Created on 09-03-2024 07:59 AM
Edited on 09-17-2025 02:29 AM
By Jean-Philippe_P
Description | This article describes the main points of concern when troubleshooting offloading/performance issues on NP7 devices. |
Scope | FortiGate, FortiOS, NP7. |
Solution |
When investigating offloading, the goal should be to answer 3 main questions:
FortiOS offers a complete set of commands to investigate and analyze the above possible issues.
To check drops in NP, the administrator can run the following command:
diagnose npu np7 dce-drop-all <all | np7 id> <verbosity>
Verbosity:
{0|b|brief}: Show non-zero counters
{1|v|verbose}: Show all the counters
{2|c|clear}: Clear counters
diagnose npu np7 dce-drop-all 0 1
[NP7_0] Counter EIF_0 EIF_1 EIF_2 EIF_3 EIF_4 EIF_5 EIF_6 EIF_7 Total
[NP7_0]
[NP7_0]
[NP7_0]
[NP7_0]
This command can be very verbose, but for each NP7 module and sub-engine it contains statistics about anomalies and drops. The idea is to run this command repeatedly over time and check which counter is constantly increasing, so that the focus can be narrowed to a specific part of the NP7 processor and, eventually, a ticket can be raised with Fortinet Support.
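One way to automate that comparison, as an added example that is not part of the original article or of Fortinet tooling: it takes several saved captures of the command output and reports the counters whose Total grew in every interval. The row layout ([NP7_x], counter name, eight EIF values, Total) is assumed from the header line shown above, and the SAMPLE_DROP_* names and values are constructed.

```python
import re

# Assumed row layout, inferred from the header line the article shows:
#   [NP7_<id>] <counter> <EIF_0> ... <EIF_7> <Total>
ROW = re.compile(r"^\[(NP7_\d+)\]\s+(\S+)((?:\s+\d+){9})$")
HEADER = "[NP7_0] Counter EIF_0 EIF_1 EIF_2 EIF_3 EIF_4 EIF_5 EIF_6 EIF_7 Total\n"

def parse_snapshot(text):
    """Map (np, counter) -> Total for one captured dce-drop-all output."""
    totals = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and empty rows do not match and are skipped
            totals[(m.group(1), m.group(2))] = int(m.group(3).split()[-1])
    return totals

def rising_counters(snapshots):
    """Return [(np, counter, growth)] for counters whose Total grew in every
    interval between consecutive snapshots, largest growth first."""
    parsed = [parse_snapshot(s) for s in snapshots]
    if len(parsed) < 2:
        return []
    rising = []
    for key in set().union(*parsed):
        # Brief output hides zero counters, so a missing row counts as 0.
        series = [p.get(key, 0) for p in parsed]
        # A counter that was cleared or stayed flat in any interval is skipped.
        if all(b > a for a, b in zip(series, series[1:])):
            rising.append((key[0], key[1], series[-1] - series[0]))
    return sorted(rising, key=lambda r: (-r[2], r[1]))

# Constructed sample captures; counter names are placeholders, not real NP7 names.
SNAPSHOTS = [
    HEADER + "[NP7_0] SAMPLE_DROP_A 1 0 0 0 0 0 0 0 1\n"
             "[NP7_0] SAMPLE_DROP_B 5 5 0 0 0 0 0 0 10\n"
             "[NP7_0] SAMPLE_DROP_C 0 0 3 0 0 0 0 0 3\n",
    HEADER + "[NP7_0] SAMPLE_DROP_A 30 10 0 0 0 0 0 0 40\n"
             "[NP7_0] SAMPLE_DROP_B 5 5 0 0 0 0 0 0 10\n"
             "[NP7_0] SAMPLE_DROP_C 0 0 7 0 0 0 0 0 7\n",
    HEADER + "[NP7_0] SAMPLE_DROP_A 60 35 0 0 0 0 0 0 95\n"
             "[NP7_0] SAMPLE_DROP_B 5 5 0 0 0 0 0 0 10\n"
             "[NP7_0] SAMPLE_DROP_C 0 0 7 0 0 0 0 0 7\n",
]

if __name__ == "__main__":
    for np_id, counter, growth in rising_counters(SNAPSHOTS):
        print(f"{np_id} {counter} grew by {growth} across all captures")
```

Captures taken at a fixed interval make the growth figures comparable between runs.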
Additional commands to check drop statistics for the NP7 chip:
diagnose npu np7 dce <np7_id> <----- Shows non-zero sub-engine drop counters.
NP7 is connected to the ISF through 2x CGMAC interfaces, each of which is 100Gbps for a total of 200Gbps.
With the command diagnose npu np7 cgmac-stats <all | np7 id> <verbosity>, it is possible to check the packet counts and throughput received and transmitted by each NP7 processor.
diagnose npu np7 cgmac-stats 0 0
[NP7_0]
In addition to each RX_TX rate metric, which shows the actual CGMAC bandwidth, there is also the GC_FULL counter, which increases when there is congestion at the CGMAC level.
With the following command, it is also possible to check the usage in percentage for every NP7 module:
diagnose npu np7 pmon 0 0
[NP7_0]
Each packet reaching the NP7 processor is stored in an allocated buffer, which is freed when the packet is processed and leaves the FortiGate (the buffers used to store packets are limited). Under specific conditions, buffers might not be freed when packets are processed; this is called a PBA leak (PBA: packet buffer allocator).
The command diagnose npu np7 pba 0 compares normal buffer usage with the current usage and shows the delta.
diagnose npu np7 pba all
[NP7_0]
Notes: '!!! Leak !!!' is printed every time one of the deltas is greater than 1. Having a positive value displayed is normal when traffic is being processed by the NP7; an administrator should be concerned when the delta value is high and constantly increasing over time, as it means that the buffers are not being released correctly.
For devices with an np7lite processor, the troubleshooting commands can be used but should be adjusted; the 'np7' should be replaced with 'np7lite', for example, 'diagnose npu np7lite dce-drop-all 0'.
Related documents:
Troubleshooting Tip: NPU configuration commands (NP4, NP6, NP7)
Troubleshooting Tip: Understanding the FortiGate NP7 drop types |
Very useful. Thank you for this.