Description
On FortiGate models which use NP6 network processors, the packet and byte counts in traffic logs for offloaded traffic are inaccurate when using the default settings.
The following are two example logs:
*** When offloading (default in firewall)
4: date=2014-08-14 time=11:36:10 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=172.16.200.55 srcport=50072 srcintf="amc-sw2/1" dstip=10.1.100.111 dstport=80 dstintf="amc-sw2/2" sessionid=362 action=close policyid=1 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="HTTP" proto=6 duration=4 sentbyte=164 rcvdbyte=1385 sentpkt=3 rcvdpkt=2
*** When offloading is disabled
1: date=2014-08-14 time=11:52:58 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=172.16.200.55 srcport=44068 srcintf="amc-sw2/1" dstip=10.1.100.111 dstport=80 dstintf="amc-sw2/2" sessionid=544 action=close policyid=1 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="HTTP" proto=6 duration=4 sentbyte=731882 rcvdbyte=37795489 sentpkt=13414 rcvdpkt=25200
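As an added illustration (not part of the original article), the following Python parses FortiGate key=value traffic logs such as the two records above and flags closed TCP sessions whose packet counts are too small to be complete, a quick sanity check before trusting byte counts from NP6-offloaded sessions (for example when sizing a data-transfer alert). The MIN_PACKETS_FULL_TCP threshold is a constructed heuristic, not a FortiOS setting.

```python
import re
from typing import Dict, List, Sequence

# Constructed input: the two example records from the article (the leading
# "N:" is the CLI's line counter, not part of the log record).
SAMPLE_LOGS = [
    '4: date=2014-08-14 time=11:36:10 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=172.16.200.55 srcport=50072 srcintf="amc-sw2/1" dstip=10.1.100.111 dstport=80 dstintf="amc-sw2/2" sessionid=362 action=close policyid=1 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="HTTP" proto=6 duration=4 sentbyte=164 rcvdbyte=1385 sentpkt=3 rcvdpkt=2',
    '1: date=2014-08-14 time=11:52:58 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=172.16.200.55 srcport=44068 srcintf="amc-sw2/1" dstip=10.1.100.111 dstport=80 dstintf="amc-sw2/2" sessionid=544 action=close policyid=1 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="HTTP" proto=6 duration=4 sentbyte=731882 rcvdbyte=37795489 sentpkt=13414 rcvdpkt=25200',
]

# key=value pairs; values are either double-quoted (may contain spaces/slashes) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
INT_FIELDS = {"sessionid", "policyid", "srcport", "dstport", "proto", "duration",
              "sentbyte", "rcvdbyte", "sentpkt", "rcvdpkt"}


def parse_traffic_log(line: str) -> Dict[str, object]:
    """Parse one FortiGate traffic log line into a dict; counters become ints, quotes are stripped."""
    line = re.sub(r"^\s*\d+:\s*", "", line)  # drop the CLI "N: " prefix if present
    rec: Dict[str, object] = {}
    for key, raw in KV_RE.findall(line):
        val = raw[1:-1] if raw.startswith('"') else raw
        rec[key] = int(val) if key in INT_FIELDS else val
    return rec


# Constructed heuristic: a fully accounted TCP session that carried payload needs
# handshake + teardown + data, so a *closed* TCP session logged with only a
# handful of packets (as in the offloaded example: 3 sent, 2 received) suggests
# the offloaded traffic was never counted.
MIN_PACKETS_FULL_TCP = 8


def has_suspect_counters(rec: Dict[str, object]) -> bool:
    """True when a closed TCP traffic record carries implausibly few packets."""
    if rec.get("type") != "traffic" or rec.get("proto") != 6 or rec.get("action") != "close":
        return False
    return int(rec.get("sentpkt", 0)) + int(rec.get("rcvdpkt", 0)) < MIN_PACKETS_FULL_TCP


def suspect_sessions(lines: Sequence[str]) -> List[int]:
    """Return the sessionids whose counters look like unaccounted offloaded traffic."""
    return [int(r["sessionid"]) for r in map(parse_traffic_log, lines) if has_suspect_counters(r)]


if __name__ == "__main__":
    print("sessions with suspect counters:", suspect_sessions(SAMPLE_LOGS))
```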
Scope
FortiGate models with NP6 network processors running v5.0 or v5.2.
Solution
For NP6 offloading, enabling per-session-accounting on each NP6 processor ensures accurate traffic log counters (the "config global" step applies when VDOMs are enabled; otherwise start at "config system np6"):
config global
    config system np6
        edit np6_0
            set per-session-accounting enable
        next
        edit np6_1
            set per-session-accounting enable
        next
    end
end
The CLI command "diagnose npu np6 port-list" can be used to determine which ports are associated with "np6_0" and "np6_1".
With per-session-accounting enabled, the traffic log reports accurate counts even when NP6 offloading is in effect.
Warning: Please be aware that enabling per-session-accounting has a significant performance impact, which is why it is disabled by default.
Related Articles
Technical Tip: Information about traffic log counters for NP2 or NP4 offloaded sessions
NPU diagnostics and configuration (NP4, NP6)