Hardware Acceleration on FortiGate Flashcards

1
Q

SPU

A

Security Processing Unit: specialized acceleration hardware or an application-specific integrated circuit (ASIC) that can offload resource-intensive processing from the main processing unit (CPU) on the FGT.

Can be a network processor (NP) or a content processor (CP), or both.

2
Q

NP

A

Works at the interface level
Accelerates traffic by offloading traffic from the CPU
Can encrypt and decrypt IPsec VPN
Performs IP integrity header check

Latest Version: NP7

FGT example: FGT 900G

3
Q

CP

A

Focused on the application
Accelerates common resource-intensive security processes, such as application identification, IPS, and antivirus in flow-based mode
Can decrypt and encrypt for SSL deep inspection

Latest Version: CP9

Example: FGT 900G

4
Q

SP

A

Includes light versions of the NP and CP
For entry-level and mid-range FGT devices

Latest Version: SP5

Example: FGT 90G

5
Q

How to Identify SPU information

A

To check the NP model available on the FGT:
diagnose hardware lspci | grep 1a29

9b:00.0 Class 1000: Device 1a29:NPID (1a29 is the PCI vendor ID for Fortinet)
If NPID is 4e36 = NP6
If NPID is 4e37 = NP7

To determine the CP model available:
get hardware status

ASIC version: CP8

To confirm SP5 on a FortiGate:
get hardware status

ASIC version: SOC5

6
Q

NP Direct Architecture

A

Available on FGT devices that have two or more NP6 processors, like the FGT 200E, 2000E, 2500E

Available on FGT devices that have X5 or X8 ports directly connected to the NP7 processor, like the FGT 400F, 600F, 900G

Hardware architecture in which a FortiASIC network processor is directly connected to the interfaces, eliminating the internal switch fabric (ISF).

Reduces forwarding latency

The physical topology must ensure that all traffic passes through the offloaded interfaces of one NP6/NP7 processor

7
Q

NTurbo

A

Offloads traffic when flow-based security profiles are used
-Usual NP offloading cannot be used with security profiles
-Anything that is handled by the IPS engine can use NTurbo
Creates a special data path to redirect traffic from the ingress interface to the IPS engine
For a new session, the NTurbo driver sends packets to the IPS engine
-The IPS engine processes the required security action
-The IPS engine then sends the packet back to the NTurbo driver
NTurbo continues to send processed packets back to the NP
As a consequence, NTurbo improves IPS performance.

8
Q

NTurbo and IPSA

A

IPSA = IPS Acceleration

Configure NTurbo to distribute sessions with flow-based security profiles to different IPS engine processes
Configure IPSA to offload pattern matching to CPs

config ips global
set np-accel-mode {none | basic} -> Basic is default
set cp-accel-mode {none | basic | advanced} -> Basic is default for devices with one CP8; Advanced is default to offload more pattern matching

Disable NTurbo on a firewall policy for testing purposes:
config firewall policy
edit <policy_id>
set no-acceleration {disable | enable} -> Enabled is default
end

9
Q

Basic NP Offload Session Flow

A

The FGT CPU always processes the first part of the traffic:
-TCP traffic: the three-way handshake
-UDP traffic: the first packet
The CPU then offloads the rest of the session to the NP processor
FIN and RST packets are handled by the CPU

10
Q

Life of a Packet - Initial Session

A

Network Interface(M) -> NP6/7[Access Control List (ACL) -> Host Protection Engine (HPE) -> IP integrity header checking(M) -> IPsec VPN decryption -> Kernel(M) -> UTM/NGFW [Flow -> Proxy -> Explicit Web Proxy -> Botnet Check] -> Kernel Forwarding -> Source NAT -> NP6/7[IPsec VPN encryption] -> Traffic Shaping -> Wan optimization -> Network interface(M)

(M) = Mandatory

11
Q

Life of a Packet - Offloaded Non-UTM session

A

Network Interface(M) -> NP6/7[IP integrity header checking(M) -> IPsec VPN decryption -> IPsec VPN encryption -> Traffic Shaping] -> Wan Optimization -> Network Interface(M)

(M) = Mandatory

12
Q

Life of a Packet - NTurbo/Flow-Based UTM sessions

A

Network Interface(M) -> NP6/7[IP integrity header checking(M) -> IPsec VPN decryption -> IPS ENGINE(CPU/CP8/9)[Flow-Based UTM/NGFW(M) -> IPSA Single-pass rule matching(M)] -> IPsec VPN encryption -> Traffic Shaping] -> Wan Optimization -> Network Interface(M)

(M) = Mandatory

13
Q

Life of a Packet - Proxy-Based UTM sessions

A

Network Interface(M) -> NP6/7[ACL -> IP integrity header checking(M) -> IPsec VPN decryption -> IPS ENGINE(CPU/CP8/9)[Single-pass IPS, Application, Botnet, SSL inspection] -> Proxy[VoIP inspection, DLP, Antispam, web filtering, antivirus] -> IPsec VPN encryption -> Traffic Shaping] -> Wan Optimization -> Network Interface(M)

(M) = Mandatory

14
Q

Configuring at Different OSI Model Layers

A

Physical Layer with inter-VDOM links
Data Link Layer with DVLAN and VXLAN
IP layer with IPsec
Application layer with traffic handled by IPS engines

15
Q

Configuring VDOM Link Acceleration

A

VDOM link interfaces associated with an NP processor are accelerated.
Naming convention: npu_vlink0 and npu_vlink1
Assign each VDOM link to offload traffic between two VDOMs

16
Q

VLAN over NPU VDOM link

A

VLANs allow you to create more accelerated inter-VDOM links, since the number of VDOM links per NP is limited

Network > Interfaces

config system interface
edit <name> -> Name of the VLAN interface created over an NPU VLINK
set vdom <vdom> -> VDOM associated with the VLAN
...
set interface "npu0_vlink1" -> NPU VLINK associated with the configured VLAN
set vlanid 10 -> VLAN ID must be the same on both NPU VLINKs

17
Q

VDOM Link Acceleration Validation

A

Confirm acceleration: diagnose sys session list
…offload=9/9 (code 9 represents NP7)…

Configure the acceleration in a firewall policy:
config firewall policy
edit 1
set auto-asic-offload {enable (default) | disable}

When acceleration is disabled in a firewall policy, it is confirmed in the session list:
diagnose sys session list
npu_state=0x000001 no_offload
no_ofld_reason: disabled-by-policy

18
Q

DVLAN and VXLAN

A

NP7 offloads 802.1AD and 802.1Q double VLAN (DVLAN)

To view the current DVLAN mode setting:
diag npu np7 dvlan-mode-list
Device_name Dvlan_mode
np7_0 802.1AD
np7_1 802.1AD -> Default mode

To change the DVLAN mode:
diag npu np7 dvlan-mode {802.1Q | 802.1AD} <dev-id> -> can be set per NP7 ID or for all

19
Q

IPsec Encryption and Decryption Offloading

A

You can offload IPsec encryption and decryption to hardware on some FGT models
Hardware offloading capabilities and supported algorithms vary by processor type and model
By default, offloading is enabled for supported algorithms
To manually disable it:
config vpn ipsec phase1-interface
edit <tunnel_name>
set npu-offload {enable | disable}

20
Q

Session NPU-Flags

A

diagnose vpn tunnel list name Hub2Spoke1

npu_flag=** …

00 = Both IPsec SAs loaded in the kernel only
01 = Outbound IPsec SA copied to the NPU
02 = Inbound IPsec SA copied to the NPU
03 = Both inbound and outbound IPsec SAs copied to the NPU
20 = Unsupported cipher or HMAC; the IPsec SA cannot be offloaded

21
Q

IPsec Diffie-Hellman Offloading

A

The FGT accelerates the DH key exchange for IPsec ESP traffic

You can disable ASIC offloading globally with the following command (especially for troubleshooting):
config system global
set ipsec-asic-offload disable -> Enabled is default
end

22
Q

Strict Header Checking

A

By default, the FGT performs basic header checking on the NPs, including:
L4 header length, IP header length, IP version, IP checksum, IP options

You configure strict header checking to add ESP packet checking, including:
ESP sequence number, SPI, data length

config system global
set check-protocol-header {loose (default) | strict}

Strict disables all NPs, CPs, and SPs

23
Q

Best Practices

A

Consider these especially for entry-level models in an enterprise network

FGT inspection modes have an impact on resources:
Flow-based - Default, with offload possibilities; optimizes performance
Proxy-based - Processed by the FGT proxy on the CPU; provides thorough inspection and supports advanced features like safe search

Encrypted traffic that requires SSL inspection can impact throughput:
SSL deep inspection can cause high CPU and memory usage
All traffic needs to be decrypted, inspected, and re-encrypted
Use hardware acceleration to offload SSL processing

NPs help offload resource-intensive processing from the main CPU:
Offload high volumes of network traffic and firewall sessions that include flow-based security profiles, but not proxy-based ones

A firewall policy with mixed security profiles does not offload

There are some cases where sessions are not offloaded even if offloading is available:
NP acceleration is disabled on the policy
The firewall policy includes proxy-based inspection
The firewall session requires FortiOS session helpers
Tunnelling is enabled (except for IPsec VPN sessions)