Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Jackie_T
Staff
Staff

Created on ‎11-10-2021 02:36 AM Edited on ‎05-16-2025 09:25 AM By Moderator

Article Id 191256

Technical Tip: FortiGate Disable Hardware Acceleration

Description

 

This article describes how to disable offloading sessions to NPU (hardware acceleration) on FortiGate models that support hardware acceleration, like disabling the ASIC offload in the NGFW mode. Disabling it means the primary CPU of the FortiGate will handle the traffic. This method is used for troubleshooting purposes.
 
Scope
 
FortiGate with NP processors.
 
Solution

 

Some FortiGate models support hardware acceleration which comes with a special processing unit known as NPU.
There are different NPU types depending on the model: NP4, NP6, NP6XLite, NP6Lite, and NP7.
Here is a list of the most recent units and their processors: Technical Tip: Hardware Acceleration Processors
 
How to disable hardware acceleration depends on the NP processor type.
 
NP7.
For models with NP7 processors, it is only possible to disable hardware acceleration per individual firewall policies. 
 
NP6 and others.

In NGFW mode, two policies are available:

  • Security Policy (NGFW mode : policy-based).
  • SSL inspection and Authentication (NGFW mode : profile-based).

Security policies do not allow disabling the session offloading to NPU (hardware acceleration).

 

security policy.png

 

Disabling hardware acceleration is one of the recommended steps while troubleshooting various network connectivity issues. In order to perform this on a profile based firewall, it is important to track which SSL Inspection & Authentication policy this secure firewall policy is hitting. Usually for the users that are not that familiar with the policy based mode, the policies look like the picture below:

 

 

edit 2.jpg

 

It is not recommended to disable the auto-asic offload on this firewall policy, therefore a new policy should be created with the parameters that are troubleshooted and the policy should be edited in cli.

 

edit 22.jpg

 

After the creation of this policy, edit in cli and "set auto-asic offload disable":

 

config firewall policy
 edit 2
  set auto-asic-offload disable
 next
end

 

Another option would be to disable it globally, but it is a good practice to cause as less impact as possible:

 

config ips global

    set np-accel-mode none

end

 

Note:

This command may impact existing traffic. Disabling it globally will make all traffic be handled by the CPU. Monitor the CPU usage so it is not high. More information: Technical Tip: Nturbo functions within FortiOS 

 

To disable np-acceleration (nTurbo) on a policy level:

 

      config firewall policy

       edit 1

           set np-acceleration disable

       next

   end

 

Note:

The option to disable np-acceleration is only available when FortiOS is in profile-based NGFW mode only. for differences between profile-based and policy-based modes the following article provides detailed information: Technical Tip: Profile-based policies vs Policy-based policies.

When trying to capture the packets on WebGUI, the user might get the below message. Use the below command 'auto-asic-offload' to disable the respective firewall policy.

 

1(2).png

 

'SSL inspection and Authentication' policy (firewall policy) allows the user to disable offloading:

 

config firewall policy

    edit 1

        set auto-asic-offload disable
end
 
Note:
The setting np-acceleration will be explicitly disabled when the auto-asic-offload will be disabled. 
There is no need to disable it additionally (where this command is available: set np-accelleration disable), no type of offloading will take place with auto-asic-offload set to disable.
 
It is also possible to disable hardware acceleration for individual IPsec VPN tunnels:
 
config vpn ipsec phase1-interface
    edit phase-1-name
        set npu-offload disable
end
 
For models with NP6 processors, it is possible to disable offloading for all traffic:
 
config system npu
    set fastpath disable
end
 
For models with an NP6XLite processor, it is also possible to disable offloading for all traffic:
 
config system np6xlite
    edit np6xlite_0
        set fastpath disable
end
 
Fastpath is enabled by default.
This command disables offloading for individual NP6XLite processors, in the example, np6xlite_0.
Alternatively, for NP6 and related processors, it is possible to use the following diagnosis command to temporarily disable NP6 hardware acceleration. Using this method, the hardware acceleration will be enabled again when rebooting the FortiGate.
 
diagnose npu <processor-name> fastpath disable <id>
     
'processor-name' can be np6, np6xlite, or np6lite.
'id' specifies the ID of the NP6, NP6XLite, or NP6XLite processor, as multiple processors can be available.
 
From v7.6.0, it is possible to delay the NPU offload for all TCP sessions globally.
Refer to the below doc for more information:
 
Labels:
64630
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.