sgiannogloudis
Article Id 193727

Description

Nturbo is a Fortinet hardware ASIC that improves overall IPS performance. It sits between the NP6 and the IPS engines and uses load-balancing algorithms to dynamically distribute the load across the available IPS engines. All devices with NP6 or SOC3 based processors can benefit from this feature.
 
This article describes this feature.


Solution
Feature Verification.

1) Nturbo can be enabled or disabled globally on the box with the commands below:

#config ips global
    set np-accel-mode [none | basic]                             <----- None: Disables Nturbo, Basic: Enables Nturbo.
end

If the np-accel-mode option is not available on the firewall, the FortiGate model does not support Nturbo.

 

2) Nturbo can also be disabled on a per-policy basis with the commands below:

#config firewall policy
    edit <X>
        set np-acceleration [enable | disable]
    next
end

To observe more advanced Nturbo statistics, issue the command:

#diagnose test application ipsmonitor 14


Nturbo Limitations.

1) Device Identification:

Interfaces used in the firewall policies must have device identification disabled.

2) Session helpers:

Sessions that are handled by session helpers cannot be offloaded to Nturbo.

3) Proxy based features:

Proxy-based features such as proxy AV should not be enabled on the firewall policies.
As of 6.2.0, the firewall policies handling the traffic should also be configured in flow-based inspection mode.

4) Interface policy or DDoS policies:

Physical ports that carry the traffic must not have any interface or DDoS policies configured.

5) Protocols:

Protocols other than TCP and UDP cannot be offloaded to Nturbo.
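
The following Python script is an added example, not Fortinet code: it reads a saved configuration and lists, per firewall policy, which of the configuration-level limitations above apply (per-policy np-acceleration, proxy inspection, device identification, interface/DoS policies). Apart from np-acceleration, the key and section names (device-identification, inspection-mode, firewall interface-policy, firewall DoS-policy) and the sample excerpt are assumptions; session helpers and non-TCP/UDP protocols are per-session properties and are not checked.

```python
import shlex

# Constructed FortiOS-style excerpt (assumed layout), not from a real device.
SAMPLE = """config system interface
    edit "port1"
        set device-identification enable
    next
end
config firewall DoS-policy
    edit 1
        set interface "port3"
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port3"
        set inspection-mode proxy
    next
end"""

def parse(text):
    """Flat config/edit/set text -> {section: {entry: {key: [values]}}}."""
    tree, section, entry = {}, None, ""
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["config"]:      # assumes no nested config blocks
            section, entry = " ".join(tok[1:]), ""
        elif tok[:1] == ["edit"]:
            entry = tok[1]
        elif tok[:1] == ["set"] and section:
            tree.setdefault(section, {}).setdefault(entry, {})[tok[1]] = tok[2:]
    return tree

def nturbo_blockers(tree):
    """Return {policy id: [reasons the policy's sessions cannot use Nturbo]}."""
    ifaces, report = tree.get("system interface", {}), {}
    # Interfaces referenced by any interface policy or DoS policy.
    pinned = {i for s in ("firewall interface-policy", "firewall DoS-policy")
              for e in tree.get(s, {}).values() for i in e.get("interface", [])}
    for pid, p in tree.get("firewall policy", {}).items():
        why = [f"{k} {v}" for k, v in (("np-acceleration", "disable"),
                                       ("inspection-mode", "proxy")) if p.get(k) == [v]]
        for n in p.get("srcintf", []) + p.get("dstintf", []):
            if ifaces.get(n, {}).get("device-identification") == ["enable"]:
                why.append(f"device-identification on {n}")
            if n in pinned:
                why.append(f"interface/DoS policy on {n}")
        report[pid] = why
    return report
```

A policy with an empty list has none of the checked limitations; settings absent from the file are treated as not blocking.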

