Hardware Acceleration (NPs) on FortiGate
Most FortiGate models have specialized acceleration hardware: SPUs, CPs, SPs and NPs. Each has its own functionality and benefits to FortiGate; our focus will be on NPs.
Network processors (NPs) can offload network traffic to specialized hardware that is optimized to provide high levels of network throughput. Sessions that are offloaded to the NPU get higher throughput than traffic that is not offloaded.
Have you wondered why connecting directly to a physical port on FortiGate sometimes helps in troubleshooting throughput issues? Not all types of interfaces support being offloaded to the NPU.
By the end of this article, I'm hoping you will have an understanding of which interfaces and sessions are offloaded, getting better throughput as a result.
**************************************************************************
Part 1: Interfaces
The below interfaces do not support being offloaded to NPU:
- Loopback interface: it's a logical/software interface with no physical dependency.
- Software switches: a virtual switch, even though its interfaces act like hardware switch interfaces.
- PPPoE interfaces: handled by the PPP software process, and connections are terminated in virtual interfaces. That's why non-PPPoE interfaces might provide better throughput than PPPoE ones.
All of these interfaces are either logical/software interfaces or terminated in virtual interfaces, which won't be offloaded to NPs.
Approach: Use physical or VLAN interfaces that bind to fixed ports in order to ensure traffic is offloaded to NP.
**************************************************************************
Part 2: Architecture
I will make my example specific to the FGT 200E, which has NP6Lite. NP6Lite works the same way as NP6 but is a lighter version.
The NP6lites are connected to network interfaces as follows:
- NP6lite_0 is connected to six 1GE RJ-45 interfaces (port9-port14) and four 1GE SFP interfaces (port15-18).
- NP6lite_1 is connected to ten 1GE RJ45 interfaces (wan1, wan2, port1-port8).
Traffic will only be offloaded if it enters and exits the FortiGate on interfaces connected to the same NP6lite.
Approach: Understand your FortiGate NP architecture and design your network accordingly.
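The interface rules from Part 1 and the same-NP rule above can be checked at design time. The following is an added example, not Fortinet code or part of the original article: it uses the FGT 200E port mapping listed above, while the interface dictionaries, type labels and function names are hypothetical.

```python
import re

# Port-to-NP6lite mapping for the FGT 200E as listed in the article
# ("port15-18" is written here as "port15-port18").
NP_PORTS = {
    "NP6lite_0": ["port9-port14", "port15-port18"],
    "NP6lite_1": ["wan1", "wan2", "port1-port8"],
}
# Interface types the article lists as never offloaded (labels are assumptions).
SOFTWARE_TYPES = {"loopback", "software-switch", "pppoe"}

def expand(spec):
    """Expand 'port9-port14' into port9..port14; single names pass through."""
    m = re.fullmatch(r"([a-z]+)(\d+)-\1(\d+)", spec)
    if not m:
        return [spec]
    return [f"{m.group(1)}{n}" for n in range(int(m.group(2)), int(m.group(3)) + 1)]

PORT_TO_NP = {p: np for np, specs in NP_PORTS.items() for s in specs for p in expand(s)}

def np_for(iface):
    """Return the NP behind an interface, or None if it cannot be offloaded.
    iface is a hypothetical dict: {"name", "type", optional "parent"}.
    A VLAN resolves to the NP of its parent physical port."""
    if iface["type"] in SOFTWARE_TYPES:
        return None
    port = iface["parent"] if iface["type"] == "vlan" else iface["name"]
    return PORT_TO_NP.get(port)

def offload_eligible(ingress, egress):
    """Interface-level check only; the session must still meet the
    fast path requirements covered in Part 3."""
    a, b = np_for(ingress), np_for(egress)
    if a is None or b is None:
        bad = ingress if a is None else egress
        return False, f"{bad['name']} ({bad['type']}) is not an NP-backed interface"
    if a != b:
        return False, f"ingress on {a}, egress on {b}"
    return True, f"both on {a}"

if __name__ == "__main__":
    # Constructed sample interfaces, not taken from a real configuration.
    lan = {"name": "port1", "type": "physical"}
    dmz = {"name": "port9", "type": "physical"}
    wan = {"name": "wan1", "type": "physical"}
    for src, dst in [(lan, wan), (dmz, wan)]:
        print(src["name"], "->", dst["name"], offload_eligible(src, dst))
```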
**************************************************************************
Part 3: Sessions
NP6Lite can offload the same sessions as NP6 but has its own limitations.
Approach: Ensure your sessions meet the NP6 fast path criteria, and take NP6Lite limitations into consideration (see: NP6 Session Fast Path Requirements).
If your session doesn't support being offloaded, then there's not much to do here.
**************************************************************************
Part 4: Verification
To check which sessions are offloaded to the NPU, go to FortiView > All Sessions. If your session is offloaded, you will see something similar to the below screenshot:
**************************************************************************
Your situation might differ depending on which NP your FortiGate has, so follow this approach when dealing with other NPs:
- Check the NP architecture.
- Check the NP Fast Path Requirements.
- Does your interface support being offloaded to NPU?
- Does your session support being offloaded to NPU?
Last but not least, covering all aspects of this topic in a single article is hard, yet I hope what I covered was helpful for you.
--
7 months ago: Hi, after updating FortiGate from 7.0.15 to 7.2.9, I noticed that in the FortiView Sessions section, information about offloaded sessions in the SPU column is no longer displayed. Moreover, if you filter by SPU, it seems to work, but there is still no information in the column. I tested this in Safari and Google Chrome.
Information Security Analyst II
2 years ago: Ícaro José de Arruda de Carvalho
Cyber Security Manager
4 years ago: Pretty interesting, thanks for the fruitful subject