FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Jackie_T
Staff & Editor
Article Id 191256

Description

This article describes how to disable offloading of sessions to the NPU (hardware acceleration) on FortiGate models that support it, i.e. how to disable ASIC offload in the respective NGFW mode. With offloading disabled, the FortiGate's main CPU handles the traffic. This method is used for troubleshooting purposes.

Scope

FortiGate with NP processors.

Solution
Some FortiGate models support hardware acceleration, which comes with a special processing unit known as the NPU. There are different NPU types depending on the model: NP4, NP6, NP6XLite, NP6Lite, and NP7. A list of the most recent units and their processors is available in Technical Tip: Hardware Acceleration Processors.

How to disable hardware acceleration depends on the NP processor type and the NGFW mode.

NGFW profile-based mode:
In the default (profile-based) NGFW mode, disabling hardware acceleration for traffic is usually done individually on the relevant firewall policies, as for NP7; see Disabling NP offloading for firewall policies.
 
NGFW policy-based mode:

In NGFW policy-based mode, two sets of policies are applied to all traffic:

  • Security Policy ('config firewall security-policy').
  • SSL inspection and Authentication ('config firewall policy').

Security policies do not allow disabling session offloading to the NPU (hardware acceleration):

FGT-A # config firewall security-policy

FGT-A (security-policy) # edit 1
new entry '1' added

FGT-A (1) # set auto-asic-offload disable

command parse error before 'auto-asic-offload'
Command fail. Return code -61

FGT-A (1) # set np-acceleration disable

command parse error before 'np-acceleration'
Command fail. Return code -61

FGT-A (1) #

 

Disabling hardware acceleration is one of the recommended steps while troubleshooting various network connectivity issues.

To perform this on a profile-based firewall, it is important to track which SSL Inspection & Authentication policy the security policy in question is hitting. For users who are not that familiar with policy-based mode, the policies usually look like the picture below:

[Image: edit 2.jpg]

To track and confirm which SSL Inspection & Authentication policy is being hit, see Technical Tip: How to identify firewall and security policies in a policy based NGFW mode.

It is not recommended to disable auto-ASIC offload on this existing firewall policy. Instead, create a new policy matching the parameters being troubleshot, and edit that policy in the CLI.

[Image: edit 22.jpg]

After creating this policy, edit it in the CLI and run 'set auto-asic-offload disable':

 

config firewall policy
    edit 2
        set auto-asic-offload disable
    next
end

Another option is to disable it globally, but it is good practice to cause as little impact as possible:

config ips global
    set np-accel-mode none
end

 

Note:

This command may impact existing traffic. Disabling offloading globally makes all traffic be handled by the CPU; monitor CPU usage to make sure it does not become too high. More information: Technical Tip: Nturbo functions within FortiOS

To disable np-acceleration (nTurbo) at the policy level:

config firewall policy
    edit 1
        set np-acceleration disable
    next
end

Note:

The option to disable np-acceleration is only available when FortiOS is in profile-based NGFW mode. For the differences between profile-based and policy-based modes, see Technical Tip: Profile-based policies vs Policy-based policies.

When trying to capture packets in the web GUI, the user might get the following message. Use the 'auto-asic-offload' command below to disable offloading on the respective firewall policy.

 

[Image: 1(2).png]

The 'SSL inspection and Authentication' policy (firewall policy) allows the user to disable offloading:

config firewall policy
    edit 1
        set auto-asic-offload disable
    next
end

Note:
When auto-asic-offload is disabled, np-acceleration is disabled as well. There is no need to disable it separately (on models where 'set np-acceleration disable' is available): no offloading of any kind takes place once auto-asic-offload is set to disable.
 
It is also possible to disable hardware acceleration for individual IPsec VPN tunnels:
 
config vpn ipsec phase1-interface
    edit phase-1-name
        set npu-offload disable
    next
end
 
NP7:

For models with NP7 processors, it is only possible to disable hardware acceleration on individual firewall policies. 
 
Disable offloading globally for NP6 models:
 
config system npu
    set fastpath disable <-- enabled by default.
end
 
Disabling offloading globally for NP6XLite models:
Disabling fastpath on SOC4 platforms (NP6XLite) is the equivalent of disabling npu-offload on all phase1-interface(s) and disabling auto-asic-offload on all firewall policies.
 
config system np6xlite
    edit np6xlite_0
        set fastpath disable <-- enabled by default.
    next
end
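Offload settings disabled for troubleshooting are easy to forget, and each one left behind keeps traffic on the CPU. The following Python script is an added example (not part of this article and not Fortinet code): it parses the config/edit/set/next/end structure of a FortiOS configuration backup and lists every firewall policy, IPsec phase1-interface and global table where one of the settings discussed above (auto-asic-offload, np-acceleration, npu-offload, fastpath, np-accel-mode) is turned off. The sample backup text inside the script is constructed for illustration; policy numbers and tunnel names are invented.

```python
"""Audit a FortiOS configuration backup for hardware-offload settings that are
turned off. Added example for this article; not Fortinet code. The config text
below is constructed for illustration; the setting names are the ones the
article uses."""

import shlex

# Setting name -> value that means "hardware offload is off" in that table.
OFFLOAD_OFF = {
    "auto-asic-offload": "disable",  # firewall policy (SSL inspection & authentication)
    "np-acceleration": "disable",    # firewall policy, profile-based mode (nTurbo)
    "npu-offload": "disable",        # vpn ipsec phase1-interface
    "fastpath": "disable",           # system npu / system np6xlite
    "np-accel-mode": "none",         # ips global
}

# Constructed sample backup (hypothetical device; names and numbers invented).
SAMPLE_CONFIG = """\
config ips global
    set np-accel-mode none
end
config firewall policy
    edit 1
        set name "to-internet"
        set auto-asic-offload disable
    next
    edit 2
        set name "dmz-in"
        set np-acceleration disable
    next
    edit 3
        set name "untouched"
    next
end
config vpn ipsec phase1-interface
    edit "branch-a"
        set npu-offload disable
    next
    edit "branch-b"
    next
end
config system np6xlite
    edit np6xlite_0
        set fastpath disable
    next
end
"""


def parse_fortios_config(text):
    """Parse the config/edit/set/next/end structure of a FortiOS backup.

    Returns {table_name: {entry_id: {setting: value}}}. Settings of a table
    without 'edit' entries (e.g. 'ips global') are stored under entry None.
    Nested 'config' sub-tables are tracked on a stack so 'end' pops correctly.
    """
    tables = {}
    stack = []  # each frame: [table_name, current_entry_id]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # handles quoted names such as edit "branch-a"
        cmd, args = words[0], words[1:]
        if cmd == "config":
            name = " ".join(args)
            stack.append([name, None])
            tables.setdefault(name, {})
        elif cmd == "edit" and stack and args:
            stack[-1][1] = args[0]
            tables[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "next" and stack:
            stack[-1][1] = None
        elif cmd == "end" and stack:
            stack.pop()
        elif cmd == "set" and stack and args:
            table, entry = stack[-1]
            tables[table].setdefault(entry, {})[args[0]] = " ".join(args[1:])
    return tables


def find_offload_disabled(tables):
    """Return (table, entry, setting, value) for every place offload is off."""
    findings = []
    for table, entries in tables.items():
        for entry, settings in entries.items():
            for setting, off_value in OFFLOAD_OFF.items():
                if settings.get(setting) == off_value:
                    findings.append((table, entry, setting, off_value))
    return findings


def audit(text):
    """Parse a backup and return the list of offload-disabled findings."""
    return find_offload_disabled(parse_fortios_config(text))


if __name__ == "__main__":
    for table, entry, setting, value in audit(SAMPLE_CONFIG):
        where = table if entry is None else f"{table} / edit {entry}"
        print(f"{where}: {setting} {value}")
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; a policy or tunnel that is still listed after the troubleshooting session is over is a candidate for re-enabling offload. The parser keys tables by name only, so two sub-tables with the same name under different parents would be merged; for the five settings above that is not an issue.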
 
Alternatively, for NP6 and related processors, the following diagnose command can be used to temporarily disable NP6 hardware acceleration. With this method, hardware acceleration is enabled again when the FortiGate reboots.

diagnose npu <processor-name> fastpath disable <id>

'processor-name' can be np6, np6xlite, or np6lite. 'id' specifies the ID of the NP6, NP6XLite, or NP6Lite processor, as multiple processors can be present.
 
From v7.6.0, it is possible to delay the NPU offload for all TCP sessions globally. Refer to the below doc for more information: