FortiGate
lvannstruth
Staff
Article Id 315052
Description

This article describes how to identify when fragmented UDP packets are dropped due to taking the NTurbo path on NP7 platforms and how to resolve the drops.

Scope

NP7 FortiGates.

Solution

When a FortiGate equipped with NP7 processors is forwarding IPS-inspected traffic through a flow-based firewall policy, and this traffic is UDP AND is fragmented, the traffic may be dropped.

These drops occur when fragmented UDP packets take the NTurbo path inside the FortiGate. The only traffic that takes this path is on sessions that are NP7-accelerated and have IPS, Application Control, flow-based Antivirus or flow-based web filtering applied. Traffic taking the NP7 path (no security inspection) and traffic taking the CPU path (any traffic that cannot be offloaded) are not affected by this fragmentation issue.

Refer here for the conditions under which traffic is NP7 accelerated; note that NTurbo has more specific requirements:

NP7 session fast path requirements

NTurbo fragmentation drops can be identified with the CLI command ‘diagnose test app ipsmonitor 14’. If traffic is being dropped, the ‘drop(decode)’ counter will be incremented.

‘diagnose test app ipsmonitor 14’ output without any drops:

[Screenshot in the original article: ipsmonitor 14 output before drops]

‘diagnose test app ipsmonitor 14’ output after fragmented UDP traffic has been sent through this NP7 FortiGate:

[Screenshot in the original article: ipsmonitor 14 output after drops]

Note:

The ‘decode’ drops are distributed across several NTurbo engines, and the presence of decode NTurbo drops in general does not necessarily indicate that UDP traffic is being dropped due to fragmentation.

To resolve this issue, the IP-reassembly CLI-only option can be enabled under the NP7 configuration.

The NP7 processor is capable of reassembling up to two fragments into a single packet before the packet is sent to the CPU for security inspection. If traffic is fragmented into more than two packets, it will still be dropped even with IP-reassembly enabled. Disabling NTurbo is required to stop drops for packets fragmented into three or more pieces.
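As an added illustration (not from the Fortinet article), the following Python estimates how many IPv4 fragments a UDP datagram of a given size produces on a given MTU and maps that count onto the NTurbo behaviour described above. It assumes a 20-byte IPv4 header without options and the fixed 8-byte UDP header.

```python
# Added example, not from the Fortinet article. Estimates IPv4 fragment counts for a
# UDP datagram and maps them to the NP7 NTurbo behaviour the article describes:
# 1 fragment is unaffected, 2 fragments can be handled by ip-reassembly,
# 3 or more fragments are dropped unless NTurbo is disabled.

IPV4_HDR = 20            # assumption: IPv4 header without options
UDP_HDR = 8              # fixed UDP header size
NP7_REASSEMBLY_MAX = 2   # NP7 reassembles up to two fragments (per the article)


def ipv4_fragment_count(udp_payload: int, mtu: int) -> int:
    """Number of IPv4 fragments for a UDP datagram carrying udp_payload bytes."""
    if udp_payload < 0:
        raise ValueError("payload size must be non-negative")
    # Each fragment carries at most (mtu - IP header) bytes of L3 payload, and all
    # fragments except the last must carry a multiple of 8 bytes.
    per_frag = (mtu - IPV4_HDR) // 8 * 8
    if per_frag <= 0:
        raise ValueError("MTU too small to carry an IPv4 fragment")
    l3_payload = UDP_HDR + udp_payload   # UDP header travels in the first fragment
    if IPV4_HDR + l3_payload <= mtu:
        return 1                         # fits in one packet, no fragmentation
    return -(-l3_payload // per_frag)    # ceiling division


def nturbo_verdict(udp_payload: int, mtu: int = 1500) -> tuple[int, str]:
    """Return (fragment count, expected NTurbo outcome) for flow-inspected UDP."""
    n = ipv4_fragment_count(udp_payload, mtu)
    if n == 1:
        return n, "unfragmented: not affected by the NTurbo fragmentation drop"
    if n <= NP7_REASSEMBLY_MAX:
        return n, "two fragments: dropped by NTurbo unless ip-reassembly is enabled"
    return n, "three or more fragments: dropped even with ip-reassembly; disable NTurbo"


if __name__ == "__main__":
    # Constructed sample sizes: a DNS-sized reply, a just-over-MTU datagram,
    # and a large datagram such as a multi-fragment RADIUS or SNMP response.
    for size in (512, 1473, 2952, 4000):
        frags, outcome = nturbo_verdict(size)
        print(f"UDP payload {size:>5} B on MTU 1500 -> {frags} fragment(s): {outcome}")
```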

The CLI commands to enable ip-reassembly are as follows:

config system npu

    config ip-reassembly

        set status enable

    end

end

There are two additional configurable values within the ip-reassembly configuration: the ‘max-timeout’ and ‘min-timeout’ settings.

config system npu

    config ip-reassembly

        set min-timeout <microseconds>

        set max-timeout <microseconds>

    end

end


The default value for min-timeout is 64 µs and for max-timeout is 200,000 µs. These settings are sensitive and may require tuning depending on the network topology.

Enabling IP-reassembly is a global setting across all NP7s on a FortiGate, and will apply to all fragmented traffic.

Enabling this setting will not impact CPU/memory consumption on its own, though the additional traffic being inspected instead of dropped may increase the performance load.

Refer to this article for more information on NTurbo, including how to disable it:

Technical Tip: Nturbo functions within FortiOS

Refer to the administrative guide for more information on what traffic can be handled by NTurbo:

NTurbo offloads flow-based processing