FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dingjerry_FTNT
Article Id 195621

Description

On FortiGate models which use NP6 network processors, the packet and byte counts in traffic logs for offloaded traffic are inaccurate when using the default settings.

The following are two example logs:

*** When offloading (default in firewall)
4: date=2014-08-14 time=11:36:10 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=172.16.200.55 srcport=50072 srcintf="amc-sw2/1" dstip=10.1.100.111 dstport=80 dstintf="amc-sw2/2" sessionid=362 action=close policyid=1 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="HTTP" proto=6 duration=4 sentbyte=164 rcvdbyte=1385 sentpkt=3 rcvdpkt=2

*** When offloading is disabled
1: date=2014-08-14 time=11:52:58 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=172.16.200.55 srcport=44068 srcintf="amc-sw2/1" dstip=10.1.100.111 dstport=80 dstintf="amc-sw2/2" sessionid=544 action=close policyid=1 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="HTTP" proto=6 duration=4 sentbyte=731882 rcvdbyte=37795489 sentpkt=13414 rcvdpkt=25200


Scope

FortiGate model with NP6 running V5.0 or V5.2.


Solution

For NP6 offloading, enabling per-session-accounting will ensure accurate traffic log counters:

config global
config system np6
edit np6_0
set per-session-accounting enable
next
edit np6_1
set per-session-accounting enable
end

The CLI command "diagnose npu np6 port-list" can be used to determine which ports are associated with "np6_0" and "np6_1".

With the "per-session-accounting" enabled, accurate counts will be obtained in the traffic log when NP6 offloading is enabled.

Warning: Please be aware that enabling per-session-accounting has a significant performance impact and for this reason is disabled by default.

 

Related Articles

Technical Tip: Information about traffic log counters for NP2 or NP4 offloaded sessions

NPU diagnostics and configuration (NP4, NP6)

Contributors