FortiGate-ASM-FB4 accelerated network processing
FortiGate-ASM-FB4 Version 1.0 Technical Note
01-30005-0424-20071002
FortiGate units can offload some types of network traffic processing from main
processing resources to a FortiGate-ASM-FB4 module, which contains
specialized network processing hardware. If your network contains a significant
volume of traffic that is suitable for offloading, FortiGate-ASM-FB4 module
hardware acceleration can significantly improve your network throughput.
Hardware acceleration generally alters packet processing flow as follows:
1. Packets initiating a session pass to the FortiGate unit’s main processing
resources.
2. The FortiGate unit assesses whether the session matches fast path (offload)
requirements.
To be suitable for offloading, traffic must have only characteristics that the
fast path can process. For a list of requirements, see “Offloading requirements”
on page 8.
If the traffic is categorized as fast path friendly, the FortiGate unit sends the
session key or IPSec security association (SA) and configured processing action
to the FortiGate-ASM-FB4 module.
3. The FortiGate-ASM-FB4 module continuously matches packets arriving on its
network interfaces against the session keys and SAs it has received from the
FortiGate unit.
• If a FortiGate-ASM-FB4 module’s network interface is configured to perform
hardware accelerated anomaly checks, the FortiGate-ASM-FB4 module drops
or accepts packets which match the configured anomaly patterns. These
checks are separate from anomaly checks performed by IPS, which is not
compatible with FortiGate-ASM-FB4 module offloading. For details, see
“config system interface” on page 13.
• The FortiGate-ASM-FB4 module next checks for a matching session key or
SA. If a matching session key or SA is found, and if the packet meets packet
requirements, the FortiGate-ASM-FB4 module processes the packet
according to the configured action and then sends the resulting packet. Packet
processing is hardware accelerated.
• If a matching session key or SA is not found, or if the packet does not meet
packet requirements, the traffic cannot be offloaded. The FortiGate-ASM-FB4
module sends the data to the FortiGate unit’s main processing resources,
which process the packet. Packet processing is similar to normal network
interfaces (that is, packet processing is not hardware accelerated by the
FortiGate-ASM-FB4 module, and requires main processing resources). Packet
forwarding occurs at normal rates.
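
The dispatch order in steps 2 and 3 can be traced with a small model. This is an added example, not Fortinet code. The 5-tuple session key, the "no fragments" packet requirement, the source-equals-destination anomaly pattern and all names and addresses are assumptions made for illustration, and an "accept" verdict is assumed to let the packet continue to the session lookup.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    fragmented: bool = False

    @property
    def key(self):
        return (self.src, self.sport, self.dst, self.dport, self.proto)  # assumed 5-tuple key


class FastPathModule:
    def __init__(self, anomaly_checks=()):
        self.sessions = {}                    # session key -> configured action
        self.anomaly_checks = anomaly_checks  # (predicate, "drop" or "accept") pairs

    def install(self, key, action):
        """Step 2: main processing resources push a key and action to the module."""
        self.sessions[key] = action

    def dispatch(self, pkt):
        """Step 3: return where an arriving packet is handled."""
        for matches, verdict in self.anomaly_checks:      # anomaly checks run first
            if matches(pkt) and verdict == "drop":
                return "dropped"
        action = self.sessions.get(pkt.key)
        if action is not None and not pkt.fragmented:     # assumed packet requirement
            return "fast-path:" + action
        return "main-cpu"                                 # no key, or packet not eligible


def is_land(pkt):
    """Constructed anomaly pattern: source and destination are identical."""
    return pkt.src == pkt.dst and pkt.sport == pkt.dport


def run_demo():
    module = FastPathModule(anomaly_checks=[(is_land, "drop")])
    first = Packet("10.0.0.5", 40000, "192.0.2.10", 443, "tcp")   # constructed sample
    results = [module.dispatch(first)]          # session start: no key installed yet
    module.install(first.key, "forward")        # session judged fast path friendly
    results.append(module.dispatch(first))      # later packet of the same session
    results.append(module.dispatch(Packet("10.0.0.5", 40000, "192.0.2.10", 443, "tcp", True)))
    results.append(module.dispatch(Packet("192.0.2.10", 80, "192.0.2.10", 80, "tcp")))
    return results
```

`run_demo()` walks one session through the flow: the first packet and the fragment are handled by main processing resources, the established session is accelerated, and the anomalous packet is dropped on the module before any session lookup.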