FortiGate
mpapisetty
Staff
Article Id 416652
Description This article describes hardware acceleration behavior on a FortiGate with NTurbo capability. When an IPS policy is in use, the FortiGate uses NTurbo to accelerate the traffic; the article explains how the offload is performed and the steps to validate it from the session table and IPS debug output.
Scope FortiGate with support for NTurbo and NP acceleration.
Solution

On a FortiGate, once a session completes the TCP 3-way handshake, its proto_state is set to 11. At this stage the FortiGate decides whether or not to offload the session. If the session is offloaded, the session list shows the offload status accordingly.


Here is an example of a session in proto_state=11 and offloaded:

 

session info: proto=6 proto_state=11 duration=0 expire=3599 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=may_dirty ndr npu
statistic(bytes/packets/allow_err): org=88/2/1 reply=48/1/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=7->22/22->7 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 17.1.2.4:47024->33.1.1.100:80(33.1.1.150:47024)
hook=pre dir=reply act=dnat 33.1.1.100:80->33.1.1.150:47024(17.1.2.4:47024)
hook=post dir=reply act=noop 33.1.1.100:80->17.1.2.4:47024(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=646 auth_info=0 chk_client_info=0 vd=0
serial=000fc58c tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x003c94 ips_offload ofld-O ofld-R
npu info: flag=0x81/0x81, offload=9/9, ips_offload=1/1, epid=12/12, ipid=128/143, vlan=0x0000/0x0000
vlifid=128/143, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=6/11, ha_divert=0/0
total session: 1

 

Important flags in the above session:

  1. The state line contains ndr and npu: ndr indicates that the session is being inspected by IPS, and npu indicates that the session is being hardware-accelerated.
  2. offload=9/9 and ips_offload=1/1 in the npu info line: offload=9/9 indicates that the session is offloaded to the NP, and ips_offload=1/1 indicates that the IPS inspection is being accelerated (NTurbo).

 

Once the IPS has seen enough packets to reach a verdict on the flow, it hands the session over completely from NTurbo to the NP. At this point the IPS prints the following lines in its debug output:

 

[9633@997]ips_run_session_verdict_check: serial=1033612 session is PASSED HURRY
[9633@997]ips_set_pkt_verdict: action=PASS_SESSION
[9633@997]ips_handle_pkt_verdict: pass a session, size=40

 

This is what the same session looks like in the session table afterwards:

 

session info: proto=6 proto_state=11 duration=3 expire=3597 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=may_dirty npu
statistic(bytes/packets/allow_err): org=128/3/1 reply=3048/3/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=7->22/22->7 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 17.1.2.4:47024->33.1.1.100:80(33.1.1.150:47024)
hook=pre dir=reply act=dnat 33.1.1.100:80->33.1.1.150:47024(17.1.2.4:47024)
hook=post dir=reply act=noop 33.1.1.100:80->17.1.2.4:47024(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=646 auth_info=0 chk_client_info=0 vd=0
serial=000fc58c tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x003c08 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=9/9, ips_offload=0/0, epid=143/128, ipid=128/143, vlan=0x0000/0x0000
vlifid=128/143, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=6/11, ha_divert=0/0

The 'state' line no longer contains 'ndr', and ips_offload is now 0/0. This indicates that the IPS has seen enough data to mark the flow as clean and has moved it from NTurbo to the NP7, which continues processing the traffic.
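The two session-table dumps above differ only in a handful of fields (the state flags and the ips_offload counters). The following script is an added example, not part of the article or of FortiOS, that pulls those fields out of `diagnose sys session list` style output and names the stage each session is in, using the same interpretation the article gives: ndr plus ips_offload=1/1 means NTurbo-accelerated IPS inspection, npu without ndr and ips_offload=0/0 means the flow has been handed fully to the NP. The sample inputs are the article's two sessions trimmed to the relevant lines, plus one constructed entry for a session that has not yet completed the handshake; the stage names and the helper function names are this example's own.

```python
import re

# Trimmed copies of the two session entries shown in the article
# (constructed test input for this script).
SESSION_NTURBO = """\
session info: proto=6 proto_state=11 duration=0 expire=3599 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
state=may_dirty ndr npu
npu_state=0x003c94 ips_offload ofld-O ofld-R
npu info: flag=0x81/0x81, offload=9/9, ips_offload=1/1, epid=12/12, ipid=128/143, vlan=0x0000/0x0000
"""

SESSION_NP = """\
session info: proto=6 proto_state=11 duration=3 expire=3597 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
state=may_dirty npu
npu_state=0x003c08 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=9/9, ips_offload=0/0, epid=143/128, ipid=128/143, vlan=0x0000/0x0000
"""

# A session still in the handshake, carrying no offload flags
# (constructed; not taken from the article).
SESSION_HANDSHAKE = """\
session info: proto=6 proto_state=01 duration=0 expire=10 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=may_dirty
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
"""


def split_sessions(output):
    """Split a multi-session dump into one string per 'session info:' entry."""
    parts = re.split(r"(?m)^(?=session info:)", output)
    return [p for p in parts if p.strip()]


def parse_session(text):
    """Extract the fields that decide the offload stage of one session entry."""
    info = {}
    m = re.search(r"\bproto_state=(\d+)", text)
    info["proto_state"] = m.group(1) if m else None
    # Only the standalone 'state=' line; 'npu_state=' and 'proto_state=' do not match.
    m = re.search(r"^state=(.*)$", text, re.MULTILINE)
    info["state_flags"] = set(m.group(1).split()) if m else set()
    # \b keeps 'offload=' from matching inside 'ips_offload='.
    m = re.search(r"\boffload=(\d+)/(\d+)", text)
    info["offload"] = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    m = re.search(r"\bips_offload=(\d+)/(\d+)", text)
    info["ips_offload"] = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    return info


def classify_offload(info):
    """Name the stage a parsed session is in, per the article's description."""
    if info["proto_state"] != "11":
        # The offload decision is only taken after the 3-way handshake.
        return "not-established"
    flags = info["state_flags"]
    np_active = "npu" in flags and info["offload"] != (0, 0)
    ips_active = info["ips_offload"] != (0, 0)
    if "ndr" in flags and ips_active and np_active:
        return "nturbo"          # IPS still inspecting, accelerated by NTurbo
    if "ndr" not in flags and not ips_active and np_active:
        return "np"              # IPS verdict given, flow handed fully to the NP
    if np_active or ips_active:
        return "mixed"           # flags disagree; worth a closer look
    return "not-offloaded"


def summarize(output):
    """Return {serial-less index: stage} for every session in a dump."""
    return {i: classify_offload(parse_session(s))
            for i, s in enumerate(split_sessions(output))}


if __name__ == "__main__":
    dump = SESSION_NTURBO + SESSION_NP + SESSION_HANDSHAKE
    for idx, stage in summarize(dump).items():
        print(f"session {idx}: {stage}")
```

Feed it the saved output of `diagnose sys session list` (or the filtered list for one client, as in the article) and it reports which sessions are still under NTurbo inspection and which have been handed to the NP; a session that stays in the "nturbo" stage for its whole lifetime is the expected result under the Web Filter and SSL full-decryption conditions described below.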

 

However, there are special conditions under which the IPS continues to process the entire flow through NTurbo rather than handing it to the NP. This happens when a Web Filter profile is attached to the policy or when SSL full (deep) decryption is enabled.

 

Related documents: 

NTurbo offloads flow-based processing

Troubleshooting Tip: FortiGate session table information
