FortiGate
ashaikh, Staff
Article Id 412557
Description This article describes the actual behavior and implications of the dedicated-management-cpu and dedicated-management-affinity settings on the FortiGate.
Scope FortiGate.
Solution

By default, the management-related user-space processes on the FortiGate, such as the HTTPS and SSH daemons serving the management interface (for example httpsd), can be scheduled to run on any CPU core.

 

FortiGate-4801F # diagnose sys process pidof httpsd
9489

FortiGate-4801F # fnsysctl cat /proc/9489/status
Name: httpsd
Umask: 0022
State: S (sleeping)
Tgid: 9489

...

Cpus_allowed: ffff,ffffffff,ffffffff,ffffffff     <----- Every bit of the mask is set: httpsd may be scheduled on any available core.
Cpus_allowed_list: 0-111                           <----- httpsd may be scheduled on all 112 cores of this model.

 

  • When the device is under heavy load and CPU utilization on every individual core is high, performing a configuration change or another CPU-intensive management task can result in traffic drops.
  • To avoid this situation, enable dedicated-management-cpu on the FortiGate.
  • This feature moves all traffic-related interrupts raised by the NP6/NP7 chips away from CPU0.
  • After dedicated-management-cpu is enabled, management user-space applications such as the HTTPS/SSH daemons are scheduled only on CPU0, as shown below.

 

FortiGate-4801F # diagnose sys process pidof httpsd
9489

FortiGate-4801F # fnsysctl cat /proc/9489/status
Name: httpsd
Umask: 0022
State: S (sleeping)
Tgid: 9489
Cpus_allowed: 0000,00000000,00000000,00000001    <----- Only bit 0 is set: httpsd may be scheduled on CPU0 only.
Cpus_allowed_list: 0                             <----- CPU0 is the only allowed core.
voluntary_ctxt_switches: 80850
nonvoluntary_ctxt_switches: 3

 

This happens because dedicated-management-affinity is automatically set to 1 (a mask with only bit 0 set, i.e. CPU0) when dedicated-management-cpu is enabled.

 

config system npu                         <----- Check with: show full system npu | grep management
    set dedicated-management-cpu enable
    set dedicated-management-affinity "1" <----- Management processes run on CPU0 only.

 

  • The dedicated-management-affinity setting is a hexadecimal CPU bitmask (one bit per core, bit 0 = CPU0) that controls where management-related user-space applications such as SSH and HTTPS are scheduled. The mask has to be sized for the core count of the model: on the 112-core FortiGate-4801F used here it is 28 hex digits wide, which is why the value set in the example below looks the way it does.

Example use case:

 

Problem:

Dedicated-management-affinity is very useful in scenarios where CPU0 needs to be dedicated to kernel-related processing of priority traffic such as BGP, BFD, LACP, etc.

 

In such a situation, CPU0 should also be kept free of CPU-intensive management operations and of the management-related user-space processes.

 

Solution:

To meet this requirement, use the dedicated-management-affinity command to move the CPU affinity of processes like httpsd and the SSH daemon away from CPU0, i.e. set a mask in which bit 0 is clear and the bits for all other cores are set.

 

FortiGate-4801F # config sys npu

FortiGate-4801F (npu) # set dedicated-management-affinity fffffffffffffffffffffffffffe

FortiGate-4801F (npu) # end

 

FortiGate-4801F # fnsysctl cat /proc/9489/status
Name: httpsd
Umask: 0022
State: S (sleeping)
Tgid: 9489
Cpus_allowed: ffff,ffffffff,ffffffff,fffffffe       <----- Bit 0 is clear: httpsd may be scheduled on all cores except CPU0.
Cpus_allowed_list: 1-111                            <----- CPU0 is not in the allowed list.
voluntary_ctxt_switches: 82179
nonvoluntary_ctxt_switches: 3

 

In effect, CPU0 is freed from:

  1. Processing NP6/NP7-generated traffic interrupts, by enabling dedicated-management-cpu.
  2. Handling management-related operations and CPU-intensive management tasks, by changing dedicated-management-affinity to a mask that covers all cores except CPU0.

Note that the same httpsd PID (9489) shows the new Cpus_allowed mask after the change, so the new affinity is applied to already-running management processes; always confirm the effective mask with fnsysctl cat /proc/<pid>/status after editing the setting rather than trusting the configured value alone.
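The following helper is an added example and is not part of Fortinet's code or of this article. It generalizes what the article shows: it turns a desired set of management cores into the hex value for set dedicated-management-affinity, reads the Cpus_allowed / Cpus_allowed_list fields out of a /proc/<pid>/status dump as printed by fnsysctl, and checks that they agree. The 112-core count is the FortiGate-4801F from the article; NUM_CORES is an assumed parameter that must be set to the core count of the model in hand, and the SAMPLE_STATUS text is constructed in the format of the dumps above.

```python
"""dedicated-management-affinity mask helper (added example, not Fortinet's code).

Relies only on what the article shows: the affinity value is a hex bitmask with
one bit per core (bit 0 = CPU0), and the kernel reports the effective mask in
/proc/<pid>/status as Cpus_allowed (comma-separated 32-bit hex words, most
significant first) and as Cpus_allowed_list (ranges such as "1-111").
"""

NUM_CORES = 112  # assumption: core count of the target model; adjust for your own


def affinity_mask(cores, num_cores=NUM_CORES):
    """Hex value for 'set dedicated-management-affinity <mask>' allowing exactly
    the given cores. Leading zeros are dropped, so CPU0-only is "1", which is
    what the FortiGate itself writes when dedicated-management-cpu is enabled."""
    value = 0
    for c in cores:
        if not 0 <= c < num_cores:
            raise ValueError(f"CPU{c} does not exist on a {num_cores}-core system")
        value |= 1 << c
    if value == 0:
        raise ValueError("mask would allow no core at all")
    return f"{value:x}"


def mask_to_cores(hex_mask, num_cores=NUM_CORES):
    """Expand a mask (CLI form "fe" or /proc form "0000,000000fe") into the
    sorted list of allowed cores, refusing bits for cores that do not exist."""
    value = int(hex_mask.replace(",", ""), 16)
    if value >> num_cores:
        raise ValueError(f"mask {hex_mask} sets bits beyond CPU{num_cores - 1}")
    return [i for i in range(num_cores) if value >> i & 1]


def cores_to_list(cores):
    """Render cores in Cpus_allowed_list syntax: '0', '1-111', '0,2-5'."""
    cores = sorted(set(cores))
    ranges, i = [], 0
    while i < len(cores):
        j = i
        while j + 1 < len(cores) and cores[j + 1] == cores[j] + 1:
            j += 1
        ranges.append(str(cores[i]) if i == j else f"{cores[i]}-{cores[j]}")
        i = j + 1
    return ",".join(ranges)


def parse_proc_status(text, num_cores=NUM_CORES):
    """Read Cpus_allowed and Cpus_allowed_list from a /proc/<pid>/status dump
    (as printed by 'fnsysctl cat /proc/<pid>/status') and return the allowed
    cores plus whether the two fields agree with each other."""
    fields = {}
    for line in text.splitlines():
        key, sep, rest = line.partition(":")
        tokens = rest.split()
        if sep and tokens:
            fields[key.strip()] = tokens[0]  # first token; ignores trailing notes
    allowed = mask_to_cores(fields["Cpus_allowed"], num_cores)
    return allowed, cores_to_list(allowed) == fields["Cpus_allowed_list"]


# Constructed sample in the format of the article's status dumps
# (httpsd after the mask was changed to all cores except CPU0).
SAMPLE_STATUS = """\
Name: httpsd
Umask: 0022
State: S (sleeping)
Tgid: 9489
Cpus_allowed: ffff,ffffffff,ffffffff,fffffffe
Cpus_allowed_list: 1-111
voluntary_ctxt_switches: 82179
nonvoluntary_ctxt_switches: 3
"""


if __name__ == "__main__":
    # "Every core except CPU0" on the 112-core 4801F: the article's 28-digit value
    print("112-core, skip CPU0:", affinity_mask(range(1, NUM_CORES)))
    # The same intent on a hypothetical 8-core model is a very different string
    print("8-core, skip CPU0:  ", affinity_mask(range(1, 8), num_cores=8))
    cores, ok = parse_proc_status(SAMPLE_STATUS)
    print("kernel reports:", cores_to_list(cores), "consistent:", ok)
```

The point of the num_cores guard is the mistake the article's example makes easy to commit: copying the 28-digit mask from a 4801F onto a smaller model sets bits for cores that do not exist, while a mask that is too short silently leaves the upper cores out of the allowed set.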