FortiGate
jdelafuente_FTNT
Article Id 382600
Description

This article describes how to determine whether traffic is being accelerated (offloaded) by a Network Processor (NP).

Scope

FortiGate, FortiOS, Network Processor, NP6, NP6xLite, NP7.

Solution

GUI Validation.

Go to the Dashboard > FortiView Sessions menu and apply filters as needed (source, destination, service, etc.).
Once the filter is configured and the desired traffic has been identified, check the 'SPU' column. If it is blank, the traffic is NOT being accelerated. If it shows a letter, the traffic is being accelerated by an NP.

[Screenshot: Sniffer03-a.png]

To see which policy the traffic matches, hover over the header of the 'Source' column, select the gear icon, and select 'Policy'. See: Technical Tip: How to know which policy ID is used in FortiGate session table.

CLI Validation.

Set session filters for source, destination, protocol, port, etc., then list the matching sessions. More information about this command: Troubleshooting Tip: FortiGate session table information.

diagnose sys session filter src 10.20.30.1
diagnose sys session filter dst 20.7.2.167
diagnose sys session list


session info: proto=6 proto_state=01 duration=166 expire=3433 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ tun_id=0.0.0.0/200.94.81.85 vlan_cos=0/255
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=92/2/1 reply=1474/2/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=38->7/7->38 gwy=192.168.1.254/10.20.30.1
hook=post dir=org act=snat 10.20.30.1:62685->20.7.2.167:443(192.168.1.100:62685)
hook=pre dir=reply act=dnat 20.7.2.167:443->192.168.1.100:62685(10.20.30.1:62685)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=26 pol_uuid_idx=710 auth_info=0 chk_client_info=0 vd=0
serial=000004d3 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=80000000 ngfwid=n/a
npu_state=0x2000c00 ofld-O ofld-R
npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=65/249, ipid=65/65, vlan=0x0000/0x0000
vlifid=249/65, vtag_in=0x0001/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=3/1
session info: proto=1 proto_state=00 duration=3 expire=57 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ tun_id=0.0.0.0/200.94.81.85 vlan_cos=0/255
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=38->7/7->38 gwy=192.168.1.254/10.20.30.1
hook=post dir=org act=snat 10.20.30.1:1->20.7.2.167:8(192.168.1.100:60418)
hook=pre dir=reply act=dnat 20.7.2.167:60418->192.168.1.100:0(10.20.30.1:1)
misc=0 policy_id=26 pol_uuid_idx=710 auth_info=0 chk_client_info=0 vd=0
serial=00000834 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=80000000 ngfwid=n/a
npu_state=0x2000c00 ofld-O ofld-R
npu info: flag=0x81/0x82, offload=8/8, ips_offload=0/0, epid=65/249, ipid=65/65, vlan=0x0000/0x0000
vlifid=249/65, vtag_in=0x0001/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=0/2
total session 2


Both example sessions are being accelerated by the NP: the state line carries the 'npu' flag and npu_state shows 'ofld-O ofld-R', i.e. the session is offloaded in both the original and the reply direction. More information about the acceleration flags: Troubleshooting Tip: NPU Info Flag Field in FortiOS Sessions.
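As an added example (not part of the article), the following Python script applies the CLI check above to saved 'diagnose sys session list' output: it flags each session whose state line carries 'npu' and whose npu_state shows ofld-O/ofld-R, extracts the matched policy ID, and lists the policies carrying offloaded traffic. The sample text is constructed: session 1 reproduces the article's offloaded session, session 2 and its npu_state value are an assumed non-offloaded session for contrast.

```python
import re

# Constructed sample in the layout of 'diagnose sys session list'; lines not needed
# for the check are omitted. Session 1 mirrors the article's offloaded session,
# session 2 is a constructed non-offloaded one (no 'npu' state flag, no ofld-O/R).
SAMPLE = """\
session info: proto=6 proto_state=01 duration=166 expire=3433 timeout=3600
state=log may_dirty npu f00
hook=post dir=org act=snat 10.20.30.1:62685->20.7.2.167:443(192.168.1.100:62685)
misc=0 policy_id=26 pol_uuid_idx=710 auth_info=0 chk_client_info=0 vd=0
npu_state=0x2000c00 ofld-O ofld-R

session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600
state=log may_dirty
hook=post dir=org act=snat 10.20.30.5:51000->20.7.2.167:443(192.168.1.100:51000)
misc=0 policy_id=27 pol_uuid_idx=711 auth_info=0 chk_client_info=0 vd=0
npu_state=00000000
total session 2
"""


def parse_sessions(text):
    """Return one dict per session with the NP-offload indicators extracted."""
    sessions = []
    for block in re.split(r"\n(?=session info:)", text):
        if not block.startswith("session info:"):
            continue
        rec = {"offloaded": False, "ofld_org": False, "ofld_reply": False}
        for line in block.splitlines():
            if line.startswith("state="):
                # 'npu' among the state flags: the session is NP-accelerated
                rec["offloaded"] = "npu" in line[len("state="):].split()
            elif line.startswith("npu_state="):
                # ofld-O / ofld-R: offloaded in the original / reply direction
                rec["ofld_org"] = "ofld-O" in line.split()
                rec["ofld_reply"] = "ofld-R" in line.split()
            elif "dir=org" in line:
                m = re.search(r"act=\w+ (\d[\d.]*:\d+)->(\d[\d.]*:\d+)", line)
                if m:
                    rec["src"], rec["dst"] = m.group(1), m.group(2)
            m = re.search(r"\bpolicy_id=(\d+)", line)
            if m:
                rec["policy_id"] = int(m.group(1))
        sessions.append(rec)
    return sessions


def offloaded_policy_ids(text):
    """Policy IDs carrying offloaded sessions (traffic that debug flow/sniffer will miss)."""
    return sorted({s["policy_id"] for s in parse_sessions(text) if s["offloaded"]})
```

The returned policy IDs are the ones where 'set auto-asic-offload disable' would be needed before tracing the traffic with debug flow or the sniffer.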


Important Note:

If traffic is being accelerated by the NP, 'debug flow' and 'diagnose sniffer' will not show a trace of it. When such a trace is required for troubleshooting, disable offloading on the policy that matches the traffic of interest.


Example:

config firewall policy
    edit <policy ID>
        set auto-asic-offload disable
    next
end

Re-enable offloading on the same policy with 'set auto-asic-offload enable' once troubleshooting is complete.