Description

This article explains limitations of the NP processor.

Certain interfaces are unable to support NP offloading.

These limits apply to virtual/software interfaces that are presented here below.

Scope

FortiGate.

Solution

Loopback interface.

A loopback interface is a logical interface that is always up (no physical link dependency).
It is widely used to form a BGP setup with neighbors and is used as an IPsec VPN tunnel interface.

Since the interface is a software interface, it will not permit offloading to network processors.

Example of Loopback interface.

config system interface
    edit "Lo1"
        set vdom "root"
        set ip 192.168.1.33 255.255.255.255
        set allowaccess ping
        set type loopback
        set snmp-index 50
    next
end

Note:

For devices with NP7, running on FortiOS 7.0.6 and 7.2.1 and above, hardware acceleration is supported on Loopback interfaces.

Refer to the below KB article:

Technical Tip: Information about IPsec on loopback interface and hardware acceleration

Software switch.

Software switches are supported in certain models of FortiGate.
All of the interfaces in this virtual switch act like interfaces in a hardware switch.
In that, it has the same IP address and can be connected to the same network.

The FortiGate CPU is used to maintain the mac-port table, hence traffic would not be handled by network processors.

Example of a software switch interface.

config system switch-interface
    edit <interface>
        set vdom <vdom>
        set member <interface_list>
        set type switch
    next
end

PPPoE Interface.

PPPoE is commonly used to connect to the provider edge.
It is handled by a PPP software process and connections are terminated in virtual interfaces where traffic is not able to be handled by hardware acceleration.

Example of PPPoE interface.

config system interface
    edit "wan1"
        set vdom "root"
        set mode pppoe
        set allowaccess ping
        set type physical
        set scan-botnet-connections block
        set role wan
        set snmp-index 1
            config ipv6
                set ip6-mode dhcp
            end
        set username "user@abc.com"
        set dns-server-override disable
    next

IPsec VPN over EMAC-VLAN.

IPsec VPN over EMAC-VLAN interface does not support NPU Offload due to kernel and NPU limitations. VNE tunnel sessions are one of the exceptions where the session can be offloaded only by the SOC4 (NP6XLITE) platform and not with SOC3.

EMAC VLAN traffic does not support offloading on NP6/NP6xlite (SOC4) versions. Releases of v6.2.8, v6.4.9, and v7.0.2 have disabled EMAC offloading on NP6/NP6xlite (SOC4) where it is not supported (such as IPsec) due to packet drops and bugs in earlier releases which do not support EMAC VLAN offloading.

Example of IPsec VPN over EMAC-VLAN interface.

config system interface

    edit "VLAN200"

        set vdom "root"

        set interface "wan2"
        set vlanid 200

    next

    edit "AS-EMAC"

        set vdom "AS"

        set ip 10.0.200.99 255.255.255.0
        set allowaccess ping
        set type emac-vlan
        set interface "VLAN200"

    next

end

config vdom

    edit AS

        config vpn ipsec phase1-interface

            edit "AS-VPN"

                set interface "AS-EMAC"  <- The IPSec VPN is bound to the EMAC-VLAN Interface.
                set peertype any
                set net-device disable
                set proposal aes128-sha256
                set remote-gw 10.0.58.158
                set psksecret *******

            next

Use physical or VLAN interfaces that bind to fixed ports for traffic offloading to NP (network processors).

The VDOM link will not support NPU acceleration and & offload.

Related link concerning NP6 and NP6 lite acceleration:
NP6 and NP6lite acceleration

Technical Tip: Difference and understanding between NPU Vdom link, NPU Vdom link with VLAN and Vdom ...