6-id> of np6_1 is 1, and so on. The diagnose npu np6 session-stats <np6-id> command output includes the following headings:
- ins44 installed IPv4 sessions
- ins46 installed NAT46 sessions
- del4 deleted IPv4 and NAT46 sessions
- ins64 installed NAT64 sessions
- ins66 installed IPv6 sessions
- del6 deleted IPv6 and NAT64 sessions
- e is the error counter for each session type
diagnose npu np6 session-stats 0
qid ins44 ins46 del4 ins64 ins66 del6 ins44_e ins46_e del4_e ins64_e ins66_e del6_e
Using the diagnose sys session/session6 list command
The diagnose sys session list and diagnose sys session6 list commands list all of the current IPv4 or IPv6 sessions being processed by the FortiGate. For each session the command output includes an npu info line that displays NPx offloading information for the session. If a session is not offloaded the command output includes a no_ofld_reason line that indicates why the session was not offloaded.
Displaying NP6 offloading information for a session
The npu info line of the diagnose sys session list command includes information about the offloaded session that indicates the type of processor and whether it is IPsec or regular traffic:
- offload=1/1 for NP1(FA1) sessions.
- offload=2/2 for NP1(FA2) sessions.
- offload=3/3 for NP2 sessions.
- offload=4/4 for NP4 sessions.
- offload=5/5 for XLR sessions.
- offload=6/6 for Nplite/NP4lite sessions.
- offload=7/7 for XLP sessions.
- offload=8/8 for NP6 sessions.
- flag 0x81 means regular traffic.
- flag 0x82 means IPsec traffic.
Example offloaded IPv4 NP6 session
The following session output by the diagnose sys session list command shows an offloaded session. The information in the npu info line shows this is a regular session (flag=0x81/0x81) that is offloaded by an NP6 processor (offload=8/8).
diagnose sys session list
session info: proto=6 proto_state=01 duration=4599 expire=2753 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper= reply-shaper= per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=log may_dirty npu none log-start
statistic(bytes/packets/allow_err): org=1549/20/1 reply=1090/15/1 tuples=2 speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=15->17/17->15 gwy=172.20.121.2/5.5.5.33
hook=post dir=org act=snat 5.5.5.33:60656->91.190.218.66:12350 (172.20.121.135:60656)
hook=pre dir=reply act=dnat 91.190.218.66:12350->172.20.121.135:60656 (5.5.5.33:60656)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=98:90:96:af:89:b9
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=00058b9c tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0 npu_state=0x000c00
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=140/138, ipid=138/140, vlan=0x0000/0x0000
vlifid=138/140, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=0/2
Example IPv4 session that is not offloaded
The following session, output by the diagnose sys session list command, includes the no_ofld_reason line, which indicates that the session was not offloaded because it is a local-in session.
session info: proto=6 proto_state=01 duration=19 expire=3597 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper= reply-shaper= per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=8/8 state=local may_dirty
statistic(bytes/packets/allow_err): org=6338/15/1 reply=7129/12/1 tuples=2 speed(Bps/kbps): 680/5
orgin->sink: org pre->in, reply out->post dev=15->50/50->15 gwy=5.5.5.5/0.0.0.0
hook=pre dir=org act=noop 5.5.5.33:60567->5.5.5.5:443(0.0.0.0:0)
hook=post dir=reply act=noop 5.5.5.5:443->5.5.5.33:60567(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
src_mac=98:90:96:af:89:b9
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0 serial=000645d8 tos=ff/ff app_list=0 app=0 url_cat=0 dd_type=0 dd_mode=0
npu_state=00000000
no_ofld_reason: local
Example IPv4 IPsec NP6 session
diagnose sys session list
session info: proto=6 proto_state=01 duration=34 expire=3565 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper= reply-shaper= per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/p1-vdom2 state=re may_dirty npu
statistic(bytes/packets/allow_err): org=112/2/1 reply=112/2/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=57->7/7->57 gwy=10.1.100.11/11.11.11.1
hook=pre dir=org act=noop 172.16.200.55:35254->10.1.100.11:80(0.0.0.0:0)
hook=post dir=reply act=noop 10.1.100.11:80->172.16.200.55:35254(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=4 serial=00002d29 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
per_ip_bandwidth meter: addr=172.16.200.55, bps=260 npu_state=00000000
npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=1/3, ipid=3/1, vlan=32779/0
Example IPv6 NP6 session
diagnose sys session6 list
session6 info: proto=6 proto_state=01 duration=2 expire=3597 timeout=3600 flags=00000000 sockport=0 sockflag=0 use=3
origin-shaper= reply-shaper= per_ip_shaper= ha_id=0
policy_dir=0 tunnel=/
state=may_dirty npu
statistic(bytes/packets/allow_err): org=152/2/0 reply=152/2/0 tuples=2 speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=13->14/14->13
hook=pre dir=org act=noop 2000:172:16:200::55:59145 ->2000:10:1:100::11:80(:::0)
hook=post dir=reply act=noop 2000:10:1:100::11:80 ->2000:172:16:200::55:59145 (:::0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=0000027a npu_state=0x000c00
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=137/136, ipid=136/137, vlan=0/0
Example NAT46 NP6 session
diagnose sys session list
session info: proto=6 proto_state=01 duration=19 expire=3580 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper= reply-shaper= per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=npu nlb
statistic(bytes/packets/allow_err): org=112/2/1 reply=112/2/1 tuples=2 speed(Bps/kbps): 0/0
orgin->sink: org nataf->post, reply pre->org dev=52->14/14->52 gwy=0.0.0.0/10.1.100.1
hook=5 dir=org act=noop 10.1.100.1:21937->10.1.100.11:80(0.0.0.0:0)
hook=6 dir=reply act=noop 10.1.100.11:80->10.1.100.1:21937(0.0.0.0:0)
hook=pre dir=org act=noop 2000:172:16:200::55:33945 ->64:ff9b::a01:640b:80(:::0)
hook=post dir=reply act=noop 64:ff9b::a01:640b:80 ->2000:172:16:200::55:33945 (:::0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=04051aae tos=ff/ff ips_view=0 app_list=0 app=0 dd_type=0 dd_mode=0
npu_state=00000000
npu info: flag=0x81/0x00, offload=0/8, ips_offload=0/0, epid=0/136, ipid=0/137, vlan=0/0
Example NAT64 NP6 session
diagnose sys session6 list
session6 info: proto=6 proto_state=01 duration=36 expire=3563 timeout=3600 flags=00000000 sockport=0 sockflag=0 use=3
origin-shaper= reply-shaper= per_ip_shaper= ha_id=0
policy_dir=0 tunnel=/
state=may_dirty npu nlb
statistic(bytes/packets/allow_err): org=72/1/0 reply=152/2/0 tuples=2 speed(Bps/kbps): 0/0
orgin->sink: org pre->org, reply nataf->post dev=13->14/14->13
hook=pre dir=org act=noop 2000:172:16:200::55:33945 ->64:ff9b::a01:640b:80(:::0)
hook=post dir=reply act=noop 64:ff9b::a01:640b:80 ->2000:172:16:200::55:33945 (:::0)
hook=5 dir=org act=noop 10.1.100.1:21937->10.1.100.11:80(0.0.0.0:0)
hook=6 dir=reply act=noop 10.1.100.11:80->10.1.100.1:21937(0.0.0.0:0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=0000027b npu_state=00000000
npu info: flag=0x00/0x81, offload=8/0, ips_offload=0/0, epid=137/0, ipid=136/0, vlan=0/0
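The offload= and flag= tables above, together with the no_ofld_reason line, are what you read on every session when checking whether the NP6 is actually carrying the traffic. As an added example (not code from the page or from Fortinet), the following decodes those two fields per direction, using the processor and flag values documented above, and reports which sessions are offloaded and why the others are not. The sample input is constructed: it is an abridged copy of the offloaded, local-in and IPsec sessions shown above, keeping only the lines the decoder reads. It also handles the NAT46/NAT64 case where one direction has offload=0 and a flag outside the documented table.

```python
"""Decode the 'npu info' and 'no_ofld_reason' lines of
'diagnose sys session list' / 'diagnose sys session6 list' output.
Added example, not a Fortinet tool; processor and flag meanings are the
ones documented on this page, the line layout is assumed from its samples."""
import re
from collections import Counter

OFFLOAD_PROCESSOR = {1: "NP1(FA1)", 2: "NP1(FA2)", 3: "NP2", 4: "NP4",
                     5: "XLR", 6: "NPlite/NP4lite", 7: "XLP", 8: "NP6"}
TRAFFIC_FLAG = {0x81: "regular", 0x82: "IPsec"}

# Constructed sample: abridged from the session examples on this page.
SAMPLE_SESSIONS = """\
session info: proto=6 proto_state=01 duration=4599 expire=2753 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=log may_dirty npu none log-start
hook=post dir=org act=snat 5.5.5.33:60656->91.190.218.66:12350 (172.20.121.135:60656)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=00058b9c tos=ff/ff app_list=0 app=0 url_cat=0
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=140/138, ipid=138/140, vlan=0x0000/0x0000
session info: proto=6 proto_state=01 duration=19 expire=3597 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=8/8 state=local may_dirty
hook=pre dir=org act=noop 5.5.5.33:60567->5.5.5.5:443(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0 serial=000645d8 tos=ff/ff app_list=0 app=0 url_cat=0 dd_type=0 dd_mode=0
npu_state=00000000
no_ofld_reason: local
session info: proto=6 proto_state=01 duration=34 expire=3565 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
ha_id=0 policy_dir=0 tunnel=/p1-vdom2 state=re may_dirty npu
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=4 serial=00002d29 tos=ff/ff ips_view=0 app_list=0 app=0
npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=1/3, ipid=3/1, vlan=32779/0
"""


def describe(flag, offload):
    """Human-readable meaning of one direction's flag/offload pair."""
    if offload == 0:
        return "not offloaded"
    processor = OFFLOAD_PROCESSOR.get(offload, f"unknown({offload})")
    traffic = TRAFFIC_FLAG.get(flag, f"flag 0x{flag:02x}")
    return f"{processor} {traffic}"


def decode_npu_info(line):
    """'npu info: flag=0x81/0x82, offload=8/8, ...' -> per-direction text."""
    fields = dict(re.findall(r"(\w+)=([^,\s]+)", line.split(":", 1)[1]))
    flags = [int(v, 16) for v in fields["flag"].split("/")]
    offloads = [int(v) for v in fields["offload"].split("/")]
    return {"orig": describe(flags[0], offloads[0]),
            "reply": describe(flags[1], offloads[1])}


def parse_session_list(text):
    """Split the listing into sessions and keep serial, state tokens,
    decoded npu info (if present) and no_ofld_reason (if present)."""
    sessions = []
    for line in text.splitlines():
        if line.startswith(("session info:", "session6 info:")):
            sessions.append({"serial": None, "state": [], "npu": None,
                             "no_ofld_reason": None})
            continue
        if not sessions:
            continue
        cur = sessions[-1]
        m = re.search(r"\bserial=([0-9a-fA-F]+)", line)
        if m:
            cur["serial"] = m.group(1)
        m = re.search(r"\bstate=(.*)", line)  # \b keeps npu_state= out
        if m:
            cur["state"] = m.group(1).split()
        if line.startswith("npu info:"):
            cur["npu"] = decode_npu_info(line)
        elif line.startswith("no_ofld_reason:"):
            cur["no_ofld_reason"] = line.split(":", 1)[1].strip()
    return sessions


def offload_report(sessions):
    """Serials offloaded in both directions, and a tally of the reasons
    the NP6 gave for the sessions it did not take."""
    reasons = Counter(s["no_ofld_reason"] for s in sessions if s["no_ofld_reason"])
    offloaded = [s["serial"] for s in sessions
                 if s["npu"] and "not offloaded" not in s["npu"].values()]
    return {"offloaded": offloaded, "not_offloaded_by_reason": dict(reasons)}


if __name__ == "__main__":
    for s in parse_session_list(SAMPLE_SESSIONS):
        print(s["serial"], s["npu"] or s["no_ofld_reason"])
    print(offload_report(parse_session_list(SAMPLE_SESSIONS)))
```

The reason tally is the useful output operationally: a large share of sessions stuck on the CPU with the same no_ofld_reason usually points at one policy or feature (local-in, a UTM profile, an unsupported interface type) rather than at the hardware.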
Using diagnose npu np6 npu-feature to verify enabled NP6 features
You can use the diagnose npu np6 npu-feature command to see which NP6 features are enabled and which are not. The following command output shows the normal default NP6 configuration for most FortiGates. In this output all features are enabled except the low-latency features and GRE offloading. Low latency is only available on the FortiGate-3700D and DX models, and GRE offloading will become available in a future FortiOS release. The following output is from a FortiGate-1500D.
diagnose npu np6 npu-feature
                  np_0      np_1
----------------- --------- ---------
Fastpath          Enabled   Enabled
Low-latency-mode  Disabled  Disabled
Low-latency-cap   No        No
IPv4 firewall     Yes       Yes
IPv6 firewall     Yes       Yes
IPv4 IPSec        Yes       Yes
IPv6 IPSec        Yes       Yes
IPv4 tunnel       Yes       Yes
IPv6 tunnel       Yes       Yes
GRE tunnel        No        No
IPv4 Multicast    Yes       Yes
IPv6 Multicast    Yes       Yes
CAPWAP            Yes       Yes
If you use the following command to disable fastpath for np_0:
config system np6
    edit np6_0
        set fastpath disable
    end
The npu-feature command output shows this configuration change:
diagnose npu np6 npu-feature
                  np_0      np_1
----------------- --------- ---------
Fastpath          Disabled  Enabled
Low-latency-mode  Disabled  Disabled
Low-latency-cap   No        No
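Because a single set fastpath disable silently moves all of that NP6's traffic back onto the CPU, the npu-feature table is worth capturing as a baseline and diffing on a schedule. The following is an added example (not code from the page or from Fortinet) that parses the table into a feature/NP matrix, lists the features each NP6 reports as Disabled or No, and reports any cell that differs from a baseline capture. Both samples are constructed to match the two tables above; the column layout and the Enabled/Disabled and Yes/No vocabulary are assumed from this page.

```python
"""Parse 'diagnose npu np6 npu-feature' output and detect drift from a
baseline capture. Added example, not a Fortinet tool; the table layout is
assumed from the two samples on this page."""
import re

# Constructed: the default FortiGate-1500D table shown on this page.
DEFAULT_OUTPUT = """\
                  np_0      np_1
----------------- --------- ---------
Fastpath          Enabled   Enabled
Low-latency-mode  Disabled  Disabled
Low-latency-cap   No        No
IPv4 firewall     Yes       Yes
IPv6 firewall     Yes       Yes
IPv4 IPSec        Yes       Yes
IPv6 IPSec        Yes       Yes
IPv4 tunnel       Yes       Yes
IPv6 tunnel       Yes       Yes
GRE tunnel        No        No
IPv4 Multicast    Yes       Yes
IPv6 Multicast    Yes       Yes
CAPWAP            Yes       Yes
"""

# Constructed: the same table after 'set fastpath disable' on np6_0.
FASTPATH_OFF_OUTPUT = DEFAULT_OUTPUT.replace(
    "Fastpath          Enabled   Enabled",
    "Fastpath          Disabled  Enabled")

OFF_VALUES = {"Disabled", "No"}


def parse_npu_feature(text):
    """Return {feature: {np_name: value}} from the column-aligned table.
    The first non-separator line names the NP6 columns (np_0, np_1, ...)."""
    table, nps = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("-"):
            continue  # blank or dashed separator line
        cells = re.split(r"\s{2,}", line.strip())
        if nps is None:
            nps = cells
            continue
        table[cells[0]] = dict(zip(nps, cells[1:]))
    return table


def disabled_features(table):
    """Per NP6, the sorted list of features reported Disabled or No."""
    nps = next(iter(table.values())).keys()
    return {np: sorted(f for f, v in table.items() if v[np] in OFF_VALUES)
            for np in nps}


def feature_drift(baseline, current):
    """(feature, np, expected, actual) for every cell that changed since
    the baseline capture; a feature missing from current shows as None."""
    diffs = []
    for feature, values in baseline.items():
        for np, expected in values.items():
            actual = current.get(feature, {}).get(np)
            if actual != expected:
                diffs.append((feature, np, expected, actual))
    return diffs


if __name__ == "__main__":
    baseline = parse_npu_feature(DEFAULT_OUTPUT)
    print("off by default:", disabled_features(baseline))
    print("drift:", feature_drift(baseline, parse_npu_feature(FASTPATH_OFF_OUTPUT)))
```

On a real box the baseline should come from the same model and firmware, since the expected Low-latency and GRE rows differ between platforms as the text above notes.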