echia
Staff

Description


This article describes how to ensure that IPSec traffic is offloaded for improved throughput.


Many FortiGate platforms include a specially designed hardware component called an ASIC which is responsible for processing certain types of traffic. One of these ASICs is called the Network Processor, or NP.

On platforms that include an NP, IPsec traffic can be offloaded to the NP to greatly reduce load on the CPU, as well as dramatically increase potential throughput on the IPsec tunnel. Traffic is offloaded separately for each direction of flow through the tunnel, meaning that there are four possible states for offloading.

This article has three sections:
1) Questions to ask (about offload capabilities).
2) Configuration to check (to ensure offloading).
3) Diagnostic commands to run (to confirm that offloading is occurring).

Solution


1) Questions to Ask.


Does the device offer an NP (Network Processor) for offloading VPN traffic?
If the device does have an NP processor, which version is it?
Which encryption and decryption algorithms does the NP support for offloading?

For more information on Hardware Acceleration and Hardware Acceleration Requirements, refer to this documentation:
http://docs.fortinet.com/d/fortigate-hardware-acceleration


Refer also to this KB article on the limitations of hardware acceleration when using certain interface types:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Interface-not-supported-by-NPU-Offload/ta-...

2) Configuration to Check.

Ensure that NPU offloading is enabled in the VPN phase1:


# config vpn ipsec phase1-interface
    edit <phase1_name>
        set npu-offload enable
    next
end


Ensure that the firewall policies created for the VPN tunnels have auto-ASIC offloading enabled:


# config firewall policy
    edit <policy_id>
        set auto-asic-offload enable
    next
end


3) Diagnostics to run:

The following CLI commands can be used to verify that IPsec VPN traffic is being offloaded to the NP:


# diagnose vpn ipsec status




# diagnose vpn tunnel list


In the output, check the npu_flag value reported for each tunnel:
npu_flag=00 means that neither ingress nor egress ESP packets are offloaded.
npu_flag=01 means that only egress ESP packets are offloaded; ingress ESP packets are handled by the kernel.
npu_flag=02 means that only ingress ESP packets are offloaded; egress ESP packets are handled by the kernel.
npu_flag=03 means that both ingress and egress ESP packets are offloaded.

When facing performance issues, first verify that the tunnel shows npu_flag=03.
If the flag is 00, 01, or 02, VPN traffic is NOT being offloaded properly for at least one direction; verify that the NPU configuration above (npu-offload in phase1 and auto-asic-offload in the firewall policy) is correct.
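As an added example (not part of this article), the script below decodes the npu_flag value for each tunnel in captured `diagnose vpn tunnel list` output and lists the tunnels that are not offloaded in both directions. The sample output is constructed to approximate the real format and is not output from a real device; only the name= and npu_flag= fields are used.

```python
import re

# Constructed sample approximating "diagnose vpn tunnel list" output (not real device output).
SAMPLE_OUTPUT = """\
name=to-branch-a ver=2 serial=1 198.51.100.1:0->203.0.113.5:0 tun_id=203.0.113.5 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 run_state=0 accept_traffic=1
npu_flag=03 npu_rgwy=203.0.113.5 npu_lgwy=198.51.100.1 npu_selid=0 dec_npuid=1 enc_npuid=1
name=to-branch-b ver=2 serial=2 198.51.100.1:0->203.0.113.9:0 tun_id=203.0.113.9 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 run_state=0 accept_traffic=1
npu_flag=01 npu_rgwy=203.0.113.9 npu_lgwy=198.51.100.1 npu_selid=0 dec_npuid=0 enc_npuid=1
name=to-branch-c ver=2 serial=3 198.51.100.1:0->203.0.113.13:0 tun_id=203.0.113.13 dst_mtu=1500
npu_flag=00 npu_rgwy=203.0.113.13 npu_lgwy=198.51.100.1 npu_selid=0 dec_npuid=0 enc_npuid=0
"""

# Bit meaning per the article: 01 = egress offloaded, 02 = ingress offloaded, 03 = both.
EGRESS_BIT = 0x01
INGRESS_BIT = 0x02


def parse_npu_flags(output):
    """Return {tunnel_name: npu_flag as int} from tunnel-list output."""
    flags, current = {}, None
    for line in output.splitlines():
        m = re.match(r"name=(\S+)", line)       # a new tunnel record starts with name=
        if m:
            current = m.group(1)
            continue
        m = re.search(r"\bnpu_flag=([0-9a-fA-F]{2})\b", line)
        if m and current is not None:
            flags[current] = int(m.group(1), 16)  # two hex digits; 00..03 read the same in decimal
    return flags


def describe_flag(flag):
    """Split an npu_flag value into its per-direction offload state."""
    return {"egress_offloaded": bool(flag & EGRESS_BIT),
            "ingress_offloaded": bool(flag & INGRESS_BIT)}


def tunnels_not_fully_offloaded(output):
    """Map each tunnel with npu_flag != 03 to the direction(s) still handled by the kernel."""
    result = {}
    for name, flag in parse_npu_flags(output).items():
        state = describe_flag(flag)
        missing = [d for d, key in (("ingress", "ingress_offloaded"), ("egress", "egress_offloaded"))
                   if not state[key]]
        if missing:
            result[name] = missing
    return result


if __name__ == "__main__":
    for name, missing in tunnels_not_fully_offloaded(SAMPLE_OUTPUT).items():
        print(f"{name}: not offloaded for {', '.join(missing)}; "
              "check npu-offload in phase1 and auto-asic-offload in the policy")
```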