Jackie_T
Staff
Article Id 191256

Description

 

This article describes how to disable offloading sessions to the NPU (hardware acceleration) on FortiGate models that support hardware acceleration, for example, disabling ASIC offload in NGFW mode. When offloading is disabled, the primary CPU of the FortiGate handles the traffic. This method is used for troubleshooting purposes.
 
Scope
 
FortiGate with NP processors.
 
Solution

 

Some FortiGate models support hardware acceleration, which is provided by a special processing unit known as an NPU.
There are different NPU types depending on the model: NP4, NP6, NP6XLite, NP6Lite, and NP7.
Here is a list of the most recent units and their processors: Technical Tip: Hardware Acceleration Processors
 
How to disable hardware acceleration depends on the NP processor type.
 
NP7.
For models with NP7 processors, it is only possible to disable hardware acceleration for individual firewall policies.
 
NP6 and others.

In NGFW mode, two policy types are available:

  • Security Policy.
  • SSL inspection and Authentication.

Security policies do not allow session offloading to the NPU (hardware acceleration) to be disabled.

 


 

The 'SSL inspection and Authentication' policy (firewall policy) allows the user to disable offloading:

 

config firewall policy
    edit 1
        set auto-asic-offload disable
end
 
Note: the np-acceleration setting is explicitly disabled when auto-asic-offload is disabled.
There is no need to disable it separately (where the command 'set np-acceleration disable' is available); no type of offloading takes place with auto-asic-offload set to disable.
 
It is also possible to disable hardware acceleration for individual IPsec VPN tunnels:
 
config vpn ipsec phase1-interface
    edit phase-1-name
        set npu-offload disable
end
 
For models with NP6 processors, it is possible to disable offloading for all traffic:
 
config system npu
    set fastpath disable
end
 
For models with an NP6XLite processor, it is also possible to disable offloading for all traffic:
 
config system np6xlite
    edit np6xlite_0
        set fastpath disable
end
 
Fastpath is enabled by default.
This command disables offloading for individual NP6XLite processors; in the example, np6xlite_0.

Alternatively, for NP6 and related processors, it is possible to use the following diagnose command to temporarily disable NP6 hardware acceleration. With this method, hardware acceleration is enabled again when the FortiGate is rebooted.
 
diagnose npu <processor-name> fastpath disable <id>
     
'processor-name' can be np6, np6xlite, or np6lite.
'id' specifies the ID of the NP6, NP6XLite, or NP6Lite processor, as multiple processors can be available.
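
Because the configuration settings above are intended for troubleshooting, a saved configuration can be checked for any that were left disabled. The following Python script is an added example, not Fortinet code: the function name and sample backup are constructed for illustration, and it assumes a plain-text backup in the config/edit/set/next/end layout used in this article.

```python
# Settings from this article that switch NPU offloading off, by config section.
OFFLOAD_SETTINGS = {
    "firewall policy": "auto-asic-offload",
    "vpn ipsec phase1-interface": "npu-offload",
    "system npu": "fastpath",
    "system np6xlite": "fastpath",
}

# Assumption: input is a plain-text backup in config/edit/set/next/end layout.
def find_disabled_offload(config_text):
    """Return (section, entry, setting) for each offload setting set to disable."""
    findings, stack, in_quote = [], [], False
    for raw in config_text.splitlines():
        inside = in_quote
        if (raw.count('"') - raw.count('\\"')) % 2:
            in_quote = not in_quote  # a quoted value opens or closes on this line
        tok = [] if inside else raw.split()  # skip bodies of multi-line values
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw == "config":
            stack.append([" ".join(args), None])
        elif stack and kw == "edit":
            stack[-1][1] = " ".join(args).strip('"')
        elif stack and kw == "next":
            stack[-1][1] = None
        elif stack and kw == "end":  # also closes an edit that has no "next"
            stack.pop()
        elif stack and kw == "set" and len(args) >= 2:
            section, entry = stack[-1]
            if OFFLOAD_SETTINGS.get(section) == args[0] and args[1] == "disable":
                findings.append((section, entry, args[0]))
    return findings

# Constructed sample backup, not taken from a real device.
SAMPLE = '''config system npu
    set fastpath disable
end
config firewall policy
    edit 1
        set auto-asic-offload disable
    next
    edit 2
        set comments "note:
set auto-asic-offload disable"
end
config vpn ipsec phase1-interface
    edit "branch-a"
        set npu-offload disable
end'''
```

Policy 2 in the sample is not reported, because the matching text there sits inside a multi-line comment value rather than being a setting.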
 
From v7.6.0, it is possible to delay the NPU offload for all TCP sessions globally.
Refer to the below doc for more information: