cborgato_FTNT
Article Id 194652

Description

 
This article describes some of the NPU diagnostics options for models with NP4 or NP6 network processors.
NP6 also has configurable options which, being part of the configuration, persist after a reboot (unlike most diagnostic options).


Scope

 
FortiGate with NP processors (See the model list here: Technical Tip: Hardware Acceleration Processors).


Solution

 

The following output is for FortiOS versions 6.4 to 7.4, which implement additional options:
 
FortiGate # diag npu np6
fastpath                  Configure fastpath
monitor-hpe               Monitor HPE setting and host queue status counters without packet dropping.
hpe                       Show HPE setting and host queue status counters.
dce                       Show non-zero subengine drop counters.
dce-all                   Show all subengine drop counters.
anomaly-drop              Show non-zero L3/L4 anomaly check drop counters.
anomaly-drop-all          Show all L3/L4 anomaly check drop counters.
hrx-drop                  Show non-zero host interface drop counters.
hrx-drop-all              Show all host interface drop counters.
session-stats             Show session offloading statistics counters
session-stats-clear       Clear sesssion offloading statistics counters
sse-stats                 Show hardware session statistics counters
sse-stats-clear           Clear hardware session statistics counters
sse-latch-debug           Latch SSE debug
sse-register              Show NP6 SSE registers
pdq                       Show packet buffer queue counters
xgmac-stats               Show XGMAC MIBs counters
xgmac-stats-clear         Clear XGMAC MIBS counters
hardware-cap              Show hardware capability defintions
port-list                 Show port list
portmod                   Show port group info.
ipsec-stats               Show IPsec offloading statistics
ipsec-stats-clear         Clear IPsec offloading statistics
eeprom-read               Read NP6 EEPROM
npu-feature               Show NPU feature and status
register                  Show NP6 registers
synproxy-stats            Show synproxy statistics.
sse-purge-drift           Clean up idle sessions in SSE.
sse-drift-summary         Show SSE session drift summary.
cwp-frame-chk-act         Set CAPWAP frame check actions. [Take 0-3 arg(s)]
show-cwp-undersize-act    Show CAPWAP undersize frame check actions.
hbq-stats                 Show NP6 HBQ stats
hbq-stats-clear           Clear NP6 HBQ stats
 
FGT (global) # diag npu np7
info                     Show chip information.

cgmac-stats              Show/clear CGMAC MIBs counters. [Take 0-2 arg(s)]
dce-drop-all             Show/clear all drop counters. [Take 0-2 arg(s)]
dce-eif-drop             Show/clear EIF IHP drop counters. [Take 0-2 arg(s)]
dce-htx-drop             Show/clear HTX IHP drop counters. [Take 0-2 arg(s)]
dce-ipti-drop            Show/clear IPTI IHP drop counters. [Take 0-2 arg(s)]
dce-l2ti-drop            Show/clear L2TI IHP drop counters. [Take 0-2 arg(s)]
dce-dfr-drop             Show/clear DFR IHP drop counters. [Take 0-2 arg(s)]
dce-xhp-drop             Show/clear XHP IHP drop counters. [Take 0-2 arg(s)]
dce-l2p-drop             Show/clear L2P IHP drop counters. [Take 0-2 arg(s)]
dce-hif-drop             Show/clear HIF drop counters. [Take 0-2 arg(s)]
dce-sse-drop             Show/clear SSE drop counters. [Take 0-2 arg(s)]
dce-ipsec-drop           Show/clear IPSec drop counters. [Take 0-2 arg(s)]
dsw-drop-all             Show/clear DSW drop counters. [Take 0-2 arg(s)]
dsw-drop-by-src          Show/clear DSW drop counters by source modules. [Take 0-2 arg(s)]
dsw-drop-by-dst          Show/clear DSW drop counters by destination modules. [Take 0-2 arg(s)]
dsw-ingress-stats        Show/clear DSW ingress counters. [Take 0-2 arg(s)]
dsw-egress-stats         Show/clear DSW egress counters. [Take 0-2 arg(s)]
hif-stats                Show/clear host queue counters. [Take 0-2 arg(s)]
mas                      Show DDR memory access module (MAS) information. [Take 0-1 arg(s)]
msgq                     Show message queue configurations. [Take 0-1 arg(s)]
np-port                  Show NP port status.
pdq                      Show packet descriptor queue counters. [Take 0-2 arg(s)]
pba                      Show packet buffer counters. [Take 0-1 arg(s)]
pmon                     Show engine performance monitor counters. [Take 0-2 arg(s)]
port-list                Show port list.
phy-status               Show PHY status.
sse-stats                Show session search engine counters. [Take 0-1 arg(s)]
session-offload-stats    Show/Clear session offload error counters. [Take 0-2 arg(s)]
system-config            Show system level driver configurations.
sw-np-que                Show the queue counters on those switch ports which connected to the current NP [Take 0-1 arg(s)]
dvlan-mode-list          list DVLAN mode info
cmd                      Command counters
msg                      Message counters
mswm                     Message Switch Module
getreg                   Read NP7 registers. [Take 0-3 arg(s)]
setreg                   Write NP7 registers. [Take 0-3 arg(s)]
listreg                  List NP7 registers. [Take 0-2 arg(s)]
listtbl                  List NP7 configuration tables. [Take 0-1 arg(s)]
readtbl                  Read NP7 configuration table. [Take 0-4 arg(s)]
init-params              Show driver initialization parameters.
show-dsw-dts-profile     Show NP7 dsw dts profile table. [Take 0-4 arg(s)]
show-dsw-qtbl            Read NP7 configuration table. [Take 0-4 arg(s)]
vep-mode                 Set VEP mode. [Take 0-1 arg(s)]
intf-clear-stats         Clear interface statistics counters. [Take 0-1 arg(s)]
intf-clear-err           Clear interface error counters. [Take 0-1 arg(s)]
dvlan-mode               Set DVLAN mode.
hpe                      Show np7 hpe host queue packet type shaper status. [Take 0-2 arg(s)]
monitor-hpe              Monitor HPE setting and host queue status counters without packet dropping.
ipl                      ipl cmds [Take 0-20 arg(s)]
 
NP7 config:
 

FGT (global) # config system npu

FGT (npu) # set
dedicated-management-cpu      Enable to dedicate one CPU for GUI and CLI connections when NPs are busy.
ipsec-ob-np-sel               IPsec NP selection for OB SA offloading.
npu-group-effective-scope     npu-group-effective-scope defines under which npu-group cmds such as list/purge will be excecuted. Default scope is for all four HS-ok groups. (0-3, default = 255).
policy-offload-level          Configure firewall policy offload level.
napi-break-interval           NAPI break interval (default 0).
capwap-offload                Enable/disable offloading managed FortiAP and FortiLink CAPWAP sessions.
default-qos-type              Set default QoS type.
shaping-stats                 Enable/disable NP7 traffic shaping statistics (default = disable).
gtp-support                   Enable/Disable NP7 GTP support
per-session-accounting        Set per-session accounting.
session-acct-interval         Session accounting update interval (1 - 10 sec, default 5 sec).
per-policy-accounting         Set per-policy accounting.
max-session-timeout           Maximum time interval for refreshing NPU-offloaded sessions (10 - 1000 sec, default 40 sec).
hash-tbl-spread               Enable/disable hash table entry spread (default enabled).
vlan-lookup-cache             Enable/disable vlan lookup cache (default enabled).
ip-fragment-offload           Enable/disable NP7 NPU IP fragment offload.
htx-icmp-csum-chk             Set HTX icmp csum checking mode.
htab-msg-queue                Set hash table message queue mode.
htab-dedi-queue-nr            Set the number of dedicate queue for hash table messages.
qos-mode                      QoS mode on switch and NP.
inbound-dscp-copy-port        Physical interfaces that support inbound-dscp-copy.
double-level-mcast-offload    Enable double level mcast offload.
qtm-buf-mode                  QTM channel configuration for packet buffer.

 
The following output is for older versions.
 
FortiOS 5.0:
NP4 options:

FGT # diagnose npu np4
list            Display all NP4 devices
fastpath        Configure fastpath
load-balance    Configure load balance
stats           View NP4 device stats
register        View NP4 registers
pdq             View NP4 queue stats
dce             View NP4 drop table
dce-reset       Clear NP4 drop table
flowtrace       Configure NP4 flow trace
eeprom-read     Read NP4 EEPROM
elbc-bind       Bind ELBC interface to VLAN


FGT # diagnose npu np6
anomaly-drop           Show non-zero L3/L4 anomaly check drop counters.
anomaly-drop-all       Show all L3/L4 anomaly check drop counters.
dce                    Show non-zero subengine drop counters.
dce-all                Show all subengine drop counters.
debug-console          Access debug console
eeprom-read            Read NP6 EEPROM
fastpath               Configure fastpath
hrx-drop               Show non-zero host interface drop counters.
hrx-drop-all           Show all host interface drop counters.
ipsec-stats            Show IPsec offloading statistics
ipsec-stats-clear      Clear IPsec offloading statistics
npu-feature            Show NPU feature and status
pdq                    Show packet buffer queue counters
phy-debug              Enable/disable PHY debug
port-list              Show port list
register               Show NP6 registers
session-stats          Show session offloading statistics counters
session-stats-clear    Clear sesssion offloading statistics counters
sse-stats              Show hardware session statistics counters
sse-stats-clear        Show hardware session statistics counters
xgmac-stats            Show XGMAC MIBs counters
xgmac-stats-clear      Clear XGMAC MIBS counters
 
In addition, there is an NP6-specific system configuration:

FGT # config system np6
FGT (np6) # edit np6_0
FGT (np6_0) # get
name                : np6_0
fastpath            : enable
low-latency-mode    : disable
per-session-accounting: disable
garbage-session-collector: disable
session-collector-interval: 8
session-timeout-interval: 40
session-timeout-random-range: 8
session-timeout-fixed: disable
fp-anomaly-v4:
    tcp-syn-fin         : allow
    tcp-fin-noack       : trap-to-host
    tcp-fin-only        : trap-to-host
    tcp-no-flag         : allow
    tcp-syn-data        : allow
    tcp-winnuke         : trap-to-host
    tcp-land            : trap-to-host
    udp-land            : trap-to-host
    icmp-land           : trap-to-host
    icmp-frag           : allow
    ipv4-land           : trap-to-host
    ipv4-proto-err      : trap-to-host
    ipv4-unknopt        : trap-to-host
    ipv4-optrr          : trap-to-host
    ipv4-optssrr        : trap-to-host
    ipv4-optlsrr        : trap-to-host
    ipv4-optstream      : trap-to-host
    ipv4-optsecurity    : trap-to-host
    ipv4-opttimestamp   : trap-to-host
fp-anomaly-v6:
    ipv6-land           : trap-to-host
    ipv6-proto-err      : trap-to-host
    ipv6-unknopt        : trap-to-host
    ipv6-saddr-err      : trap-to-host
    ipv6-daddr-err      : trap-to-host
    ipv6-optralert      : trap-to-host
    ipv6-optjumbo       : trap-to-host
    ipv6-opttunnel      : trap-to-host
    ipv6-opthomeaddr    : trap-to-host
    ipv6-optnsap        : trap-to-host
    ipv6-optendpid      : trap-to-host
    ipv6-optinvld       : trap-to-host
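
An added example (not from the original article or from Fortinet): a short Python parser for the `get` output shown above that lists which fast-path anomaly checks are set to a given action, for instance `allow`, so the result can be compared against the intended anomaly policy. The sample text is a constructed, shortened copy of that output, the function names are hypothetical, and the parser assumes the capture preserves the indentation of the fp-anomaly entries.

```python
import re

# Constructed sample: a shortened copy of the `get` output shown in the article.
SAMPLE_GET_OUTPUT = """\
name                : np6_0
fastpath            : enable
session-timeout-fixed: disable
fp-anomaly-v4:
    tcp-syn-fin         : allow
    tcp-fin-noack       : trap-to-host
    tcp-no-flag         : allow
    icmp-frag           : allow
    ipv4-land           : trap-to-host
fp-anomaly-v6:
    ipv6-land           : trap-to-host
    ipv6-optjumbo       : trap-to-host
"""

SECTION_RE = re.compile(r"^(fp-anomaly-v[46]):\s*$")
SETTING_RE = re.compile(r"^\s+([a-z0-9-]+)\s*:\s*(\S+)\s*$")


def parse_fp_anomaly(text):
    """Return {section: {check: action}} for the fp-anomaly blocks only."""
    result, section = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            result[section] = {}
            continue
        m = SETTING_RE.match(line)
        if m and section:
            result[section][m.group(1)] = m.group(2)
        elif line.strip() and not line[0].isspace():
            section = None  # any other top-level line (key or prompt) ends the block
    return result


def checks_with_action(parsed, action):
    """List (section, check) pairs whose configured action equals `action`."""
    return sorted((s, c) for s, checks in parsed.items()
                  for c, a in checks.items() if a == action)


if __name__ == "__main__":
    parsed = parse_fp_anomaly(SAMPLE_GET_OUTPUT)
    for section, check in checks_with_action(parsed, "allow"):
        print(f"{section}: {check} is set to allow")
```
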
 
The following output is for FortiOS 5.2.2:

fw1 # diag npu np6
fastpath                 Configure fastpath
dce                      Show non-zero subengine drop counters.
dce-all                  Show all subengine drop counters.
anomaly-drop             Show non-zero L3/L4 anomaly check drop counters.
anomaly-drop-all         Show all L3/L4 anomaly check drop counters.
hrx-drop                 Show non-zero host interface drop counters.
hrx-drop-all             Show all host interface drop counters.
session-stats            Show session offloading statistics counters
session-stats-clear      Clear sesssion offloading statistics counters
sse-stats                Show hardware session statistics counters
sse-stats-clear          Show hardware session statistics counters
pdq                      Show packet buffer queue counters
xgmac-stats              Show XGMAC MIBs counters
xgmac-stats-clear        Clear XGMAC MIBS counters
gmac-stats               Show GMAC MIBs counters
gmac-stats-clear         Clear GMAC MIBS counters
gige-port-stats          Show GIGE PORT MIBs counters
gige-port-stats-clear    Clear GIGE PORT MIBs counters
port-list                Show port list
ipsec-stats              Show IPsec offloading statistics
ipsec-stats-clear        Clear IPsec offloading statistics
eeprom-read              Read NP6 EEPROM
npu-feature              Show NPU feature and status
register                 Show NP6 registers
debug                    general debug

fw1 # config system np6
fw1 (np6) # edit
name    Device Name.
np6_0
np6_1
fw1 (np6) # edit np6_0
fw1 (np6_0) # set
fastpath                        Enable/disable fast path.
per-session-accounting          Per-session accounting.
garbage-session-collector       Garbage session collector.
session-collector-interval      Garbage session collection clean-up interval(1 - 100 sec, default 64).
session-timeout-interval        NPU session timeout interval(0 - 1000 sec, default 40).
session-timeout-random-range    NPU session timeout randomization range(0 - 1000 sec, default 8).
session-timeout-fixed           NPU session timeout at fixed intervals.