Solution
There are some special cases where sessions may not be offloaded by NTurbo, even when NTurbo is explicitly enabled.
In these cases, the sessions are handled by the FortiGate CPU.
- NP acceleration is disabled. For example, auto-ASIC offload is disabled in the firewall policy configuration.
- The firewall policy includes proxy-based security profiles.
- The sessions are accepted by firewall policies that include proxy-based virus scanning, proxy-based web filtering, DNS filtering, DLP, Anti-Spam, VoIP, ICAP, Web Application Firewall, or proxy options.
- The sessions require FortiOS session helpers. For example, FTP sessions cannot be offloaded to NP processors because FTP sessions use the FTP session helper.
- Interface policies or DoS policies have been added to the ingress or egress interface.
- Tunneling is enabled. Traffic to some tunneled interfaces (IPinIP, SSL VPN, GRE, CAPWAP, etc.) cannot be offloaded by NTurbo.
- Device identification is enabled. If enabled, the session will not be offloaded until the MAC address communicating with the FortiGate has been identified.
- The interface is configured in PPPoE mode. PPPoE connections are handled by a PPP software process and terminated on virtual interfaces, which do not support hardware acceleration.
- Traffic traverses, originates at, or terminates at a software interface, for example a VDOM link, loopback interface, or software switch.
- The ingress and egress interfaces are on different NPUs and must use the CPU to forward the traffic. This is only an issue for certain models that do not use an internal switch fabric to join multiple NPUs together. See more details in this article: Technical Tip: Potential cause of NPU non-offloading reason ‘non-npu-intf’ for sessions in FortiGate...
To confirm whether a session is offloaded, use the command 'diagnose sys session list'. Its output also gives the reason a session is not offloaded to the NPU in the no_ofld_reason field.
Use the following document to gain more details on the reason: diagnose sys session list no_ofld_reason field
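When a session list is long, it helps to summarise which sessions stayed on the CPU and why. The following Python script is an added example, not code from the article or from Fortinet: it parses saved 'diagnose sys session list' output, extracts the policy_id, the original-direction tuple and the no_ofld_reason tokens of each session, and counts the reasons. It assumes the usual layout of the session list (each session starts with a 'session info:' line, carries a 'policy_id=N' field and a 'dir=org' line, and, when not offloaded, a 'no_ofld_reason:' line); the exact field layout varies by FortiOS version, so the regular expressions are deliberately tolerant. The sample output embedded in the script is constructed and abbreviated.

```python
"""Summarise non-offloaded sessions from saved 'diagnose sys session list' output.

Added example, not part of the Fortinet article. Assumes the common session
list layout described in the lead-in; field order may differ between
FortiOS versions, so the regexes are tolerant rather than exact.
"""
import re
import sys
from collections import Counter

# Reason tokens quoted in this article; any other token should be looked up
# in the 'diagnose sys session list no_ofld_reason field' reference.
REASONS_IN_ARTICLE = {
    "non-npu-intf",
    "redir-to-av", "auth",
    "block-by-ips", "redir-to-ips", "denied-by-nturbo",
}

# Constructed, abbreviated sample: three sessions, one offloaded and two not.
SAMPLE_OUTPUT = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty npu
hook=pre dir=org act=noop 10.1.1.10:50000->10.2.2.20:443(0.0.0.0:0)
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0
npu_state=0x4000c00 ofld-O ofld-R
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty
hook=pre dir=org act=noop 10.1.1.11:50001->192.0.2.7:80(0.0.0.0:0)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
no_ofld_reason:  non-npu-intf
session info: proto=17 proto_state=00 duration=1 expire=179 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
state=log may_dirty
hook=pre dir=org act=noop 10.1.1.12:40000->198.51.100.9:53(0.0.0.0:0)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
no_ofld_reason:  redir-to-ips denied-by-nturbo
"""

SESSION_SPLIT = re.compile(r"(?m)^session info:")


def parse_sessions(text):
    """Return one dict per session: proto, policy_id, tuple and reason tokens."""
    sessions = []
    for block in SESSION_SPLIT.split(text)[1:]:
        proto = re.search(r"\bproto=(\d+)", block)
        policy = re.search(r"\bpolicy_id=(\d+)", block)
        tup = re.search(r"dir=org act=\S+ (\S+->[\d.]+:\d+)", block)
        reason = re.search(r"(?m)^no_ofld_reason:\s*(.*?)\s*$", block)
        sessions.append({
            "proto": int(proto.group(1)) if proto else None,
            "policy_id": int(policy.group(1)) if policy else None,
            "tuple": tup.group(1) if tup else None,
            # A session without a no_ofld_reason line is treated as offloaded.
            "reasons": reason.group(1).split() if reason else [],
        })
    return sessions


def summarize(sessions):
    """Count sessions, non-offloaded sessions, reason tokens and affected policies."""
    not_offloaded = [s for s in sessions if s["reasons"]]
    reasons = Counter(r for s in not_offloaded for r in s["reasons"])
    return {
        "total": len(sessions),
        "not_offloaded": len(not_offloaded),
        "reasons": reasons,
        "unknown_reasons": sorted(r for r in reasons if r not in REASONS_IN_ARTICLE),
        "by_policy": Counter(s["policy_id"] for s in not_offloaded),
    }


def report(text):
    """Render a short text summary of the session list."""
    summary = summarize(parse_sessions(text))
    lines = [f"sessions: {summary['total']}, not offloaded: {summary['not_offloaded']}"]
    for reason, n in summary["reasons"].most_common():
        tag = "" if reason in REASONS_IN_ARTICLE else "  (see no_ofld_reason field reference)"
        lines.append(f"  {reason}: {n}{tag}")
    for policy, n in summary["by_policy"].most_common():
        lines.append(f"  policy_id={policy}: {n} non-offloaded session(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python summarize_sessions.py saved_session_list.txt
    # With no argument the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_OUTPUT
    print(report(text))
```

Grouping by policy_id is the useful part in practice: when every non-offloaded session sits behind the same policy, the cause is usually one of the policy-level conditions listed above (auto-ASIC offload disabled, proxy-based profiles, DoS or interface policies), whereas reasons spread across all policies point at an interface or platform condition.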
Note:
- Disabling NPU offload makes the CPU handle all the traffic, which consumes CPU resources.
- The FortiGate VM platform does not support hardware acceleration (NPU); in the session list, the following outputs are expected behaviour:
no_ofld_reason: redir-to-av auth
no_ofld_reason: block-by-ips redir-to-ips denied-by-nturbo
no_ofld_reason: redir-to-ips denied-by-nturb
- Analogous to the physical NP found in hardware appliances, Virtual Security Processing Units (vSPUs) can be configured on the specific FortiGate VM.
- vSPUs on FortiGate VM mimic the physical NP (Network Processor) found in hardware appliances, providing dedicated acceleration for security functions, and can be configured to improve performance and security.
- According to the Fortinet KVM Administration Guide (version 7.6.0), vSPUs are virtualised security modules that can be added or removed through the FortiGate VM's configuration interface, allowing flexible deployment tailored to specific security needs.
- This setup ensures that high-performance security processing is maintained in virtualised environments, supporting scalable and efficient security management.
Follow this related document: FortiGate vSPU