Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Silver
New Contributor

Asic-Offload

Dear All,

Anyone can tell me what is mean by the command set auto-asic-offload disable. In which situation we can use this command and how it can impact a production environment if we are using this command.

 

Thanks

4 REPLIES 4
Paul_S
Contributor

Silver wrote:

Dear All,

Anyone can tell me what is mean by the command set auto-asic-offload disable. In which situation we can use this command and how it can impact a production environment if we are using this command.

 

Thanks

I am not an expert on this topic, but setting that value to disable would seem to tell your fortigate unit to use the main general purpose CPU for all processing instead of using the dedicated network processor ASIC. See the FortiOS Handbook 5.2 section titled "Network processors" for more info on that topic.

 

reasons to do this are not very many. I have seen at least one time where a bug or security vulnerability was identified and the workaround until a new firmware was released, was to disable use of the network processor.

 

The impact of disabling the NP is reduced performance.

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x                   [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5  |  Fortimail 5.3.11 Network+, Security+

dstgroup

I just got this question myself and got it answered from a Fortinet cookbook.

I just wanted to let anyone seeing this that the answer is wrong.

 

It's the other way around:


When auto-asic-offload is set to disable in the firewall policy, traffic is not offloaded and the NPU hosting counter is ticked.


So, it means that if we disable auto-asic-offload, traffic will always be processed at the NPU.

I hope it helps anyone.

 

ashukla_FTNT
Staff
Staff

One common reason is if you want to sniff the traffic (packet capture) or want to do flow debugging (for diagnostics)

When traffic offloaded to network processor diag sniffer or debug can't show the packets as debugging ans sniffing runs on kernel (in cpu).

 

Please note: Even with offload enable we will see the session creation (three way handshke) and session closure packets for tcp in sniff or debug as that is always handled by kernel.

For udp we will see the first packet of the session.

 

Other than above reason it is not recommended to disable asic offload as we will be forcing the traffic to use the cpu instead of utilizing the network processor.

 

Also whenever required for traffic debugging we should create a specific policy on top and disable offload in that policy so only the intended traffic goes to cpu. Once done with troubleshooting delete the poicy.

AndreaSoliva
Contributor III

Hi

 

this what is written here is true without going to much more details. What is not considered is following:

 

If a policy is NOT using any UTM Feature like application control, antivirus etc. it can be offloaded and for every policy new created the option regarding offloading is enabled. If you like to troubleshoot or whatever and you do not want to use the offloading feature you can of course disable the option on command line. What you also can do without going to command line is using a UTM feature on the policy which means as soon as you are doing this the offloading is not anymore used because the flow HAS TO GO TO THE CP processor and because of this offloading is not anymore used. This means also to disable offloading you can use a application conrol profile which does not block anything instead monitor anything known or unkonwn. As soon as you use this profile offloading is disabled. This only to be aware at WHICH POINT OFFLOADING is working or not meaning UTM FEATURE ACTIVE offloading DISABLED.

 

hope this helps

 

have fun

 

Andrea