lizhiheng
Explorer
May 28, 2025
Solved

How are the two processors (CP and NP) divided in IPsec encryption and decryption?


Both the FortiGate firewall content processor (CP) and the network processor (NP) have IPsec encryption and decryption functions, and there is overlap in their functions. How are the two processors divided in IPsec encryption and decryption?


2 replies

kaman
Staff
May 30, 2025

Hi lizhiheng,

When an IPsec SA is offloaded to a Network Processing Unit (NPU), Content Processors (CPs) do not handle IPsec encryption and decryption. Instead, the NPU handles all eligible IPsec data encryption and decryption.

When NPU offload is disabled or not available for an IPsec SA, the IPsec data packet is handled by the CPU but encryption and decryption are offloaded to the CP by default.


NOTE: Offloading IPsec processing to Network Processors (NP) removes the (en/de)‑cryption workload from the CPU, allowing:


  • Much higher throughput (10–40 Gbit/s per tunnel depending on model).
  • Lower latency (~30–50 µs compared to software path).
  • Free CPU cycles for UTM/NGFW inspection and control‑plane tasks.


Please refer to the documents below for more information:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Ensuring-IPsec-traffic-is-offloaded-for-improved/ta-p/193493

https://community.fortinet.com/t5/FortiGate/Technical-Tip-After-upgrade-to-v7-0-14-and-later-some-FortiGate/ta-p/376746

If you have found a solution, please like and accept it to make it easily accessible to others.

Regards,
Aman
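
The following is an added example, not part of the thread or Fortinet's own code: a small parser that reports, per tunnel SA, whether encryption and decryption run on the NP or fall back to the CPU path with CP crypto described in the reply above. It assumes the `npu_flag` field that `diagnose vpn tunnel list` prints for each SA, read as bit 0x01 = egress offloaded, 0x02 = ingress offloaded, 0x20 = cipher/HMAC not supported by the NP; the sample output is constructed and abbreviated.

```python
import re

# Constructed, abbreviated sample of `diagnose vpn tunnel list` output.
SAMPLE = """\
name=branch-a ver=2 serial=1 192.0.2.1:0->198.51.100.7:0
  dec: spi=0a0b0c01 esp=aes key=32
  enc: spi=0a0b0c02 esp=aes key=32
  npu_flag=03 npu_rgwy=198.51.100.7 npu_lgwy=192.0.2.1
name=branch-b ver=2 serial=2 192.0.2.1:0->203.0.113.9:0
  dec: spi=0a0b0c03 esp=aes key=32
  npu_flag=00 npu_rgwy=203.0.113.9 npu_lgwy=192.0.2.1
name=branch-c ver=2 serial=3 192.0.2.1:0->203.0.113.20:0
  dec: spi=0a0b0c05 esp=chacha20poly1305 key=36
  npu_flag=20 npu_rgwy=203.0.113.20 npu_lgwy=192.0.2.1
"""

NAME_RE = re.compile(r"^name=(\S+)")
FLAG_RE = re.compile(r"\bnpu_flag=([0-9a-fA-F]{2})\b")

def crypto_path(flag):
    """Map one SA's npu_flag to the processor doing the crypto per direction.

    "CP" means the packet stays on the CPU and crypto goes to the CP,
    which the thread describes as the default when NP offload is absent.
    """
    return {
        "egress": "NP" if flag & 0x01 else "CP",
        "ingress": "NP" if flag & 0x02 else "CP",
        "np_unsupported": bool(flag & 0x20),
    }

def offload_report(text):
    """Return {tunnel_name: [crypto_path per SA, in order of appearance]}."""
    report, tunnel = {}, None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            tunnel = m.group(1)
            report[tunnel] = []   # stays empty if the tunnel has no SA up
            continue
        m = FLAG_RE.search(line)
        if m and tunnel is not None:
            report[tunnel].append(crypto_path(int(m.group(1), 16)))
    return report

if __name__ == "__main__":
    for name, sas in offload_report(SAMPLE).items():
        print(name, sas or "no SA established")
```

A tunnel that reports the CP path in one direction only is worth a closer look, since traffic in that direction is consuming CPU cycles that the other direction is not.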

xshkurti
Staff
Answer
May 30, 2025

Both CP and NP share the same IPsec engine for packet processing and encryption/decryption. The NP processors are specifically designed for IPsec acceleration, allowing for higher encryption/decryption speeds. This does not mean that NP handles some particular encryptions and CP the other direction (decryption).

To summarize, the NP handles most of IPsec encryption and decryption, while the CP focuses on other security features and can step in to handle IPsec processing when necessary.

The only difference is that CP supports Suite-B encryption, which is a specific set of encryption algorithms. CP also takes over if traffic cannot be offloaded to NP.