FG 60D and SPU/NPU offload

Author
mzachar
New Member
  • Total Posts : 7
  • Scores: 2
  • Reward points: 0
  • Joined: 2019/04/21 11:56:12
  • Status: offline
2019/10/31 06:55:05 (permalink)
0

FG 60D and SPU/NPU offload

Hello Experts,
 
I am a user of an FGT60D which is deployed in proxy mode as a firewall only. No UTM services.
I have not configured anything under Security Profiles.
 
Recently, after upgrading my ISP bandwidth from 120Mbps to 500Mbps I have noticed my FG is now a bottleneck.
When I check the Sessions widget in the Dashboard I can see the number of sessions and SPU 0.0%.
Executing the diagnose sys session list command, I can see that none of the sessions is offloaded to the SPU/NPU, with lots of reasons like:
no_ofld_reason:  local
no_ofld_reason:  non-npu-intf
 
 
When I connect directly to the FG on the DMZ port I get 100% of the bandwidth.
When I connect directly to the FG on Port1, which is a trunk (native VLAN + a few tagged VLANs; the FG is the DHCP server), I get 35% of the bandwidth, no matter which VLAN.
 
My question is the following:
The FG60D has an NP4Lite NPU which should allow offloading most of the firewall processing from the CPU to the NPU. I have never deactivated it; what should I do to take advantage of NPU offloading?
 
 
#1
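The question above is really about reading the diagnose sys session list output at scale: on a busy unit there are far too many sessions to inspect by hand, so a small script that tallies the no_ofld_reason values and counts sessions that do carry an npu info line tells you at a glance whether the box is offloading at all and, if not, why. The following is an added example and not code from the thread or from Fortinet; the session text embedded in it is a constructed sample modelled on the field layout of the real output, with made-up addresses, serials and policy ids, and the reading of a non-zero offload=a/b pair as "handled by the NPU" is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the layout of `diagnose sys session list` output.
# Addresses, serials and policy ids are made up; only the field names follow
# the real format. Two sessions are not offloaded (the reasons seen in the
# thread), the third carries an "npu info" line.
SAMPLE_OUTPUT = """\
session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=log may_dirty npu none
orgin->sink: org pre->post, reply pre->post dev=5->7/7->5 gwy=192.0.2.1/198.51.100.2
hook=post dir=org act=snat 192.0.2.10:51234->198.51.100.20:443(203.0.113.5:51234)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0000abcd tos=ff/ff app_list=0 app=0 url_cat=0
no_ofld_reason:  non-npu-intf
session info: proto=17 proto_state=01 duration=2 expire=178 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=may_dirty npu none
hook=post dir=org act=noop 192.0.2.10:53021->192.0.2.1:53(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0000abce tos=ff/ff app_list=0 app=0 url_cat=0
no_ofld_reason:  local
session info: proto=6 proto_state=01 duration=40 expire=3560 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=log may_dirty npu
hook=post dir=org act=snat 192.0.2.11:40000->198.51.100.30:443(203.0.113.5:40000)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=0000abcf tos=ff/ff app_list=0 app=0 url_cat=0
npu_state=0x000c00
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=64/64, ipid=64/64, vlan=0x0000/0x0000
total session 3
"""

SESSION_START = "session info:"


def parse_sessions(text):
    """Split raw session-list output into one dict per session."""
    sessions = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(SESSION_START):
            if current is not None:
                sessions.append(current)
            m = re.search(r"\bproto=(\d+)", line)
            current = {
                "proto": int(m.group(1)) if m else None,
                "policy_id": None,
                "no_ofld_reason": None,
                "offloaded": False,
            }
            continue
        if current is None:
            continue  # any header text before the first session
        if line.startswith("no_ofld_reason:"):
            current["no_ofld_reason"] = line.split(":", 1)[1].strip()
        elif line.startswith("npu info:"):
            # Assumption: a non-zero offload=a/b pair means the NPU handles
            # at least one direction of the session.
            m = re.search(r"offload=(\d+)/(\d+)", line)
            if m and (int(m.group(1)) or int(m.group(2))):
                current["offloaded"] = True
        else:
            m = re.search(r"\bpolicy_id=(\d+)", line)
            if m:
                current["policy_id"] = int(m.group(1))
    if current is not None:
        sessions.append(current)
    return sessions


def summarize(sessions):
    """Count offloaded sessions and tally the reasons given for the rest."""
    reasons = Counter(s["no_ofld_reason"] for s in sessions if s["no_ofld_reason"])
    offloaded = sum(1 for s in sessions if s["offloaded"])
    total = len(sessions)
    return {
        "total": total,
        "offloaded": offloaded,
        "offload_pct": round(100.0 * offloaded / total, 1) if total else 0.0,
        "reasons": dict(reasons),
    }


if __name__ == "__main__":
    report = summarize(parse_sessions(SAMPLE_OUTPUT))
    print(f"{report['offloaded']}/{report['total']} sessions offloaded "
          f"({report['offload_pct']}%)")
    for reason, count in sorted(report["reasons"].items()):
        print(f"  not offloaded: {reason:<14} {count}")
```

Paste the captured CLI output in place of SAMPLE_OUTPUT (or read it from a file) and run the script. A count of "local" is expected on any unit, since those sessions terminate on the FortiGate itself (DNS, DHCP, management) and are never candidates for offload; the figure to watch is the share of transit sessions tagged "non-npu-intf", which is exactly the symptom the thread traces back to the software switch.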
mzachar
New Member
  • Total Posts : 7
  • Scores: 2
  • Reward points: 0
  • Joined: 2019/04/21 11:56:12
  • Status: offline
Re: FG 60D and SPU/NPU offload 2019/10/31 08:14:22 (permalink) · marked Helpful by monogrant 2019/12/09 14:18:27
5 (1)
UPDATE:
 
Ok, I have gathered some more info on this topic.
Apparently, there can be two possible causes of my traffic not being accelerated in hardware.
 
1st. I use a software switch to have a set of VLANs spanned over more than one hardware interface.
 
2nd. I use proxy-mode inspection. But this one is unclear to me, because although I use proxy mode I do not think I use any proxy-based security profiles. “Firewall sessions that include proxy-based security profiles or a mixture of flow-based and proxy-based security profiles are never offloaded to network processors and are always processed by the FortiGate CPU.” according to the Cookbook. As I wrote before, I did not configure anything under Security Profiles, if this is the place mentioned in the quote.
#2
mzachar
New Member
  • Total Posts : 7
  • Scores: 2
  • Reward points: 0
  • Joined: 2019/04/21 11:56:12
  • Status: offline
Re: FG 60D and SPU/NPU offload 2019/10/31 14:27:21 (permalink)
0
SOLVED
So it seems you need to use a hardware switch to be able to take advantage of hardware acceleration. A software switch is CPU intensive and won't offload traffic to NPU/SPU hardware acceleration. Now SPU usage is visible in the Dashboard Sessions widget and the full bandwidth is available.
 
I did not have to change the inspection mode from the current proxy mode to flow-based, as I am not using any proxy security profiles.
#3
ede_pfau
Expert Member
  • Total Posts : 6354
  • Scores: 537
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: FG 60D and SPU/NPU offload 2019/11/01 02:00:16 (permalink)
0
Hi,
 
thanks again for sharing and solving it yourself. In fact, use of a software switch has long been known to put a lot of load onto the CPU. Fortunately, from the midrange on, FGTs often include a switch chip (ISF), so it's not that common.
Of course, there are exceptions: the 200E doesn't have a switch chip, but the 60E does...

Ede

"Kernel panic: Aiee, killing interrupt handler!"
#4