HA Active-Active Offloading Requirements - Fortinet FortiGate FortiGate-ASM-FB4 Technical Note

Version 1.0

Exceptions to offloading requirements

HA active-active offloading requirements

To apply hardware accelerated encryption and decryption, the FortiGate unit must
first perform Phase 1 negotiations to establish the security association (SA).
The SA includes cryptographic processing instructions required by the
FortiGate-ASM-FB4 module, such as which encryption algorithms must be applied to
the tunnel. After ISAKMP negotiations, the FortiGate unit sends the SA to the
FortiGate-ASM-FB4 module, enabling the FortiGate-ASM-FB4 module to apply the
negotiated hardware accelerated encryption or decryption to tunnel traffic.
Possible accelerated cryptographic paths are:

IPSec decryption offload
  - Ingress ESP packet > Offloaded decryption > Decrypted packet egress (fast path)
  - Ingress ESP packet > Offloaded decryption > Decrypted packet to FortiGate unit

IPSec encryption offload
  - Ingress packet > Offloaded encryption > Encrypted (ESP) packet egress (fast path)
  - Packet from FortiGate unit > Offloaded encryption > Encrypted (ESP) packet egress

FortiGate-ASM-FB4 modules can improve network performance in active-active
(load balancing) high availability (HA) configurations, even though traffic
deviates from general offloading patterns in that it involves more than one
FortiGate-ASM-FB4 module, each in a separate FortiGate unit. No additional
offloading requirements apply.
Once the primary FortiGate unit sends a session key to its FortiGate-ASM-FB4
module, the FortiGate-ASM-FB4 module on the primary unit can redirect any
subsequent session traffic to other cluster members, reducing traffic redirection
load on the primary unit's main processing resources.
As subordinate units receive redirected traffic, each FortiGate-ASM-FB4 module
in the cluster assesses and processes session offloading independently. Session
key states are not part of synchronization traffic between HA members.
For more information about active-active HA load balancing, see the
FortiGate HA Overview.

FortiGate-ASM-FB4 accelerated network processing
FortiGate-ASM-FB4 Version 1.0 Technical Note
01-30005-0424-20071002
