Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Nour
Staff
Staff

Created on ‎08-13-2024 01:40 AM Edited on ‎12-17-2024 07:12 AM By Moderator

Article Id 332574

Technical Tip: High CPU/Failopen mode due to GRE traffic increasing IPSEngine load

Description This article describes the behavior seen when FortiGate IPSEngine enters fail open mode due to GRE traffic, causing high CPU and an increased load on the FortiGate.
Scope FortiGate with pass-through GRE traffic that is IPS inspected/UTM enabled.
Solution
  • FortiGate can perform two types of acceleration (offloading):
    • Network Processor level (NP6/NP7)Network processors (NP7, NP6, NP6XLite, NP6Lite, and NP4).
    • NTurbo for inspected traffic: Offloads firewall and NAT sessions from the FortiGate CPU to NP7 or NP6 network processors and distributes these sessions to different IPS engine processes spread across multiple CPU cores, ensuring a load-balanced approach for handling IPS signature/pattern matching tasks.

 

Behavior and symptoms  (v7.0/v7.2/v7.4v/7.6):

  • If IPS is enabled on a policy, and this policy is experiencing a high load of pass-through GRE traffic, notice a high CPU or even IPSEngine entering fail-open mode.
  • This can be observed by checking the crash log 'diagnose debug crashlog read' and looking for occurrences of  'IPS enter fail open mode'.
  • This can be further confirmed by observing high consumption of IPSengine processes, consuming high CPU by running 'diagnose sys top'.
  • This is mostly due to this GRE traffic not being offloaded by NTurbo. Verify by printing the session:

 

diagnose sys session filter clear <----- Clear previous filters.
diagnose sys session filter proto 47 <----- Add new filter for GRE traffic (IP protocol type 47).
diagnose sys session list <----- List the GRE session.

 

  • If noticing this GRE traffic with 'proto=47' and the following: 'no_ofld_reason: redir-to-ips', this indicates that this traffic was not offloaded and equals to denied-by-turbo in the no_ofld_reason (i.e. A session being processed by the IPS that could normally be offloaded is not supported by nTurbo).
  • The reason is, that all GRE pass-through traffic will go to IPS through kernel/raw socket since NTurbo offloading only supports TCP/UDP traffic. GRE is not TCP/UDP. Therefore, NTurbo can not offload it.
  • To overcome this, add a new policy specifically for GRE traffic with no UTM enabled, which means no IPS is involved.
  • NP hardware can support GRE offloading when UTM is disabled, however, as mentioned, NTurbo does not support GRE traffic, which is why when UTM is enabled, this traffic is not offloaded. 
    Caution: FortiGate platforms with SOC4 do not support GRE offloading.

 

Note:

It is possible to correlate the high CPU/IPSEngine fail-open with specific timestamps where an increase in GRE traffic bandwidth is seen. 
602
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.