FortiGate
rvillaroman
Staff
Article Id 336627
Description This article describes the reasons why a session is not offloaded to the NPU even though the NPU is explicitly enabled.
Scope FortiGate.
Solution

There are some special cases where sessions may not be offloaded by NTurbo, even when NTurbo is explicitly enabled.

In these cases, the sessions are handled by the FortiGate CPU.

  1. NP acceleration is disabled. For example, auto-asic-offload is disabled in the firewall policy configuration.
  2. The firewall policy includes proxy-based security profiles.
  3. The session is accepted by a firewall policy that includes proxy-based virus scanning, proxy-based web filtering, DNS filtering, DLP, Anti-Spam, VoIP, ICAP, Web Application Firewall, or Proxy options.
  4. The session requires a FortiOS session helper. For example, FTP sessions cannot be offloaded to NP processors because FTP sessions use the FTP session helper.
  5. Interface policies or DoS policies have been added to the ingress or egress interface.
  6. Tunneling is enabled. Traffic to some tunneled interfaces (IPinIP, SSL VPN, GRE, CAPWAP, etc.) cannot be offloaded by NTurbo.
  7. Device identification is enabled. If enabled, the session will not be offloaded until the MAC address communicating with the FortiGate has been identified.
  8. The interface is configured in PPPoE mode. PPPoE connections are handled by a PPP software process and terminated in virtual interfaces, which do not support hardware acceleration.
  9. The traffic traverses, originates at, or terminates at a software interface. For example: VDOM Link, Loopback Interface, Software Switch.

To confirm whether a session is offloaded, use the command 'diag sys session list'.

The output also gives the reason why a session is not offloaded to the NPU, in the no_ofld_reason field.
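
To see which reasons and which policies keep sessions on the CPU, saved output of the command can be summarised offline. The Python script below is an added example, not Fortinet code: the sample text is constructed, its field layout and reason strings (redir-to-av, disabled-by-policy, non-npu-intf) are assumptions about the output format, and the function names parse_sessions and summarize are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample shaped like 'diag sys session list' output, trimmed to
# the lines the parser reads. Layout and reason strings are assumptions.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=12 expire=3590 timeout=3600
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0
session info: proto=6 proto_state=11 duration=40 expire=3570 timeout=3600
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
no_ofld_reason:  redir-to-av
session info: proto=17 proto_state=01 duration=5 expire=175 timeout=180
misc=0 policy_id=9 auth_info=0 chk_client_info=0 vd=0
no_ofld_reason:  disabled-by-policy
session info: proto=6 proto_state=01 duration=90 expire=3510 timeout=3600
misc=0 policy_id=9 auth_info=0 chk_client_info=0 vd=0
no_ofld_reason:  disabled-by-policy non-npu-intf
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
no_ofld_reason:
"""

def parse_sessions(text):
    """Return one dict per session: its policy_id and no-offload reasons."""
    sessions = []
    # A session runs from one "session info:" line to the next (or to the end).
    for block in re.findall(r"(?ms)^session info:.*?(?=^session info:|\Z)", text):
        pol = re.search(r"\bpolicy_id=(\d+)", block)
        why = re.search(r"no_ofld_reason:[ \t]*(.*)", block)
        sessions.append({
            "policy_id": int(pol.group(1)) if pol else None,
            # Field absent or empty means no reason reported; it may list several.
            "reasons": why.group(1).split() if why else [],
        })
    return sessions

def summarize(sessions):
    """Count sessions per reason and collect the policy IDs behind each one."""
    counts, policies = Counter(), defaultdict(set)
    for s in sessions:
        for reason in s["reasons"]:
            counts[reason] += 1
            if s["policy_id"] is not None:
                policies[reason].add(s["policy_id"])
    return dict(counts), {r: sorted(p) for r, p in policies.items()}

if __name__ == "__main__":
    print(summarize(parse_sessions(SAMPLE)))
```

A policy ID that appears under a reason is the place to start checking against the list of cases above.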

 

Note:

Disabling NPU offload makes the CPU handle all the traffic, which consumes CPU resources.