FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Not applicable

Article

Description FortiGate units do not record traffic logs for sessions offloaded to FortiGate NP2 or NP4 processors.
Components

All FortiGate units with NP2 processors, including:

  • FortiGate-3016B port3 to port18
  • FortiGate-620B port1 to port16
  • FortiGate-310B port1 to port8
  • FortiGate-RTM-XB2 (all interfaces)
  • FortiGate-ADM-XB2 (all interfaces)
  • FortiGate-ADM-FB8 (all interfaces)
  • FortiGate-ASM-FB4 (all interfaces)
NP4 based interfaces or units :  ADM-XD4 / RTM-XD2 , FortiGate 1240B.
Steps or Commands

FortiASIC NP2/NP4 network processors can improve network throughput by offloading processing of the following types of traffic:

  • traffic with small packets, such as VoIP
  • latency-sensitive traffic, such as streaming multimedia
  • traffic with long session lifetimes, such as FTP
  • IPSec VPN traffic

To improve network performance, FortiGate units can be configured to offload this traffic to the NP2/NP4 network processors. This fast path processing leverages the additional hardware resources of the NP2/NP4 processors while reducing the amount of traffic processed by the FortiGate unit main processing resources.

Note: Traffic is only processed by NP2/NP4 processors after it is accepted by a firewall policy.

To optimize performance, NP2/NP4 processors do not include traffic logging capabilities. Because of this and because offloaded traffic bypasses FortiOS, no traffic logs are generated for traffic offloaded to NP2/NP4 processors.

FortiOS does not record or display statistics for this traffic. FortiOS will however record traffic and log messages (and count packets) for the TCP session establishment packets :

SYN / SYN ACK / ACK.

If you need to record traffic logs or other statistics for traffic being offloaded to NP2/NP4 processors you can disable offloading these types of sessions by routing the traffic to other interfaces.

You can also use the "config system npu" to disable offloading of IPSec VPN traffic.
 
See also : FortiGate Hardware Acceleration Technical Note and the additional information available in the related articles.

 

Related Articles

Technical Tip : Troubleshoot and verify if traffic is hitting a Firewall Policy

Troubleshooting Tip : How to use the FortiGate sniffer and debug flow in presence of NP2 ports

How to ensure accurate counter values in traffic log when NP6 offloading is enabled

Contributors