sgiannogloudis
Article Id 193727

Description

 
This article describes the Nturbo feature, a Fortinet hardware ASIC that improves overall IPS performance. The component sits between the NP6 and the IPS engines and uses load-balancing algorithms to dynamically distribute the load across the available IPS engines. All devices that have NP6 or SOC3-based processors can benefit from this feature.
 
Scope
 
FortiGate.


Solution

 

Feature Verification.

 

  1. Nturbo can be enabled or disabled globally on the device with the following commands:

    config ips global
        set np-accel-mode [none | basic]                             <----- none: disables Nturbo, basic: enables Nturbo.
    end

 

If the np-accel-mode option is not available on the firewall, it means that the FortiGate model does not support NTurbo.

 

Some FortiGate models on NP6/NP6Lite/NP6xLite platforms experience unexpected behavior due to certain traffic conditions after upgrading to 7.2.8. Traffic may be interrupted momentarily.

 

Users impacted by this issue can contact Fortinet Support. Alternatively, users can disable the processing of traffic by the IPS engine’s nTurbo as a workaround, by using the following command:

 

config ips global
    set np-accel-mode none
end

 

The issue has been reported as Bug ID 1012518 and has been resolved in 7.2.9.

 

  2. Furthermore, Nturbo can be disabled on a per-policy basis with the following commands:

     

 

For IPv4 security policies: 


config firewall policy
    edit <X>
        set np-acceleration enable/disable
    next
end


For IPv6 security policies: 

 

config firewall policy6
    edit <X>
        set np-acceleration enable/disable
    next
end

 

For multicast security policies: 

 

config firewall multicast-policy
    edit <X>
        set np-acceleration enable/disable
    next
end

 

To observe more advanced Nturbo statistics, issue the command:

 

diagnose test application ipsmonitor 14

Nturbo Limitations.

 

  1. Device Identification:

    Interfaces that are involved in the firewall policies must have device identification disabled.

  2. Session helpers:

    All the sessions that are being handled by session helpers cannot be offloaded to Nturbo.

  3. Proxy-based features:

    Proxy-based applications such as proxy Antivirus should not be enabled on the firewall policies.
    Also, as of 6.2.0, the firewall policies handling the traffic should be configured in flow-based inspection mode.

  4. Protocols:

    Protocols other than TCP and UDP cannot be offloaded to Nturbo.
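
The global setting, the per-policy setting and the configuration-related limitations above can be checked offline against a configuration backup. The following Python script is an added example, not Fortinet code: it runs on a constructed sample configuration and assumes the backup uses the inspection-mode key on firewall policies and the device-identification key on interfaces. Session helpers and non-TCP/UDP protocols are not visible in these sections and are not checked.

```python
# Added example; SAMPLE is a constructed config excerpt, not from a real device.
SAMPLE = """\
config ips global
    set np-accel-mode basic
end
config system interface
    edit "port1"
        set device-identification enable
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set inspection-mode proxy
        set np-acceleration disable
    next
    edit 2
        set srcintf "port2"
    next
end
"""
BLOCKING = {"np-acceleration": "disable", "inspection-mode": "proxy"}

def parse(text):
    """Flat parse into {section: {entry: {key: value}}}; nested 'config' blocks are not handled."""
    cfg, section, entry = {}, None, ""
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "config":
            section, entry = " ".join(tok[1:]), ""
        elif tok[0] == "edit":
            entry = tok[1].strip('"')
        elif tok[0] == "set" and section:
            value = " ".join(t.strip('"') for t in tok[2:])
            cfg.setdefault(section, {}).setdefault(entry, {})[tok[1]] = value
    return cfg

def nturbo_blockers(text):
    """Map policy ID (or 'global') to the settings that keep its traffic off Nturbo."""
    cfg = parse(text)
    if cfg.get("ips global", {}).get("", {}).get("np-accel-mode") == "none":
        return {"global": ["np-accel-mode none"]}
    ifaces, report = cfg.get("system interface", {}), {}
    for pid, pol in cfg.get("firewall policy", {}).items():
        why = [f"{k} {v}" for k, v in BLOCKING.items() if pol.get(k) == v]
        names = (pol.get("srcintf", "") + " " + pol.get("dstintf", "")).split()
        why += [f"device-identification on {n}" for n in names
                if ifaces.get(n, {}).get("device-identification") == "enable"]
        if why:
            report[pid] = why
    return report
```

Calling nturbo_blockers(SAMPLE) lists policy 1 with three blocking settings and omits policy 2, which has none.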