FortiGate
shahrukh_khan
Article Id 378731
Description This article describes the cause of, and workarounds for, websites failing to load when a web filter is applied on a flow-based policy after upgrading to v7.4.3. In the packet-flow trace the affected session is handed to the IPS engine instead of being offloaded to the NPU.
Scope FortiGate v7.4.3.
Solution
  • When a web filter profile is enabled on a flow-based firewall policy, many websites do not open.
  • If the same policy is changed to proxy-based inspection, the websites load normally.

If the issue appears after upgrading the firmware to v7.4.3, it is likely to match Bug ID 1024576.


This behaviour can be confirmed with a packet-flow trace (diagnose debug flow). In the trace below, the client 192.168.4.116 connects to 63.137.229.1:443 through the flow-based policy 20:


Firewall-EHTP # id=65308 trace_id=257 func=print_pkt_detail line=5886 msg="vd-root:0 received a packet(proto=6, 192.168.4.116:53937->63.137.229.1:443) tun_id=0.0.0.0 from internal. flag [S], seq 2978376094, ack 0, win 65340"
id=65308 trace_id=256 func=init_ip_session_common line=6063 msg="allocate a new session-0005cf08"
id=65308 trace_id=256 func=iprope_dnat_check line=5475 msg="in-[internal], out-[]"
id=65308 trace_id=256 func=vf_ip_route_input_common line=2613 msg="find a route: flag=04000000 gw-10.185.0.1 via ppp2"
id=65308 trace_id=256 func=__iprope_fwd_check line=810 msg="in-[internal], out-[ppp2], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=256 func=__iprope_check_one_policy line=2366 msg="policy-9 is matched, act-accept"
id=65308 trace_id=257 func=get_new_addr line=1269 msg="find SNAT: IP-49.205.197.194(from IPPOOL), port-53937"
id=65308 trace_id=256 func=__iprope_check_one_policy line=2366 msg="policy-20 is matched, act-accept"
id=65308 trace_id=257 func=iprope_shaping_check line=973 msg="in-[internal], out-[ppp2], skb_flags-02000000, vid-0"
id=65308 trace_id=256 func=fw_forward_handler line=991 msg="Allowed by Policy-20: SNAT"
id=65308 trace_id=257 func=ids_receive line=464 msg="send to ips"

id=65308 trace_id=259 func=print_pkt_detail line=5886 msg="vd-root:0 received a packet(proto=6, 192.168.4.116:53936->63.137.229.1:443) tun_id=0.0.0.0 from internal. flag [.], seq 1856218609, ack 3809336800, win 1026"
id=65308 trace_id=259 func=resolve_ip_tuple_fast line=5969 msg="Find an existing session, id-0005cf08, original direction"
id=65308 trace_id=259 func=npu_handle_session44 line=1226 msg="Trying to offloading session from internal to ppp2, skb.npu_flag=00000400 ses.state=18042200 ses.npu_state=0x00041108"
id=65308 trace_id=259 func=fw_forward_dirty_handler line=442 msg="state=18042200, state2=00000000, npu_state=00041108"
id=65308 trace_id=259 func=ids_receive line=464 msg="send to ips"

The first trace shows the SYN being matched to policy 20 and handed to the IPS engine ("send to ips"). The second trace, for a packet of the existing session 0005cf08, shows the NPU offload attempt (npu_handle_session44, "Trying to offloading session"), after which the packet is again passed to the IPS engine rather than being offloaded.
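The following CLI sequence captures a trace like the one above for a single client/destination pair. It is an added example and not part of the original article: the addresses are taken from the trace above, the packet count of 20 is an arbitrary choice, and lines beginning with # are explanatory comments rather than commands to type.

```fortios
# Clear any previous debug state and flow filters
diagnose debug reset
diagnose debug flow filter clear
# Match only the client and HTTPS destination seen in the trace above
diagnose debug flow filter saddr 192.168.4.116
diagnose debug flow filter daddr 63.137.229.1
diagnose debug flow filter dport 443
# Include the func= names and policy lookups shown in the trace
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
# Trace the next 20 matching packets, then reproduce the page load in the browser
diagnose debug flow trace start 20
diagnose debug enable
# When the trace has been collected, stop it and disable debugging
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

Look for the "send to ips" line on packets of an already-established session: a session that was successfully offloaded would not keep appearing in the trace with that message.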


As a workaround, either change the firewall policy to proxy-based inspection, or disable 'TLS 1.3 hybridized Kyber support' in the browser and set the tcp-mss value for both sender and receiver on the affected firewall policies to 1450 or less. See also: Troubleshooting Tip: Web pages not loading or taking too long to load when a web filter is applied.
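The two workarounds expressed as CLI configuration, as an added example rather than configuration from the article. Policy ID 20 is taken from the trace above; choose the option that fits the deployment, not both, and lines beginning with # are explanatory comments.

```fortios
# Option A: inspect this policy's traffic in proxy mode instead of flow mode
config firewall policy
    edit 20
        set inspection-mode proxy
    next
end

# Option B: keep flow mode, disable TLS 1.3 hybridized Kyber support in the
# browser, and clamp the MSS advertised in both directions to 1450 bytes
config firewall policy
    edit 20
        set tcp-mss-sender 1450
        set tcp-mss-receiver 1450
    next
end
```

Note that the MSS clamp applies to every TCP session matched by the policy, not only to HTTPS, so apply it to the specific policies that carry the affected web traffic. To confirm which IPS Engine build is installed, run diagnose autoupdate versions and check the IPS Engine entry.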


This issue is resolved in IPS Engine (IPSE) 7.4.4:0541 and 7.6.0:1012.