FortiGate
echia
Staff
Article Id 193493

Description

This article describes how to ensure that IPsec traffic is offloaded for improved throughput.

Many FortiGate platforms include a specially designed hardware component called an ASIC which is responsible for processing certain types of traffic. One of these ASICs is called the Network Processor, or NP.

On platforms that include an NP, IPsec traffic can be offloaded to the NP to greatly reduce load on the CPU, as well as dramatically increase potential throughput on the IPsec tunnel. Traffic is offloaded separately for each direction of flow through the tunnel, meaning that there are four possible states for offloading.

This article includes three sections:

  1. Questions to answer (about offload capabilities).
  2. Configuration to check (to ensure offloading).
  3. Diagnostic commands to run (to confirm that offloading is occurring).

Scope

FortiGate.

Solution

1. Questions to answer.

  • Check whether the device has an NP (Network Processor) that can offload VPN traffic.
  • If the device does have an NP, determine which version it is.
  • Determine which encryption/decryption algorithms the NP supports for offloading.

For more information on hardware acceleration and hardware acceleration requirements, refer to the documentation.

Additionally, refer to the related article on hardware acceleration limitations when using certain interface types.

2. Configuration to check.

Ensure that NPU offloading is enabled in the IPsec phase1 configuration:

config vpn ipsec phase1-interface
    edit <phase1_name>
        set npu-offload enable
    next
end

Ensure that the firewall policies created for the VPN tunnels have auto-ASIC offloading enabled:

config firewall policy
    edit <policy_id>
        set auto-asic-offload enable
    next
end

3. Diagnostic commands to run.

The following CLI commands can be used to verify that IPsec VPN traffic is being offloaded to the NP:

diagnose vpn ipsec status

This command lists the IPsec crypto devices in use and the number of packets each one has encrypted and decrypted; offloaded traffic is counted under the NP device rather than under the software (CPU) entry.

diagnose vpn tunnel list

In the output, the npu_flag value shown for each tunnel indicates the offload state:

npu_flag=00 means that neither ingress nor egress ESP packets are offloaded.
npu_flag=01 means that only egress ESP packets are offloaded; ingress ESP packets are handled by the kernel.
npu_flag=02 means that only ingress ESP packets are offloaded; egress ESP packets are handled by the kernel.
npu_flag=03 means that both ingress and egress ESP packets are offloaded.

If facing performance issues, first verify that npu_flag=03.
If the flag is 00, 01, or 02, VPN traffic is NOT offloaded properly. Then verify that the NPU configuration from section 2 is correct.
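On a device with many tunnels it is easier to decode saved output of diagnose vpn tunnel list offline. The following Python is an added example, not part of the original article or of FortiOS; it assumes the record layout sketched in the constructed sample (each tunnel record opens with a name= line and carries an npu_flag=NN token on a later line) and decodes the flag as a two-bit field, bit 0 for egress and bit 1 for ingress, which reproduces the four states listed above.

```python
import re

# npu_flag is a two-bit field: bit 0 = egress ESP offloaded, bit 1 = ingress ESP
# offloaded, giving the four states 00, 01, 02 and 03 described in the article.
EGRESS_OFFLOAD = 0x01
INGRESS_OFFLOAD = 0x02

def describe_npu_flag(flag: int) -> str:
    """Translate an npu_flag value into the offload state it encodes."""
    egress = bool(flag & EGRESS_OFFLOAD)
    ingress = bool(flag & INGRESS_OFFLOAD)
    if egress and ingress:
        return "both ingress and egress ESP offloaded"
    if egress:
        return "egress offloaded only; ingress handled by kernel"
    if ingress:
        return "ingress offloaded only; egress handled by kernel"
    return "not offloaded in either direction"

def parse_tunnel_list(output: str) -> dict[str, int]:
    """Return {tunnel name: npu_flag} from saved 'diagnose vpn tunnel list' text.
    Assumed layout: each record opens with a 'name=' line and carries an
    'npu_flag=NN' token on one of its following lines."""
    flags, current = {}, None
    for line in output.splitlines():
        m = re.match(r"name=(\S+)", line.strip())
        if m:
            current = m.group(1)
            continue
        m = re.search(r"\bnpu_flag=(\d{2})\b", line)
        if m and current is not None:
            flags[current] = int(m.group(1))
    return flags

def tunnels_not_fully_offloaded(output: str) -> dict[str, str]:
    """Tunnels whose npu_flag is not 03, each with the decoded reason."""
    fully = EGRESS_OFFLOAD | INGRESS_OFFLOAD
    return {name: describe_npu_flag(f)
            for name, f in parse_tunnel_list(output).items() if f != fully}

# Constructed sample output (abridged; not captured from a real device).
SAMPLE_OUTPUT = """\
name=to_branch ver=2 serial=1 203.0.113.1:0->198.51.100.2:0 tun_id=198.51.100.2
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536
npu_flag=03 npu_rgwy=198.51.100.2 npu_lgwy=203.0.113.1 npu_selid=1
name=to_cloud ver=2 serial=2 203.0.113.1:0->192.0.2.9:0 tun_id=192.0.2.9
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536
npu_flag=01 npu_rgwy=192.0.2.9 npu_lgwy=203.0.113.1 npu_selid=2
"""
```

Running tunnels_not_fully_offloaded(SAMPLE_OUTPUT) reports only to_cloud, whose flag 01 means ingress ESP is still handled by the kernel.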

NOTE: If IPsec is being used in a public cloud environment (Azure, AWS), check the DoS policy and the anomaly log, as slow throughput can be caused by UDP 500/4500 drops. Change the threshold value or disable the anomaly or DoS policy to fix this.