FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Jackie_T
Staff
Staff
Article Id 191256

Description

 

This article describes how to disable offloading sessions to NPU (hardware acceleration) on FortiGate models that support hardware acceleration.
This method is used for troubleshooting purpose.
 
Related documents:


Solution

 

Some FortiGate models support hardware acceleration which come with a special processing unit known as NPU. Types of NPU you might see depends on the model: NP6, NP6XLite, NP6Lite, and NP7.
How to disable hardware acceleration depends on the NP processor:
 
For models with NP7 processors, you must disable hardware acceleration for individual firewall policies. For example:
# config firewall policy
    edit 1
      set auto-asic-offload disable
    end
You can also disable hardware acceleration for individual IPsec VPN tunnels:
# config vpn ipsec phase1-interface
    edit phase-1-name
      set npu-offload disable
    end
For model with NP6 and related processors you can disable offloading for all traffic:
# config system npu
    set fastpath disable
end
For models with an NP6XLite processor you can also disable offloading for all traffic:
# config system np6xlite
    edit np6xlite_0
set fastpath disable
    end
 
fastpath is enabled by default. This command disables offloading for individual NP6XLite processors, in the example, np6xlite_0.
 
Alternatively, for NP6 and related processors you can use the following diagnose command to temporarily disable NP6 hardware acceleration.
Using this method, the hardware acceleration will be enabled again when you reboot the FortiGate.
 
Example command:
 
# diagnose npu <processor-name> fastpath disable <id>
 
'processor-name' can be np6, np6xlite, or np6lite.
'id' specify the ID of the NP6, NP6XLite, or NP6XLite processor for which to disable offloading.