FortiGate
Anonymous
Article Id 207610
Description This article describes the support of EMAC VLAN with NP offloading.
Scope FortiGate.
Solution

The Media Access Control (MAC) Virtual Local Area Network (VLAN) feature in Linux allows multiple virtual interfaces, each with its own MAC address (and therefore its own IP address), to be configured on a single physical interface.

 

FortiGate implements an enhanced MAC VLAN (EMAC VLAN): a MAC VLAN with bridge functionality. Refer to the following document for more information on the EMAC VLAN functionality of FortiGate: Enhanced MAC VLANs

 

The following points should be considered before configuring EMAC VLAN in an environment that relies on NP offloading:

  • NP6 only partially supports EMAC VLAN offloading. For example, traffic between EMAC VLANs is not offloaded when the emac-vlan interface is not assigned a VLAN ID.
  • NP6 offload is disabled for IPsec over pure EMAC VLANs (where the emac-vlan interface is not assigned a VLAN ID); see the notes below.

 

For cases where traffic over an EMAC VLAN interface has issues while offloading is enabled, apply the following workaround:

 

Disable NPU offloading on every firewall policy and/or IPsec phase 1 that uses an EMAC VLAN interface. Offloading is disabled per policy and per tunnel, so each object that references the EMAC VLAN interface has to be changed:

 

config firewall policy
    edit <id>
        set auto-asic-offload disable
    next
end

config vpn ipsec phase1-interface
    edit <tunnel_name>
        set npu-offload disable
    next
end
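On a FortiGate with many policies and tunnels, the hard part of this workaround is finding every object that references an EMAC VLAN interface. The following script is an added example, not part of the Fortinet article: it takes the objects as returned by the FortiOS REST API (GET /api/v2/cmdb/system/interface, /api/v2/cmdb/firewall/policy and /api/v2/cmdb/vpn.ipsec/phase1-interface), identifies the EMAC VLAN interfaces (type emac-vlan; optionally only the pure ones with no VLAN ID, the case NP6 cannot offload), lists the policies and phase1-interface tunnels that use them and still have offload enabled, and prints the CLI above with the real IDs and tunnel names filled in. The interface, policy and tunnel names are constructed sample data, and the assumption that a missing auto-asic-offload / npu-offload attribute means the default "enable" is this example's own.

```python
"""Added example (not Fortinet's code): find FortiOS firewall policies and
IPsec phase1-interface tunnels bound to EMAC VLAN interfaces that still have
NPU offload enabled, and render the CLI that disables it.

Assumed input shape: JSON objects as returned by the FortiOS REST API
(GET /api/v2/cmdb/system/interface, /api/v2/cmdb/firewall/policy,
/api/v2/cmdb/vpn.ipsec/phase1-interface). EMAC VLAN interfaces are assumed
to report type "emac-vlan" and an optional "vlanid" (0 when none is set).
"""

# Constructed sample data with hypothetical names; only the fields used
# below are included.
SAMPLE_INTERFACES = [
    {"name": "port1", "type": "physical"},
    {"name": "port2", "type": "physical"},
    {"name": "emac1", "type": "emac-vlan", "interface": "port1", "vlanid": 0},
    {"name": "emac2", "type": "emac-vlan", "interface": "port1", "vlanid": 100},
    {"name": "vlan10", "type": "vlan", "interface": "port1", "vlanid": 10},
]

SAMPLE_POLICIES = [
    {"policyid": 1, "srcintf": [{"name": "emac1"}], "dstintf": [{"name": "port2"}],
     "auto-asic-offload": "enable"},
    {"policyid": 2, "srcintf": [{"name": "port1"}], "dstintf": [{"name": "port2"}],
     "auto-asic-offload": "enable"},
    {"policyid": 3, "srcintf": [{"name": "emac2"}], "dstintf": [{"name": "emac1"}],
     "auto-asic-offload": "disable"},
]

SAMPLE_PHASE1 = [
    {"name": "vpn-emac", "interface": "emac1", "npu-offload": "enable"},
    {"name": "vpn-wan", "interface": "port1", "npu-offload": "enable"},
]


def emac_vlan_interfaces(interfaces, pure_only=False):
    """Names of emac-vlan interfaces. With pure_only=True keep only those
    without a VLAN ID, the case the article says NP6 cannot offload."""
    names = set()
    for itf in interfaces:
        if itf.get("type") != "emac-vlan":
            continue
        if pure_only and itf.get("vlanid", 0):
            continue
        names.add(itf["name"])
    return names


def policies_needing_fix(policies, emac_names):
    """Policy IDs that reference an EMAC VLAN on either side and still have
    auto-asic-offload enabled (a missing attribute is treated as the
    default 'enable'; assumption of this example)."""
    hits = []
    for pol in policies:
        used = {i["name"] for i in pol.get("srcintf", []) + pol.get("dstintf", [])}
        if used & emac_names and pol.get("auto-asic-offload", "enable") == "enable":
            hits.append(pol["policyid"])
    return hits


def phase1_needing_fix(phase1s, emac_names):
    """Tunnel names bound to an EMAC VLAN with npu-offload still enabled."""
    return [p1["name"] for p1 in phase1s
            if p1.get("interface") in emac_names
            and p1.get("npu-offload", "enable") == "enable"]


def remediation_cli(policy_ids, tunnel_names):
    """Render the FortiOS CLI that disables NPU offload on the given objects."""
    lines = []
    if policy_ids:
        lines.append("config firewall policy")
        for pid in policy_ids:
            lines += [f"    edit {pid}", "        set auto-asic-offload disable", "    next"]
        lines.append("end")
    if tunnel_names:
        lines.append("config vpn ipsec phase1-interface")
        for name in tunnel_names:
            lines += [f'    edit "{name}"', "        set npu-offload disable", "    next"]
        lines.append("end")
    return "\n".join(lines)


def plan(interfaces, policies, phase1s):
    """Full pass over the three object lists: (policy_ids, tunnel_names, cli)."""
    emac = emac_vlan_interfaces(interfaces)
    pids = policies_needing_fix(policies, emac)
    tunnels = phase1_needing_fix(phase1s, emac)
    return pids, tunnels, remediation_cli(pids, tunnels)


if __name__ == "__main__":
    _, _, cli = plan(SAMPLE_INTERFACES, SAMPLE_POLICIES, SAMPLE_PHASE1)
    print(cli)
```

With the sample data, policy 1 and tunnel vpn-emac are reported (policy 3 already has offload disabled, policy 2 and vpn-wan do not touch an EMAC VLAN). Run against real API output, the rendered CLI can be pasted into the FortiGate console, or the same objects can be updated with PUT requests to the endpoints named above. Pass pure_only=True to emac_vlan_interfaces to restrict the change to EMAC VLANs without a VLAN ID if that is the only case affected in the environment.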

 

NP6xlite (SoC4) behaves the same as NP6: EMAC VLAN offloading to the NPU is only partially supported by these ASICs, and the same workaround applies.

 

Note:

  • Because of the restrictions on offloading EMAC VLAN traffic, newer FortiOS releases (starting with v6.2.8, v6.4.9 and v7.0.2) automatically disable EMAC VLAN traffic offloading to NP6 and NP6xlite (SoC4) in the scenarios where it is not supported, such as IPsec.
  • Starting with v7.6.4, EMAC offloading support has been introduced for SoC4 platforms. This enhancement prevents MAC address flapping by ensuring that the same MAC address is retained before and after the offload. The problem is tracked under issue ID 114861: Resolved issues 7.6.4
  • Consider the NP7 platform if offloading traffic over EMAC VLAN interfaces is a priority, as NP7 processors have better EMAC offload support.