Description: This article describes how to identify the firewall and security policies in policy-based NGFW mode.
Scope: FortiGate.
Solution:
Profile-based NGFW mode FortiGates are more common than policy-based ones. A few operations that are routine on a profile-based NGFW mode FortiGate are harder to perform on a policy-based one. On a profile-based FortiGate, any change that needs to be made to a policy itself is done by right-clicking the policy and selecting Edit in CLI.
In policy-based NGFW mode FortiGates, however, it is a bit different. The layout is shown in the picture below:
One of the challenges of a policy-based NGFW mode firewall is disabling hardware acceleration. For users accustomed to profile-based mode this can add confusion, since the usual steps would be to identify the firewall policy that needs advanced troubleshooting, right-click the policy, select Edit in CLI, and issue the command 'set auto-asic-offload disable'.
NPU offload cannot be turned off in a firewall security policy:
When the session for the interesting traffic is inspected, policy_id=2 and ngwfid=3 can be noticed. If ngwfid refers to the security policy, what does policy_id refer to?
Under SSL Inspection & Authentication, two policies are configured:
For this firewall policy, offload can be disabled, so policy_id refers to the SSL Inspection & Authentication policy:
The result: offload is disabled.
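The same procedure as a FortiOS CLI walk-through (an added example, not part of the original article; the destination address, the policy IDs and the abbreviated session output are constructed for illustration):

```text
# Narrow the session table to the interesting traffic (constructed address)
diagnose sys session filter clear
diagnose sys session filter dst 203.0.113.10
diagnose sys session list

# Constructed, abbreviated output: one session carries two different IDs.
# policy_id -> the SSL Inspection & Authentication (firewall) policy
# ngwfid    -> the Security Policy
#   ... policy_id=2 ... ngwfid=3 ...

# The security policy (ngwfid=3) has no auto-asic-offload option,
# so NPU offload cannot be disabled here:
config firewall security-policy
    edit 3
        # no 'set auto-asic-offload' available in this table
    next
end

# Disable NPU offload on the firewall policy referenced by policy_id=2:
config firewall policy
    edit 2
        set auto-asic-offload disable
    next
end

# Verify: clear the filtered sessions so new ones are created with the
# updated setting, then list them again and check the offload state.
diagnose sys session filter dst 203.0.113.10
diagnose sys session clear
diagnose sys session list
```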
More information regarding the NGFW policy can be found in the document below:
Copyright 2025 Fortinet, Inc. All Rights Reserved.