dingjerry_FTNT
Article Id 376454
Description This article describes one scenario (GRE + IPSec) that is unsupported for NP7 offloading.
Scope FortiGate.
Solution

NP7 offloading supports GRE tunnels, whether they terminate on the FortiGate or pass through it. NP7 offloading also supports IPSec VPN tunnels.

However, traffic that combines GRE and IPSec VPN, whether GRE passing through the IPSec VPN or GRE over IPSec, is not supported for NP7 offloading.

The workaround is to configure 2 VDOMs, with IPSec terminated in 1 VDOM and GRE terminated in another VDOM.

For example:

  • The root VDOM is used to establish the VPN to the remote side.
  • The DMZ VDOM is used to establish the GRE tunnel to the remote side.
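
The following check is an added example, not part of the original article and not Fortinet code. It reads a configuration backup and lists, per VDOM, each GRE tunnel whose `set interface` names an IPSec phase1-interface in the same VDOM, which is one way the GRE over IPSec case above is configured. The sample excerpt, the VDOM name `legacy` and all tunnel and interface names are constructed placeholders, and the check does not see GRE that merely passes through an IPSec tunnel.

```python
# Constructed FortiOS-style backup excerpt; every VDOM, tunnel and interface name is a placeholder.
SAMPLE = """config vdom
edit legacy
config system gre-tunnel
    edit "gre_a"
        set interface "vpn_a"
    next
end
config vpn ipsec phase1-interface
    edit "vpn_a"
    next
end
end
config vdom
edit root
config vpn ipsec phase1-interface
    edit "vpn_b"
    next
end
end
config vdom
edit DMZ
config system gre-tunnel
    edit "gre_b"
        set interface "dmz_uplink"
    next
end
end
"""

def gre_bound_to_ipsec(config_text):
    """Per VDOM, list (GRE tunnel, IPsec phase1) pairs where the GRE tunnel rides an IPsec interface."""
    stack, vdom, entry, gre, ipsec = [], "root", None, {}, {}
    for line in config_text.splitlines():
        tok = [t.strip('"') for t in line.split()]
        if tok[:1] == ["config"]:
            stack.append(" ".join(tok[1:]))           # enter a config section
        elif tok[:1] == ["end"] and stack:
            stack.pop()                               # leave the innermost section
        elif tok[:1] == ["edit"] and len(tok) > 1:
            if stack == ["vdom"]:
                vdom = tok[1]                         # switch VDOM context
            entry = tok[1]
            if stack[-1:] == ["vpn ipsec phase1-interface"]:
                ipsec.setdefault(vdom, set()).add(entry)
        elif tok[:2] == ["set", "interface"] and len(tok) > 2 and stack[-1:] == ["system gre-tunnel"]:
            gre.setdefault(vdom, {})[entry] = tok[2]  # interface the GRE tunnel is bound to
    found = {v: sorted((g, i) for g, i in t.items() if i in ipsec.get(v, ())) for v, t in gre.items()}
    return {v: pairs for v, pairs in found.items() if pairs}
```

On the sample, only the `legacy` VDOM is reported; the root and DMZ VDOMs, laid out as in the workaround, are not.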

 


Related documents:

NP7 session fast path requirements

Tunneling protocols that can be offloaded by NP7 processors

Protocols that can be offloaded by NP7 processors