FortiGate-ASM-FB4 Version 1.0 Technical Note
8
01-30005-0424-20071002
FortiGate-ASM-FB4 accelerated network processing
Some traffic processing can still be hardware accelerated, even though it does not
meet general offloading requirements. For example, some IPSec traffic originates
from the FortiGate unit itself and does not follow the offloading requirement of
ingress from a FortiGate-ASM-FB4 module network interface, but FortiGate units
can still utilize FortiGate-ASM-FB4 module encryption capabilities. For information
on exceptions, see “Exceptions to offloading requirements” on page 9.
Packet forwarding rates vary by the percentage of offloadable processing and the
type of network processing required by your configuration, but are independent of
frame size. For optimal traffic types, network throughput can equal wire speed.
This section includes the following topics:
• Offloading requirements
• Exceptions to offloading requirements
Offloading requirements
Offloading traffic to the FortiGate-ASM-FB4 module requires that the FortiGate
unit configuration and the traffic itself are suited to hardware acceleration.
Sessions must be fast path ready. Fast path ready session characteristics are:
• Layer 2 type/length must be 0x0800 (IEEE 802.1q VLAN specification is
supported); link aggregation between FortiGate-ASM-FB4 module network
interfaces may be used (IEEE 802.3ad specification is supported)
• Layer 3 protocol must be IPv4
• Layer 4 protocol must be UDP, TCP or ICMP
• Layer 3 / Layer 4 header or content modification must not require a session
helper (for example, SNAT, DNAT, and TTL reduction are supported, but
application layer content modification is not supported)
• FortiGate unit firewall policy must not require antivirus or IPS inspection
• origin must not be local host (the FortiGate unit)
• ingress and egress network interfaces are both located on the same
FortiGate-ASM-FB4 module
If a session is not fast path ready, the FortiGate unit will not send the session key
to the FortiGate-ASM-FB4 module. Without the session key, every session key
lookup for incoming packets of that session fails, so all of the session's packets are
sent to the FortiGate unit’s main processing resources and processed at normal
speeds.
If a session is fast path ready, the FortiGate unit will send the session key to the
FortiGate-ASM-FB4 module. Session key lookup then succeeds for subsequent
packets from the known session. Packets within the session must then also meet
packet requirements.
• Incoming packets must not be fragmented.
Note: If you disable anomaly checks by Intrusion Prevention (IPS), you can still enable
hardware accelerated anomaly checks. For details, see “config system interface” on
page 13.
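The header-visible requirements above (layer 2 type, IPv4, layer 4 protocol, no fragmentation) can be checked against raw frame bytes, as in this added example, which is not Fortinet code and does not reproduce the module's own lookup logic. The function names, the session inputs passed to `session_blockers`, and the sample frames are assumptions constructed for illustration.

```python
import struct

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100
L4_ALLOWED = {1, 6, 17}  # ICMP, TCP, UDP

def frame_blockers(frame: bytes) -> list:
    """Reasons a raw Ethernet frame fails the header-level requirements listed above."""
    if len(frame) < 14:
        return ["truncated Ethernet header"]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    ip_off = 14
    if ethertype == ETH_VLAN:  # single 802.1Q tag: the real type follows the 2-byte TCI
        if len(frame) < 18:
            return ["truncated 802.1Q tag"]
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        ip_off = 18
    if ethertype != ETH_IPV4:
        return ["layer 2 type 0x%04x is not 0x0800" % ethertype]
    if len(frame) < ip_off + 20:
        return ["truncated IPv4 header"]
    ver_ihl, _, _, _, flags_frag, _, proto = struct.unpack_from("!BBHHHBB", frame, ip_off)
    reasons = []
    if ver_ihl >> 4 != 4:
        reasons.append("layer 3 protocol is not IPv4")
    if proto not in L4_ALLOWED:
        reasons.append("layer 4 protocol %d is not UDP, TCP or ICMP" % proto)
    if flags_frag & 0x3FFF:  # MF flag (0x2000) or non-zero fragment offset
        reasons.append("packet is fragmented")
    return reasons

def session_blockers(helper, av_or_ips, local_origin, in_module, out_module) -> list:
    """Reasons from session/policy state; the caller supplies it (hypothetical inputs)."""
    checks = [(helper, "session helper required"),
              (av_or_ips, "firewall policy requires antivirus or IPS"),
              (local_origin, "origin is the local host"),
              (in_module != out_module, "ingress and egress are on different modules")]
    return [why for failed, why in checks if failed]

def build_frame(proto, flags_frag=0x4000, vlan=None, ethertype=ETH_IPV4) -> bytes:
    """Constructed test frame: zero MACs, documentation addresses, checksum left 0."""
    eth = bytes(12) + (struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b"")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, flags_frag, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return eth + struct.pack("!H", ethertype) + ip

if __name__ == "__main__":
    samples = {"tcp": build_frame(6), "vlan udp": build_frame(17, vlan=10),
               "fragment": build_frame(17, flags_frag=0x2000),
               "gre": build_frame(47), "ipv6 type": build_frame(6, ethertype=0x86DD)}
    for name, frame in samples.items():
        print(name, "->", frame_blockers(frame) or "meets header-level requirements")
```

An empty list from both functions means the traffic matches the listed requirements; any returned reason identifies traffic that stays on the FortiGate unit's main processing resources.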