FortiGate
nathan_h
Staff
Article Id 361664
Description

 

This article shows that performing VRF route leaking over an NPU VDOM link (NP vlink) rather than a standard, non-NPU VDOM link reduces CPU usage, because sessions crossing an NPU VDOM link can be offloaded to the network processor instead of being forwarded by the CPU.

 

Scope

 

FortiGate.

 

Solution

 

  1. NON-NP VDOM Link.

 

Network Topology:

FortiTester (sender) -> [User VLAN] VRF 11 - FortiGate 101F [NON-VRF11-0] -> [NON-VRF11-1] VRF 1 - FortiGate 101F [INTERNET] -> FortiTester (receiver)

 

Firewall Policy:

 

[Screenshot of the firewall policy allowing traffic between the two VRFs; image not reproduced here]

 

Generated Enterprise Mixed Traffic:

 

[Screenshot of the FortiTester enterprise mixed traffic profile; image not reproduced here]

get sys performance status
CPU states: 31% user 12% system 0% nice 31% idle 0% iowait 0% irq 26% softirq
CPU0 states: 34% user 16% system 0% nice 25% idle 0% iowait 0% irq 25% softirq
CPU1 states: 8% user 2% system 0% nice 66% idle 0% iowait 0% irq 24% softirq
CPU2 states: 27% user 12% system 0% nice 28% idle 0% iowait 0% irq 33% softirq
CPU3 states: 33% user 15% system 0% nice 26% idle 0% iowait 0% irq 26% softirq
CPU4 states: 37% user 14% system 0% nice 24% idle 0% iowait 0% irq 25% softirq
CPU5 states: 35% user 12% system 0% nice 26% idle 0% iowait 0% irq 27% softirq
CPU6 states: 35% user 14% system 0% nice 25% idle 0% iowait 0% irq 26% softirq
CPU7 states: 38% user 11% system 0% nice 25% idle 0% iowait 0% irq 26% softirq
Memory: 3701336k total, 1742416k used (47.1%), 1519624k free (41.1%), 439296k freeable (11.8%)
Average network usage: 653521 / 654282 kbps in 1 minute, 98362 / 98484 kbps in 10 minutes, 96965 / 97087 kbps in 30 minutes
Maximal network usage: 732769 / 733595 kbps in 1 minute, 732769 / 733595 kbps in 10 minutes, 746510 / 747358 kbps in 30 minutes
Average sessions: 3707 sessions in 1 minute, 1190 sessions in 10 minutes, 991 sessions in 30 minutes
Maximal sessions: 4591 sessions in 1 minute, 4592 sessions in 10 minutes, 5820 sessions in 30 minutes
Average session setup rate: 1911 sessions per second in last 1 minute, 293 sessions per second in last 10 minutes, 297 sessions per second in last 30 minutes
Maximal session setup rate: 2143 sessions per second in last 1 minute, 2148 sessions per second in last 10 minutes, 2179 sessions per second in last 30 minutes
Average NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Maximal NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Average nTurbo sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Maximal nTurbo sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
....


diag sys top 1 30 1
Run Time: 3 days, 5 hours and 9 minutes
29U, 0N, 11S, 35I, 0WA, 0HI, 25SI, 0ST; 3614T, 1481F
ipsengine 403 R < 66.0 1.3 6
ipsengine 404 S < 65.0 1.3 7
ipsengine 400 R < 64.5 1.3 3
ipsengine 401 R < 64.5 1.3 4
ipsengine 399 R < 62.0 1.3 2
ipsengine 402 R < 60.0 1.3 5
ipsengine 398 S < 54.6 1.4 0
....

 

  2. NP VDOM Link.

 

Network Topology:

FortiTester (sender) -> [User VLAN] VRF 11 - FortiGate 101F [NPUVLAN0] -> [NPUVLAN1] VRF 1 - FortiGate 101F [INTERNET] -> FortiTester (receiver)

 

[Screenshot of the firewall policy using the NPU VDOM link VLAN interfaces; image not reproduced here]

 

(root) # sudo global get sys performance status
CPU states: 24% user 5% system 0% nice 63% idle 0% iowait 0% irq 8% softirq
CPU0 states: 23% user 8% system 0% nice 66% idle 0% iowait 0% irq 3% softirq
CPU1 states: 7% user 0% system 0% nice 62% idle 0% iowait 0% irq 31% softirq
CPU2 states: 26% user 6% system 0% nice 62% idle 0% iowait 0% irq 6% softirq
CPU3 states: 25% user 7% system 0% nice 65% idle 0% iowait 0% irq 3% softirq
CPU4 states: 29% user 5% system 0% nice 63% idle 0% iowait 0% irq 3% softirq
CPU5 states: 27% user 6% system 0% nice 63% idle 0% iowait 0% irq 4% softirq
CPU6 states: 28% user 5% system 0% nice 62% idle 0% iowait 0% irq 5% softirq
CPU7 states: 25% user 6% system 0% nice 64% idle 0% iowait 0% irq 5% softirq
Memory: 3701336k total, 1742640k used (47.1%), 1520552k free (41.1%), 438144k freeable (11.8%)
Average network usage: 591837 / 592563 kbps in 1 minute, 204458 / 204714 kbps in 10 minutes, 154765 / 154955 kbps in 30 minutes
Maximal network usage: 653126 / 653862 kbps in 1 minute, 683497 / 684307 kbps in 10 minutes, 746510 / 747358 kbps in 30 minutes
Average sessions: 5424 sessions in 1 minute, 2624 sessions in 10 minutes, 1988 sessions in 30 minutes
Maximal sessions: 6393 sessions in 1 minute, 7544 sessions in 10 minutes, 7544 sessions in 30 minutes
Average session setup rate: 1737 sessions per second in last 1 minute, 643 sessions per second in last 10 minutes, 471 sessions per second in last 30 minutes
Maximal session setup rate: 2033 sessions per second in last 1 minute, 2189 sessions per second in last 10 minutes, 2189 sessions per second in last 30 minutes
Average NPU sessions: 3142 sessions in last 1 minute, 1313 sessions in last 10 minutes, 437 sessions in last 30 minutes
Maximal NPU sessions: 4064 sessions in last 1 minute, 4064 sessions in last 10 minutes, 4064 sessions in last 30 minutes
Average nTurbo sessions: 1635 sessions in last 1 minute, 669 sessions in last 10 minutes, 223 sessions in last 30 minutes
Maximal nTurbo sessions: 2094 sessions in last 1 minute, 2094 sessions in last 10 minutes, 2094 sessions in last 30 minutes
....

 

(root) # diag sys top 1 30 1
Run Time: 3 days, 5 hours and 25 minutes
25U, 0N, 6S, 61I, 0WA, 0HI, 8SI, 0ST; 3614T, 1485F
ipsengine 398 R < 40.8 1.4 0
ipsengine 399 S < 36.9 1.3 2
ipsengine 402 S < 36.9 1.3 5
ipsengine 403 R < 35.4 1.3 6
ipsengine 401 R < 33.9 1.3 4
ipsengine 404 R < 30.5 1.3 7
ipsengine 400 S < 29.0 1.3 3
....

 

CPU utilization improves in the second test: overall idle rises from 31% to 63%, softirq load falls from 26% to 8%, and each ipsengine process drops from roughly 55-66% CPU to 29-41%. The NPU and nTurbo session counters, which stayed at zero with the non-NPU VDOM link, now show several thousand offloaded sessions. This is because NPU VDOM link interfaces support traffic offloading, so inter-VRF traffic no longer has to be forwarded entirely by the CPU.
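The comparison above can be turned into a repeatable check: if a FortiGate is forwarding inter-VRF traffic under load but reports zero NPU and nTurbo sessions, the traffic is taking the CPU path and an NPU VDOM link is worth considering. The following script is an added example, not part of the Fortinet article, that parses the aggregate lines of the two `get sys performance status` outputs shown above (copied inline as constructed sample input) and reports CPU busy percentage, softirq share, and whether offload is active. The function and field names are this example's own.

```python
"""Added example: parse 'get sys performance status' output and quantify
CPU load versus NPU offload. Not part of the original article."""
import re
from dataclasses import dataclass

# Constructed sample input: the aggregate CPU, session, NPU and nTurbo lines
# from the article's two test runs (per-core and other lines omitted).
NON_NP_OUTPUT = """\
CPU states: 31% user 12% system 0% nice 31% idle 0% iowait 0% irq 26% softirq
Average sessions: 3707 sessions in 1 minute, 1190 sessions in 10 minutes, 991 sessions in 30 minutes
Average NPU sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
Average nTurbo sessions: 0 sessions in last 1 minute, 0 sessions in last 10 minutes, 0 sessions in last 30 minutes
"""

NP_OUTPUT = """\
CPU states: 24% user 5% system 0% nice 63% idle 0% iowait 0% irq 8% softirq
Average sessions: 5424 sessions in 1 minute, 2624 sessions in 10 minutes, 1988 sessions in 30 minutes
Average NPU sessions: 3142 sessions in last 1 minute, 1313 sessions in last 10 minutes, 437 sessions in last 30 minutes
Average nTurbo sessions: 1635 sessions in last 1 minute, 669 sessions in last 10 minutes, 223 sessions in last 30 minutes
"""

# "CPU states:" is the aggregate line; per-core lines read "CPU0 states:" etc.
CPU_RE = re.compile(r"^CPU states:((?:\s+\d+% \w+)+)")
# Matches the 1-minute figure of "Average sessions", "Average NPU sessions"
# and "Average nTurbo sessions" (but not "Average session setup rate").
SESS_RE = re.compile(r"^Average (NPU |nTurbo )?sessions:\s+(\d+) sessions in (?:last )?1 minute")


@dataclass
class PerfSnapshot:
    cpu: dict             # state name -> percent, e.g. {"user": 31, "idle": 31, ...}
    sessions: int         # average sessions in the last minute
    npu_sessions: int     # average NPU-offloaded sessions in the last minute
    nturbo_sessions: int  # average nTurbo sessions in the last minute

    @property
    def busy_pct(self) -> int:
        """CPU time not spent idle, as a percentage."""
        return 100 - self.cpu["idle"]

    @property
    def offload_ratio(self) -> float:
        """Fraction of sessions the NP is handling."""
        return self.npu_sessions / self.sessions if self.sessions else 0.0


def parse_perf_status(text: str) -> PerfSnapshot:
    """Extract the aggregate CPU states and 1-minute session counters."""
    cpu = {}
    sessions = npu = nturbo = 0
    for line in text.splitlines():
        m = CPU_RE.match(line)
        if m:
            for pct, name in re.findall(r"(\d+)% (\w+)", m.group(1)):
                cpu[name] = int(pct)
            continue
        m = SESS_RE.match(line)
        if m:
            kind, count = m.group(1), int(m.group(2))
            if kind is None:
                sessions = count
            elif kind.startswith("NPU"):
                npu = count
            else:
                nturbo = count
    return PerfSnapshot(cpu, sessions, npu, nturbo)


def offload_active(snap: PerfSnapshot) -> bool:
    """True if the NP is handling sessions. Zero NPU and nTurbo sessions under
    load means every packet is taking the CPU path, as in the non-NPU link test."""
    return snap.npu_sessions > 0 or snap.nturbo_sessions > 0


def compare(before: PerfSnapshot, after: PerfSnapshot) -> dict:
    """Deltas between two snapshots (negative busy/softirq delta = improvement)."""
    return {
        "busy_delta": after.busy_pct - before.busy_pct,
        "softirq_delta": after.cpu["softirq"] - before.cpu["softirq"],
        "npu_sessions_delta": after.npu_sessions - before.npu_sessions,
        "offload_ratio_after": round(after.offload_ratio, 2),
    }


if __name__ == "__main__":
    a = parse_perf_status(NON_NP_OUTPUT)
    b = parse_perf_status(NP_OUTPUT)
    for label, s in (("non-NPU link", a), ("NPU link", b)):
        print(f"{label:13s} busy {s.busy_pct}%  softirq {s.cpu['softirq']}%  "
              f"NPU sessions {s.npu_sessions}  offload active: {offload_active(s)}")
    print(compare(a, b))
```

Run against saved CLI output (for example, text captured over SSH during a load test), the script flags the non-NPU link run as having no offload at all, and reports a 32-point drop in busy CPU and an 18-point drop in softirq once the NPU VDOM link is in use. A high softirq share together with zero NPU sessions is the signature to look for when a device is unexpectedly CPU-bound.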

 

Related documents:

Difference and understanding between NPU Vdom link, NPU Vdom link with VLAN and Vdom link 

Route leaking between multiple VRFs