Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Markus_M
Staff
Staff

Created on ‎09-02-2019 07:29 AM

Article Id 196337

Technical Tip: Interface not supported by NPU Offload

Description
This article explains limitations of the NP processor.

Certain interfaces are unable to support NP offloading.

These limits apply to virtual/software interfaces that are presented here below.


Loopback interface.

A loopback interface is a logical interface that is always up (no physical link dependency).
It is widely used to form a BGP setup with neighbors and is used as an IPsec VPN tunnel interface.

Since the interface is a software interface, it will not permit to offload to network processors.

Example of Loopback interface.
#config system interface
    edit "Lo1"
        set vdom "root"
        set ip 192.168.1.33 255.255.255.255
        set allowaccess ping
        set type loopback
        set snmp-index 50
    next
end
Software switch.

Software switches are supported in certain models of FortiGate.
All of the interfaces in this virtual switch act like interfaces in a hardware switch.
In that, it has the same IP address and can be connected to the same network.

The FortiGate CPU is used to maintain the mac-port table, hence traffic would not be handled by network processors

Example of software switch interface.
#config system virtual-switch
    edit "internal"
        set physical-switch "sw0"
        config port
            edit "internal1"
            next
            edit "internal2"
            next
end
PPPoE Interface.

PPPoE is commonly used to connect to the provider edge.
It is handled by a PPP software process and connections are terminated in virtual interfaces where traffic is not able to be handled by hardware acceleration.

Example of PPPoE interface.
#config system interface
    edit "wan1"
        set vdom "root"
        set mode pppoe
        set allowaccess ping
        set type physical
        set scan-botnet-connections block
        set role wan
        set snmp-index 1
        config ipv6
            set ip6-mode dhcp
        end
        set username "user@abc.com"
         set dns-server-override disable
    next

Solution
Use physical or VLAN interfaces that bind to fixed ports in order for traffic offloading to NP (network processors).

Related link concerning NP6 and NP6 lite acceleration:

https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-hardware-acceleration/NP6.htm?Highli...

Labels:
8872
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.