AlexC-FTNT
Staff
Article Id 335104

Description

This article answers frequently repeated questions about NP (network processor) overloading.

 

Scope

FortiGate with NP processors.

 

Solution

NP processors do not have a counter for 'load' or a way to signal when they are 'overloaded'.

When the load is high, they are not capable of processing new packets, so packets are dropped (not processed).

Depending on the type of packets processed, or the step at which they are dropped, the drops can be checked through diagnostic commands.

The most commonly used command shows ONLY the packet drops (choose the command that suits the NP in the FortiGate unit):

Important Note: every time the command is run, the counters are also reset to 0.

Running the command repeatedly is necessary: it shows whether the counters are currently increasing, or whether the first run was showing historical data.


diagnose npu np6 dce 0 /1 <-- Repeat the command for each NP present, replacing the ID at the end.

diagnose npu np6lite dce 0 /1


If there is no output, there were no historical packet drops.

Do NOT use 'diagnose npu np6 dce-all 0' because it shows all the counters, most of which are 0, and is thus unnecessary when troubleshooting.
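
As an added example (not part of the original article and not Fortinet tooling), the Python script below applies the reset-on-read logic described above to saved outputs of consecutive runs of the dce command. The `NAME :count [id]` line layout, the hexadecimal base of the count and the sample captures are assumptions constructed for illustration.

```python
import re

# Assumed line shape (not confirmed by the article): NAME :<zero-padded hex count> [id]
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9_]*)\s*:\s*([0-9A-Fa-f]+)")

def parse_dce(output, base=16):
    """Return {counter_name: drop_count} for one saved run of the dce command."""
    counters = {}
    for name, value in COUNTER_RE.findall(output):
        count = int(value, base)
        if count:  # keep only counters that actually recorded drops
            counters[name] = counters.get(name, 0) + count
    return counters

def classify_runs(outputs):
    """Classify counters from consecutive runs against the same NP ID.

    The counters reset on every run, so the first run holds whatever
    accumulated since the previous read (historical), while each later
    run holds only the drops that occurred since the run before it.
    """
    runs = [parse_dce(o) for o in outputs]
    if len(runs) < 2:
        raise ValueError("at least two consecutive runs are needed")
    first, later = runs[0], runs[1:]
    result = {}
    for name in sorted(set().union(*runs)):
        recent = sum(r.get(name, 0) for r in later)
        result[name] = {
            "first_run": first.get(name, 0),
            "later_runs": recent,
            "status": "increasing" if recent else "historical",
        }
    return result

# Constructed sample captures: three consecutive runs for NP 0
SAMPLE_RUNS = [
    "IHP1_PKTCHK   :0000000000001833 [5b]\n"
    "PDQ_OSW_EHP1  :00000000000000a2 [19]\n",
    "PDQ_OSW_EHP1  :0000000000000011 [19]\n",
    "PDQ_OSW_EHP1  :0000000000000007 [19]\n",
]

if __name__ == "__main__":
    for name, info in classify_runs(SAMPLE_RUNS).items():
        print(f"{name:<14} {info['status']:<11} "
              f"first={info['first_run']} later={info['later_runs']}")
```

A counter reported as "historical" appeared only in the first run; one reported as "increasing" kept recording drops between the later runs and is the one to investigate.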


Additional diagnostic commands.

A good overview of ports used by NP:

diagnose npu np6 port-list

Checking the registers or packet queues: use only when more in-depth troubleshooting is needed (when dce counters are not 0). Most of the time this is not necessary.

Note: For np6lite processors, replace np6 with np6lite in the commands below:

 

diagnose npu np6 register 0 /1

             FGT # diag npu np6 register  <-- Running without a trailing 0 will show the available number of NPs in the unit.
             The following NP6 IDs are available:[0-1]

diagnose npu np6 pdq 0/1 <-- To be run multiple times consecutively.

diagnose npu np6 ipsec-stats
diagnose npu np6 dce 0/1
diagnose npu np6 hpe 0/1
diagnose npu np6 anomaly-drop 0/1
diagnose npu np6 hrx-drop 0/1
diagnose npu np6 session-stats 0/1
diagnose npu np6 sse-stats 0 /1
diagnose npu np6 sse-register 0/1
diagnose npu np6 pdq 0/1
diagnose npu np6 xgmac-stats 0/1
diagnose snmp ip frag

Related documents:

Technical Tip: Hardware Acceleration Processors (NP model according to FortiGate)

Hardware acceleration 

Troubleshooting Tip: NPU configuration commands (NP4, NP6, NP7)