FortiGate
echia
Staff
Article Id 193493

Description

This article describes how to confirm that IPsec traffic is being offloaded to a Network Processor (NP) for improved throughput.

Many FortiGate platforms include a specially designed hardware component, an ASIC (application-specific integrated circuit), that is responsible for processing certain types of traffic. One of these ASICs is the Network Processor, or NP.

On platforms that include an NP, IPsec ESP traffic can be offloaded to the NP, which greatly reduces load on the CPU and dramatically increases the potential throughput of the IPsec tunnel. Offloading is decided separately for each direction of flow through the tunnel (ingress/decryption and egress/encryption), so there are four possible offload states for a tunnel.

This article has 3 sections:

  1. Questions to answer (about the platform's offload capabilities).
  2. Configuration to check (to make offloading possible).
  3. Diagnostic commands to run (to confirm that offloading is occurring).

Scope

FortiGate.

Solution

1. Questions to answer:

  • Check whether the device has an NP (Network Processor) that can offload VPN traffic.
  • If the device does have an NP, determine which NP generation it is (for example NP6, NP6lite or NP7); offload capabilities differ between generations.
  • Determine which encryption and authentication algorithms that NP supports for offloading. A phase2 proposal that uses an algorithm the NP cannot handle is processed by the CPU instead, even if everything else is configured correctly.

For more information on Hardware Acceleration and Hardware Acceleration Requirements, refer to the FortiOS Hardware Acceleration documentation.

Additionally, refer to the related KB article 'Technical Tip: Interface not supported by NPU Offload', which describes limitations on Hardware Acceleration when certain interface types are used.


2. Configuration to check.
Ensure that NPU offloading is enabled in the VPN phase1 (it is enabled by default, so check that it has not been disabled):


config vpn ipsec phase1-interface
    edit <phase1-name>
        set npu-offload enable
    next
end

Ensure that the firewall policies created for the VPN tunnels (in both directions) have auto-ASIC offloading enabled (also enabled by default):


config firewall policy
    edit <policy_id>
        set auto-asic-offload enable
    next
end

3. Diagnostics to run:
The following CLI commands can be used to verify that IPsec VPN traffic is being offloaded to the NP:

diagnose vpn ipsec status

[Screenshot of the output (diagvpnIPSECstat2.png): it lists the IPsec crypto devices in use (NPU, CP and software) with their encryption and decryption packet counters. If the NPU counters do not increase while traffic flows through the tunnel, the traffic is being processed in software.]

diagnose vpn tunnel list

[Screenshot of the output (npu_flag=03.bmp): the npu_flag field appears in the per-tunnel SA details.]

npu_flag=00: neither ingress nor egress ESP packets are offloaded; both directions are handled by the kernel (CPU).
npu_flag=01: only egress ESP packets are offloaded; ingress ESP packets are handled by the kernel.
npu_flag=02: only ingress ESP packets are offloaded; egress ESP packets are handled by the kernel.
npu_flag=03: both ingress and egress ESP packets are offloaded.

If facing performance issues, first verify that npu_flag=03 for the affected tunnel.
If the flag is 00, 01 or 02, VPN traffic is NOT fully offloaded. Re-check the configuration in section 2, and confirm that the phase2 proposal only uses algorithms the NP supports (section 1).

Note:

If IPsec is being used in a public cloud environment (Azure, AWS), check the DoS policy and the anomaly log, as slow throughput can be caused by UDP 500/4500 (IKE and NAT-T) packets being dropped by a flood anomaly threshold. Raise the threshold value, or disable the anomaly or DoS policy, to fix this. Prefer raising the threshold or narrowing the DoS policy so it no longer covers the VPN peers over disabling it entirely, so the protection is kept for other traffic.

NPU flags can change without a phase2 rekey. The NPU flag indicates whether the traffic processed by the NPU is bi-directional, and it can change based on the type of traffic being processed and the current network conditions.
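The four npu_flag states listed in section 3 can be checked mechanically across many tunnels instead of reading the output by eye. The following Python script is an added example for this article (it is not Fortinet code and is not part of FortiOS): it parses saved output of diagnose vpn tunnel list, decodes the npu_flag bits into per-direction offload states, and lists the SAs that are not fully offloaded. The sample output embedded in the script is constructed to resemble the real format; the tunnel names, addresses and counters are invented.

```python
"""
Decode npu_flag values from 'diagnose vpn tunnel list' output.

Added example for this article; it is not Fortinet code and does not ship
with FortiOS. SAMPLE_OUTPUT is constructed to resemble the command's
output (field names follow the real format, the values are invented).
"""
import re

# Bit meanings as listed in section 3 of the article:
#   0x01 -> egress (encryption) ESP packets offloaded to the NP
#   0x02 -> ingress (decryption) ESP packets offloaded to the NP
NPU_EGRESS = 0x01
NPU_INGRESS = 0x02

# Constructed sample: three tunnels with npu_flag 03, 01 and 00.
SAMPLE_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_HQ ver=2 serial=1 203.0.113.1:0->203.0.113.2:0 tun_id=203.0.113.2 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0210]=create_dev frag-rfc
proxyid=to_HQ proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.0.0/255.255.0.0:0
  dst: 0:10.2.0.0/255.255.0.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42633/0B replaywin=2048
  npu_flag=03 npu_rgwy=203.0.113.2 npu_lgwy=203.0.113.1 npu_selid=0 dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=to_Branch ver=2 serial=2 203.0.113.1:0->198.51.100.7:0 tun_id=198.51.100.7 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0210]=create_dev frag-rfc
proxyid=to_Branch proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.0.0/255.255.0.0:0
  dst: 0:10.3.0.0/255.255.0.0:0
  npu_flag=01 npu_rgwy=198.51.100.7 npu_lgwy=203.0.113.1 npu_selid=0 dec_npuid=0 enc_npuid=1
------------------------------------------------------
name=to_Cloud ver=2 serial=3 203.0.113.1:0->192.0.2.9:0 tun_id=192.0.2.9 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0210]=create_dev frag-rfc
proxyid=to_Cloud proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.0.0/255.255.0.0:0
  dst: 0:10.4.0.0/255.255.0.0:0
  npu_flag=00 npu_rgwy=192.0.2.9 npu_lgwy=203.0.113.1 npu_selid=0 dec_npuid=0 enc_npuid=0
"""

NAME_RE = re.compile(r"^name=(\S+)")
PROXYID_RE = re.compile(r"^proxyid=(\S+)")
NPU_FLAG_RE = re.compile(r"^npu_flag=([0-9a-fA-F]{2})\b")


def decode_npu_flag(flag):
    """Return (ingress_offloaded, egress_offloaded) for a two-digit hex npu_flag."""
    value = int(flag, 16)
    return bool(value & NPU_INGRESS), bool(value & NPU_EGRESS)


def parse_tunnel_list(output):
    """Collect one record per npu_flag line, tagged with the enclosing tunnel and proxyid."""
    records = []
    tunnel = proxyid = None
    for raw in output.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            tunnel, proxyid = m.group(1), None
            continue
        m = PROXYID_RE.match(line)
        if m:
            proxyid = m.group(1)
            continue
        m = NPU_FLAG_RE.match(line)
        if m and tunnel is not None:
            ingress, egress = decode_npu_flag(m.group(1))
            records.append({
                "tunnel": tunnel,
                "proxyid": proxyid,
                "npu_flag": m.group(1),
                "ingress": ingress,
                "egress": egress,
            })
    return records


def not_fully_offloaded(records):
    """Records whose SA is not offloaded in both directions (anything other than npu_flag=03)."""
    return [r for r in records if not (r["ingress"] and r["egress"])]


def describe(record):
    """One-line verdict for a record, using the article's NP-versus-kernel wording."""
    def state(offloaded):
        return "NP" if offloaded else "kernel"
    return "%s/%s npu_flag=%s: ingress=%s egress=%s" % (
        record["tunnel"], record["proxyid"], record["npu_flag"],
        state(record["ingress"]), state(record["egress"]))


if __name__ == "__main__":
    recs = parse_tunnel_list(SAMPLE_OUTPUT)
    for r in recs:
        print(describe(r))
    bad = not_fully_offloaded(recs)
    print("%d of %d SAs are not fully offloaded" % (len(bad), len(recs)))
```

To use it on a real device, replace SAMPLE_OUTPUT with the captured text of diagnose vpn tunnel list (or read it from a file). Because the flag can change without a phase2 rekey, as the Note above explains, it is worth running the check more than once while traffic is flowing rather than relying on a single sample.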