Description
This article describes how to disable offloading sessions to the NPU (hardware acceleration) on FortiGate models that support hardware acceleration, including how to disable ASIC offload in NGFW mode. With offloading disabled, the primary CPU of the FortiGate handles the traffic. This method is used for troubleshooting purposes.
Scope
FortiGate with NP processors.
Solution
Some FortiGate models support hardware acceleration, which is provided by a dedicated processing unit known as an NPU.
There are different NPU types depending on the model: NP4, NP6, NP6XLite, NP6Lite, and NP7.
How to disable hardware acceleration depends on the NP processor type.
NP7.
For models with NP7 processors, it is only possible to disable hardware acceleration per individual firewall policy.
NP6 and others.
In NGFW mode, two policies are available:
- Security Policy (NGFW mode: policy-based).
- SSL inspection and Authentication (NGFW mode: profile-based).
Security policies do not allow disabling the session offloading to NPU (hardware acceleration).

It is however possible to disable it globally:
config ips global
set np-accel-mode none
end
Note:
This command may impact existing traffic. When offloading is disabled globally, all traffic is handled by the CPU. Monitor the CPU usage to make sure it does not become high. More information: Technical Tip: Nturbo functions within FortiOS
To disable np-acceleration (nTurbo) on a policy level:
config firewall policy
edit 1
set np-acceleration disable
next
end
Note:
The option to disable np-acceleration is only available when FortiOS is in profile-based NGFW mode. For the differences between profile-based and policy-based modes, the following article provides detailed information: Technical Tip: Profile-based policies vs Policy-based policies.
When trying to capture packets in the WebGUI, the user might get the below message. Use the 'auto-asic-offload' command below to disable offloading for the respective firewall policy.

'SSL inspection and Authentication' policy (firewall policy) allows the user to disable offloading:
config firewall policy
edit 1
set auto-asic-offload disable
end
Note:
The np-acceleration setting is explicitly disabled when auto-asic-offload is disabled.
There is no need to disable it additionally (where this command is available: set np-acceleration disable); no type of offloading takes place with auto-asic-offload set to disable.
It is also possible to disable hardware acceleration for individual IPsec VPN tunnels:
config vpn ipsec phase1-interface
edit phase-1-name
set npu-offload disable
end
For models with NP6 processors, it is possible to disable offloading for all traffic:
config system npu
set fastpath disable
end
For models with an NP6XLite processor, it is also possible to disable offloading for all traffic:
config system np6xlite
edit np6xlite_0
set fastpath disable
end
Fastpath is enabled by default.
This command disables offloading for individual NP6XLite processors, in the example, np6xlite_0.
Alternatively, for NP6 and related processors, it is possible to use the following diagnose command to temporarily disable NP6 hardware acceleration. With this method, hardware acceleration is enabled again when the FortiGate is rebooted.
diagnose npu <processor-name> fastpath disable <id>
'processor-name' can be np6, np6xlite, or np6lite.
'id' specifies the ID of the NP6, NP6XLite, or NP6Lite processor, as multiple processors can be available.
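Because these settings are intended for troubleshooting, it is useful to check a configuration backup for any that were left in place afterwards. The following Python script is an added example, not Fortinet code: it assumes a plain-text backup using the config/edit/next/end layout shown above, and the function name and sample configuration are constructed for illustration.

```python
# Settings from this article that disable NPU offloading: (section, option, value).
OFFLOAD_SETTINGS = {
    ("ips global", "np-accel-mode", "none"),
    ("firewall policy", "np-acceleration", "disable"),
    ("firewall policy", "auto-asic-offload", "disable"),
    ("vpn ipsec phase1-interface", "npu-offload", "disable"),
    ("system npu", "fastpath", "disable"),
    ("system np6xlite", "fastpath", "disable"),
}

# Constructed sample backup for illustration; not taken from a real device.
SAMPLE_CONFIG = """\
config ips global
    set np-accel-mode none
end
config firewall policy
    edit 1
        set name "to-dmz"
        set auto-asic-offload disable
    next
end
config vpn ipsec phase1-interface
    edit "branch-vpn"
        set npu-offload disable
    next
end
"""

def find_disabled_offload(config_text):
    """Return (section, entry, option, value) for each offload-disabling line.
    Assumes the config/edit/next/end nesting of a FortiOS text backup."""
    findings, stack = [], []  # stack holds [section, current edit entry]
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or (words[0] != "config" and not stack):
            continue
        if words[0] == "config":
            stack.append([" ".join(words[1:]), None])
        elif words[0] == "end":
            stack.pop()
        elif words[0] == "edit" and len(words) > 1:
            stack[-1][1] = " ".join(words[1:]).strip('"')
        elif words[0] == "next":
            stack[-1][1] = None
        elif words[0] == "set" and len(words) >= 3:
            section, entry = stack[-1]
            if (section, words[1], words[2]) in OFFLOAD_SETTINGS:
                findings.append((section, entry, words[1], words[2]))
    return findings
```

Offloading disabled with the temporary diagnose command is not stored in the configuration, so it does not appear in a backup and is not reported here.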
From v7.6.0, it is possible to delay the NPU offload for all TCP sessions globally.
Refer to the below doc for more information: