Offloading flow-based content inspection with NTurbo and IPSA

Facebooktwittergoogle_plusredditpinterestlinkedinFacebooktwittergoogle_plusredditpinterestlinkedin

NTurbo and IPSA are two hardware acceleration technologies that FortiGates can use to improve performance by offloading and accelerating flow-based UTM/NGFW content processing.

NTurbo offloading and acceleration

NTurbo improves FortiGate performance by offloading firewall sessions with flow-based security profiles to NP4 or NP6 network processors. Firewall sessions that include proxy-based security profiles or a mixture of flow-based and proxy-based security profiles are never offloaded to network processors and are always processed by the FortiGate CPU.

NTurbo creates a special data path to redirect traffic from the ingress interface to IPS, and from IPS to the egress interface. NTurbo allows firewall operations to be offloaded along this path, and still allows IPS to behave as a stage in the processing pipeline, reducing the workload on the FortiGate CPU and improving overall throughput.

If NTurbo is supported by your FortiGate unit, you can use the following command to configure it:

config ips global
  set np-accel-mode {basic | none}
end

basic enables NTurbo and is the default setting for FortiGate models that support NTurbo. none disables NTurbo. If the np-accel-mode option is not available, then your FortiGate does not support NTurbo.

There are some special cases (listed below) where sessions may not be offloaded by NTurbo, even when NTurbo is explicitly enabled. In these cases the sessions are handled by the FortiGate CPU.

  • NP acceleration is disabled. For example, auto-asic-offload is disabled in the firewall policy configuration.
  • The firewall policy includes proxy-based security profiles.
  • The sessions require FortiOS session-helpers. For example, FTP sessions are not offloaded to NP processors because FTP sessions use the FTP session helper.
  • Interface policies or DoS policies have been added to the ingress or egress interface.
  • Tunneling is enabled. Any traffic to or from a tunneled interface (IPSec, IPinIP, SSL VPN, GRE, CAPWAP, etc.) cannot be offloaded by NTurbo.

IPSA offloading and acceleration

IPSA offloads and accelerates flow-based UTM/NGFW pattern matching to CP8 and CP9 content processors. IPSA is available for NTurbo and standard firewall sessions.

IPSA is supported by most FortiGate models. If your model supports IPSA, you can use the following command to configure it:

config ips global
  set cp-accel-mode {advanced | basic | none}
end

basic offloads basic pattern matching.

advanced offloads more types of pattern matching resulting in higher throughput than basic mode. advanced is only available on FortiGate models with two or more CP8 processors or one or more CP9 processors.

If the cp-accel-mode option is not available, then your FortiGate does not support IPSA.

On FortiGates with one CP8, the default cp-accel-mode is basic. Setting the mode to advanced does not change the types of pattern matching that are offloaded.

On FortiGates with two or more CP8s or one or more CP9s the default cp-accel-mode is advanced. You can set the mode to basic to offload fewer types of pattern matching.

Bill Dickie

Our Fearless Documentation Leader at Fortinet
After completing a science degree at the University of Waterloo, Bill began his professional life teaching college chemistry in Corner Brook, Newfoundland and fell into technical writing after moving to Ottawa in the mid '80s. Tech writing stints at all sorts of companies finally led to joining Fortinet to write the first FortiGate-300 Administration Guide.
  • Was this helpful?
  • Yes   No