There are some special cases where sessions may not be offloaded by NTurbo, even when NTurbo is explicitly enabled.

In these cases, the sessions are handled by the FortiGate CPU.

1. NP acceleration is disabled. For example, auto-asic-offload is disabled in the firewall policy configuration.
   
2. The firewall policy includes proxy-based security profiles.
   
3. Accepted by firewall policies that include proxy-based virus scanning, proxy-based web filtering, DNS filtering, DLP, Anti-Spam, VoIP, ICAP, Web Application Firewall, or Proxy options.
   
4. The sessions require FortiOS session-helpers. For example, FTP sessions can not be offloaded to NP processors because FTP sessions use the FTP session helper.
5. Interface policies or DoS policies have been added to the ingress or egress interface.
6. Tunneling is enabled. Traffic to some tunneled interfaces (IPinIP, SSL VPN, GRE, CAPWAP, etc.) cannot be offloaded by NTurbo.
7.  Device identification is enabled. If enabled, the session will not be offloaded until the MAC address communicating with the FortiGate has been identified.
8. If the interface is configured as PPPoE mode. PPPoE connections are handled by a PPP software process and terminated in virtual interfaces, which do not support hardware acceleration.
9. Traffic traversing, originating at, or terminating at the software interface. For example: VDOM Link, Loopback Interface, Software Switch.

To confirm if a session is not offloaded, use the command 'diag sys session list'.

It will also provide the reason why a session is not offloaded to the NPU on the no_ofld_reason field. 

Note:

Disabling the NPU offload will make the CPU handle all the traffic and it will take CPU resources.