FortiGate
krajaa
Staff
Article Id 194041

Description

 

This article explains how IPSA offloads flow-based advanced pattern matching.

 

Scope

 

FortiGate.

Solution

 

IPSA offloads advanced or enhanced pattern-matching operations required for flow-based content processing to CP8 and CP9 Content Processors. IPSA offloads enhanced pattern matching for NTurbo firewall sessions and firewall sessions that are not offloaded to NP processors.

When IPSA is turned on, flow-based pattern databases are compiled and downloaded to the content processors from the IPS engine and IPS database. Flow-based pattern matching requests are redirected to the CP hardware, reducing the load on the FortiGate CPU and accelerating pattern matching.

If IPSA is supported on the FortiGate, use the following command to configure it:

 

config ips global
    set cp-accel-mode {advanced | basic | none}
end

 

  • none: CPx acceleration/offloading disabled.
  • basic: offloads basic pattern matching to CPx processors.
  • advanced: offloads more types of pattern matching resulting in higher throughput than basic mode.

 

'advanced' is only available on FortiGate models with two or more CP8s or one or more CP9s. If the cp-accel-mode option is not available, then the FortiGate does not support IPSA.

On FortiGates with one CP8, the default cp-accel-mode is basic. Setting the mode to advanced does not change the types of pattern matching that are offloaded.

On FortiGates with two or more CP8s or one or more CP9s, the default cp-accel-mode is advanced. Set the mode to basic to offload fewer types of pattern matching.


Starting with FortiOS v7.6.0, on lower-end FortiGate models with 2GB memory, the default setting for cp-accel-mode changes to none.

See the release notes.
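
The following is an added example, not Fortinet code: a small audit helper that reads a configuration backup and reports which level of pattern matching is actually offloaded, using the defaults described above. It assumes that a backup omits settings left at their default and that a unit with no CP8 or CP9 does not expose the option; the function names, the `low_mem_2gb` flag and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample of a FortiGate configuration backup (not from a real device).
SAMPLE = """config system global
    set hostname "fw-lab-01"
end
config firewall policy
    edit 1
        set name "lan-out"
    next
end
config ips global
    set cp-accel-mode advanced
end
"""

def find_setting(config_text, block, key):
    """Value of `set <key> ...` directly inside `config <block>`, else None.
    Multi-line quoted values (e.g. certificates) are not handled."""
    stack = []  # open "config"/"edit" blocks, outermost first
    for line in map(str.strip, config_text.splitlines()):
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append(None)  # table entry, never the block being searched
        elif line in ("end", "next"):
            if stack:
                stack.pop()
        elif stack == [block]:
            m = re.fullmatch(r"set\s+(\S+)\s+(.+)", line)
            if m and m.group(1) == key:
                return m.group(2).strip('"')
    return None

def ipsa_state(config_text, cp8, cp9, fortios, low_mem_2gb=False):
    """Return (mode, offloaded, source) following the defaults in the article."""
    if cp8 == 0 and cp9 == 0:
        return (None, "none", "unsupported")  # assumption: option is absent
    has_advanced = cp8 >= 2 or cp9 >= 1
    if fortios >= (7, 6, 0) and low_mem_2gb:
        default = "none"
    else:
        default = "advanced" if has_advanced else "basic"
    configured = find_setting(config_text, "ips global", "cp-accel-mode")
    mode = configured or default
    # On a single CP8, "advanced" offloads the same patterns as "basic".
    offloaded = "basic" if mode == "advanced" and not has_advanced else mode
    return (mode, offloaded, "configured" if configured else "default")
```

For the sample above on a unit with one CP8, `ipsa_state(SAMPLE, 1, 0, (7, 4, 0))` reports the configured mode as advanced but the offloaded level as basic, which is the single-CP8 case the article describes.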