vtsonev
Staff
Article Id 372760
Description This article describes how to avoid packet loss while updating/restarting the IPS engine.
Scope FortiOS 7.0.X, 7.2.X, 7.4.X and 7.6.X.
Solution

In some cases there are long-lived sessions on the firewall that must be kept alive while the IPS engine is being updated or restarted.

Follow the example below, where a session with a duration of 1882093 seconds is restarted when the IPS engine is updated. This is expected behavior, because the session was offloaded to the IPS engine, but a configuration change on the matching firewall policy avoids it.

Before IPS engine restarts:

session info: proto=6 proto_state=11 duration=1882093 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
orgin->sink: org pre->post, reply pre->post dev=32->37/37->32 gwy=172.16.249.9/172.16.90.33
hook=pre dir=org act=noop 172.16.90.33:65160->172.16.101.202:102(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.101.202:102->172.16.90.33:65160(0.0.0.0:0)
policy_id=30
npu_state=0x1043094 ips_offload

After IPS upgrade/downgrade or IPS engine restart:

session info: proto=6 proto_state=66 duration=129 expire=4 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
orgin->sink: org pre->post, reply pre->post dev=32->37/37->32 gwy=172.16.249.9/172.16.90.33
hook=pre dir=org act=noop 172.16.90.33:63767->172.16.101.202:102(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.101.202:102->172.16.90.33:63767(0.0.0.0:0)
policy_id=30
npu_state=0x1043094 ips_offload

Explanation:

When NTurbo is enabled, the old IPS engine is killed during the IPS engine update and a new IPS engine is started. During that window the NTurbo-offloaded session has already been pushed to the NPU, so traffic keeps arriving but there is no reader (the IPS engine) for it, and the traffic is dropped.
After the IPS engine update completes, the new IPS engine starts processing incoming data. For the long-lived NTurbo-offloaded session, however, IPS/NTurbo cannot find the necessary output interface information, so the packets cannot be sent out through NTurbo and are sent out through the kernel instead.
When NTurbo is disabled, the kernel knows during the IPS engine update that no reader (IPS engine) is available, so traffic is not sent to IPS; new incoming traffic is forwarded directly by the kernel during this period. After the IPS engine update is complete, there is no noticeable difference between NTurbo enabled and disabled.

Configuration change:

config firewall policy
    edit 30
        set np-acceleration disable
    next
end

After the upgrade/restart of the IPS engine is finished, this change can be reverted so that the policy uses NP offloading again.
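The procedure above is done per policy, so before a planned IPS engine update an administrator needs to know which policies carry long-lived IPS-offloaded sessions. The script below is an added example, not part of the Fortinet article or of FortiOS: it parses session records in the format shown above (as printed by 'diagnose sys session list'), picks out sessions whose npu_state line carries the ips_offload flag and whose duration exceeds a threshold, and renders the corresponding FortiOS CLI to disable, and later re-enable, NP acceleration on those policies. The sample session text is constructed for the example, and the 3600-second threshold and the 'policies_at_risk' / 'cli_for' helper names are assumptions of this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample output in the format of 'diagnose sys session list'.
# Policy 30: long-lived and IPS-offloaded (the case from the article).
# Policy 31: IPS-offloaded but young. Policy 32: not IPS-offloaded at all.
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=11 duration=1882093 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
orgin->sink: org pre->post, reply pre->post dev=32->37/37->32 gwy=172.16.249.9/172.16.90.33
hook=pre dir=org act=noop 172.16.90.33:65160->172.16.101.202:102(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.101.202:102->172.16.90.33:65160(0.0.0.0:0)
policy_id=30
npu_state=0x1043094 ips_offload

session info: proto=6 proto_state=01 duration=42 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
orgin->sink: org pre->post, reply pre->post dev=32->37/37->32 gwy=172.16.249.9/172.16.90.33
hook=pre dir=org act=noop 172.16.90.40:51000->172.16.101.202:443(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.101.202:443->172.16.90.40:51000(0.0.0.0:0)
policy_id=31
npu_state=0x1043094 ips_offload

session info: proto=6 proto_state=11 duration=99999 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
orgin->sink: org pre->post, reply pre->post dev=32->37/37->32 gwy=172.16.249.9/172.16.90.33
hook=pre dir=org act=noop 172.16.90.41:51001->172.16.101.203:22(0.0.0.0:0)
hook=post dir=reply act=noop 172.16.101.203:22->172.16.90.41:51001(0.0.0.0:0)
policy_id=32
npu_state=0x0000000
"""

# Assumed threshold: sessions older than one hour count as "long-lived".
LONG_LIVED_SECONDS = 3600


def parse_sessions(text: str) -> List[Dict[str, object]]:
    """Split session-list output into records: duration, policy_id, ips_offload."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, object] = {"duration": 0, "policy_id": None, "ips_offload": False}
        for line in block.splitlines():
            m = re.search(r"\bduration=(\d+)", line)
            if m:
                rec["duration"] = int(m.group(1))
            m = re.match(r"policy_id=(\d+)", line)
            if m:
                rec["policy_id"] = int(m.group(1))
            # The flag is a separate token on the npu_state line, e.g.
            # "npu_state=0x1043094 ips_offload"; absent when not IPS-offloaded.
            if line.startswith("npu_state=") and "ips_offload" in line.split():
                rec["ips_offload"] = True
        records.append(rec)
    return records


def policies_at_risk(sessions: List[Dict[str, object]],
                     min_duration: int = LONG_LIVED_SECONDS) -> List[int]:
    """Policy IDs that carry IPS-offloaded sessions at least min_duration seconds old."""
    ids = set()
    for s in sessions:
        pid: Optional[int] = s["policy_id"]  # type: ignore[assignment]
        if s["ips_offload"] and pid is not None and int(s["duration"]) >= min_duration:  # type: ignore[arg-type]
            ids.add(pid)
    return sorted(ids)


def cli_for(policy_ids: List[int], enable: bool = False) -> str:
    """Render FortiOS CLI that disables (or, with enable=True, re-enables) NP acceleration."""
    state = "enable" if enable else "disable"
    lines = ["config firewall policy"]
    for pid in policy_ids:
        lines += [f"    edit {pid}", f"        set np-acceleration {state}", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    at_risk = policies_at_risk(parse_sessions(SAMPLE_SESSION_LIST))
    print("# Before the IPS engine update:")
    print(cli_for(at_risk))
    print("# After the update has finished:")
    print(cli_for(at_risk, enable=True))
```

In practice the input would be the saved output of 'diagnose sys session list' (optionally narrowed first with 'diagnose sys session filter'); the script only identifies policies and prints CLI for review, it does not apply anything to the firewall.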
