NTurbo and IPSA are two hardware acceleration technologies that FortiGates can use to improve performance by offloading and accelerating flow-based UTM/NGFW content processing.
NTurbo offloading and acceleration
NTurbo improves FortiGate performance by offloading firewall sessions with flow-based security profiles to NP4 or NP6 network processors. Firewall sessions that include proxy-based security profiles or a mixture of flow-based and proxy-based security profiles are never offloaded to network processors and are always processed by the FortiGate CPU.
NTurbo creates a special data path to redirect traffic from the ingress interface to IPS, and from IPS to the egress interface. NTurbo allows firewall operations to be offloaded along this path, and still allows IPS to behave as a stage in the processing pipeline, reducing the workload on the FortiGate CPU and improving overall throughput.
If NTurbo is supported by your FortiGate unit, you can use the following command to configure it:
config ips global
    set np-accel-mode {basic | none}
end
basic: enables NTurbo and is the default setting for FortiGate models that support NTurbo.
none: disables NTurbo.
If the np-accel-mode option is not available, then your FortiGate does not support NTurbo.
There are some special cases (listed below) where sessions may not be offloaded by NTurbo, even when NTurbo is explicitly enabled. In these cases the sessions are handled by the FortiGate CPU.
- NP acceleration is disabled. For example, auto-asic-offload is disabled in the firewall policy configuration.
- The firewall policy includes proxy-based security profiles.
- The sessions require FortiOS session-helpers. For example, FTP sessions are not offloaded to NP processors because FTP sessions use the FTP session helper.
- Interface policies or DoS policies have been added to the ingress or egress interface.
- Tunneling is enabled. Any traffic to or from a tunneled interface (IPSec, IPinIP, SSL VPN, GRE, CAPWAP, etc.) cannot be offloaded by NTurbo.
IPSA offloading and acceleration
IPSA offloads and accelerates flow-based UTM/NGFW pattern matching to CP8 and CP9 content processors. IPSA is available for NTurbo and standard firewall sessions.
IPSA is supported by most FortiGate models. If your model supports IPSA, you can use the following command to configure it:
config ips global
    set cp-accel-mode {advanced | basic | none}
end
basic: offloads basic pattern matching.
advanced: offloads more types of pattern matching, resulting in higher throughput than basic mode. advanced is only available on FortiGate models with two or more CP8 processors or one or more CP9 processors.
If the cp-accel-mode option is not available, then your FortiGate does not support IPSA.
On FortiGates with one CP8, the default cp-accel-mode is basic. Setting the mode to advanced does not change the types of pattern matching that are offloaded.
On FortiGates with two or more CP8s or one or more CP9s, the default cp-accel-mode is advanced. You can set the mode to basic to offload fewer types of pattern matching.
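The np-accel-mode and cp-accel-mode commands, the list of sessions NTurbo will not offload, and the CP8/CP9 rule for advanced mode can all be checked against a configuration backup before you touch the unit. The script below is an added example, not Fortinet's code or tooling: it parses the config ips global and config firewall policy sections of a FortiOS configuration in show/backup syntax, reports per policy which of the documented NTurbo exclusions are visible in the policy text, and applies the processor rule to tell which cp-accel-mode is actually in effect. It assumes FortiOS defaults for unset keys (np-accel-mode basic, auto-asic-offload enable, flow inspection), uses the FortiOS 6.2+ policy-level inspection-mode keyword as the flow/proxy signal (older releases set the mode on the profiles), and takes the CP8/CP9 counts from the operator; the sample configuration is constructed.

```python
"""Audit a FortiOS config backup for NTurbo and IPSA settings (added example, not a
Fortinet tool): parses 'config ips global' and 'config firewall policy' from
'show'/backup syntax and flags the NTurbo exclusions visible per policy."""
import re

SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample (not from a real device); unset keys mean FortiOS defaults.
# Policy 3 uses the policy-level 'inspection-mode' keyword of FortiOS 6.2+
# (assumption; older releases set flow/proxy mode on the profiles instead).
SAMPLE_CONFIG = """\
config ips global
    set np-accel-mode basic
    set cp-accel-mode advanced
end
config firewall policy
    edit 1
        set name "lan-wan-flow"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ips-sensor "default"
    next
    edit 2
        set name "lan-wan-no-asic"
        set ips-sensor "default"
        set auto-asic-offload disable
    next
    edit 3
        set name "lan-wan-proxy"
        set inspection-mode proxy
        set av-profile "default"
    next
    edit 4
        set name "lan-wan-ftp"
        set service "FTP" "FTP_GET"
        set utm-status enable
        set ips-sensor "default"
    next
end
"""


def tokens(value):
    # Split a 'set' value into tokens, unquoting the quoted ones.
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(value)]


def parse_fortios(text):
    """Return {"ips_global": {key: tokens}, "policies": {id: {key: tokens}}}."""
    config = {"ips_global": {}, "policies": {}}
    section = current = None   # current 'config' block name / policy id
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line == "end":
            section = current = None
        elif section == "firewall policy" and line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            config["policies"][current] = {}
        elif line == "next":
            current = None
        elif m := SET_RE.match(line):
            key, value = m.group(1), tokens(m.group(2))
            if section == "ips global":
                config["ips_global"][key] = value
            elif section == "firewall policy" and current is not None:
                config["policies"][current][key] = value
    return config


def nturbo_blockers(config):
    """Per policy id, the config-visible reasons that rule out NTurbo offload;
    [] means the policy text itself shows nothing that blocks it."""
    np_mode = config["ips_global"].get("np-accel-mode", ["basic"])[0]
    report = {}
    for pid, pol in config["policies"].items():
        reasons = []
        if np_mode == "none":
            reasons.append("np-accel-mode is none: NTurbo disabled globally")
        if pol.get("auto-asic-offload", ["enable"])[0] == "disable":
            reasons.append("auto-asic-offload disabled on the policy")
        if pol.get("inspection-mode", ["flow"])[0] == "proxy":
            reasons.append("proxy-based inspection on the policy")
        # FTP services ride the FTP session helper, which keeps them on the CPU.
        ftp = [s for s in pol.get("service", []) if s.upper().startswith("FTP")]
        if ftp:
            reasons.append("service %s uses the FTP session helper" % "/".join(ftp))
        report[pid] = reasons
    return report


def effective_cp_accel_mode(cp_accel_mode, cp8, cp9):
    """IPSA mode actually in effect: 'advanced' needs >= 2 CP8s or >= 1 CP9;
    on a single-CP8 model a configured 'advanced' behaves as basic."""
    if cp_accel_mode == "none":
        return "none"
    if cp_accel_mode == "advanced" and (cp8 >= 2 or cp9 >= 1):
        return "advanced"
    return "basic"


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for pid, why in nturbo_blockers(cfg).items():
        print(pid, cfg["policies"][pid]["name"][0], "; ".join(why) or "no blockers in policy text")
```

Running the script prints one line per sample policy: policy 1 has no blockers in its text, policy 2 is held back by auto-asic-offload, policy 3 by proxy inspection and policy 4 by the FTP session helper. A policy that passes this check can still be handled by the CPU: session helpers on other ports, interface or DoS policies and tunnel interfaces are not visible in the policy text, so confirm offload state on the unit itself with diagnose sys session list.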
The post Offloading flow-based content inspection with NTurbo and IPSA appeared first on Fortinet Cookbook.