Description | This article describes how to fine-tune NP with the npu-neighbor-update command. |
Scope | FortiGate. |
Solution |
Whenever possible, FortiGates offload traffic (such as IPv4, IPv6, unicast, and multicast) from the CPU to the NP (Network Processor), radically speeding up functions and improving performance.
More information about NP and FortiASIC in general can be found in the following links:
There are scenarios where having the traffic completely offloaded to the NP can lead to issues. The npu-neighbor-update command was introduced to tune a specific NP behavior: when UDP traffic is offloaded on the NP, FortiGate can send ARP probes/NDP solicitations to devices.
The feature was introduced in the following FortiOS firmware releases:
config system global
(global) # set npu-neighbor-update [enable/disable]
This is useful in scenarios with unidirectional UDP traffic. For instance:
Provided that the UDP traffic matches a firewall policy with auto-asic-offload enabled (the default), UDP traffic sent to the Syslog server is eventually offloaded from the CPU to the NP. Since the Syslog server never sends any traffic, its MAC address entry will eventually age out and be removed from the mac-address table of the switches. The switches will then flood this UDP traffic, potentially impacting other important traffic flows.
With npu-neighbor-update set to enabled, FortiGate can send ARP probes (or NDP solicitations) to the devices whose UDP sessions are offloaded to the NP, which prevents their entries from aging out of the mac-address tables. |
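The aging behavior described above can be reproduced with a small model. The following Python simulation is an added example, not Fortinet code; the aging time, send and probe intervals, the MAC address and all names are assumptions chosen for the model, not FortiOS or switch defaults.

```python
# Added illustration (not Fortinet code): learning-switch MAC aging under one-way UDP.
# Timers, the MAC string and all names are assumptions chosen for the model.

SERVER_MAC = "00:00:5e:00:53:10"  # constructed example address

class LearningSwitch:
    def __init__(self, aging_s):
        self.aging_s = aging_s
        self.table = {}  # MAC -> time the MAC was last seen as a frame *source*

    def learn(self, src_mac, now):
        self.table[src_mac] = now

    def knows(self, dst_mac, now):
        seen = self.table.get(dst_mac)
        if seen is None or now - seen > self.aging_s:
            self.table.pop(dst_mac, None)  # entry aged out
            return False
        return True

def simulate(duration_s, aging_s, send_interval_s, probe_interval_s=None):
    """Count (flooded, forwarded) syslog frames sent toward the server.

    probe_interval_s=None models npu-neighbor-update disabled: nothing ever
    makes the silent server transmit, so the switch cannot refresh its entry.
    """
    sw = LearningSwitch(aging_s)
    sw.learn(SERVER_MAC, 0)  # learned once, from the initial ARP reply
    flooded = forwarded = 0
    for now in range(1, duration_s + 1):
        if probe_interval_s and now % probe_interval_s == 0:
            # The server answers the ARP probe; its reply is sourced from
            # SERVER_MAC, which is what refreshes the switch entry.
            sw.learn(SERVER_MAC, now)
        if now % send_interval_s == 0:
            if sw.knows(SERVER_MAC, now):
                forwarded += 1
            else:
                flooded += 1  # unknown unicast goes out every port in the VLAN
    return flooded, forwarded

if __name__ == "__main__":
    for label, probe in (("disabled", None), ("enabled", 60)):
        print(label, simulate(3600, aging_s=300, send_interval_s=10,
                              probe_interval_s=probe))
```

In this model, probes only prevent flooding when they arrive more often than the switch aging time; a probe interval longer than the aging time still leaves windows in which frames are flooded.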
Copyright 2025 Fortinet, Inc. All Rights Reserved.