Exceptions to Offloading Requirements; IPSec Offloading Requirements - Fortinet FortiGate FortiGate-ASM-FB4 Technical Note

Version 1.0
FortiGate-ASM-FB4 accelerated network processing

Exceptions to offloading requirements

IPSec offloading requirements

FortiGate-ASM-FB4 Version 1.0 Technical Note
01-30005-0424-20071002
Outgoing packets must not require fragmentation to a size less than 385 bytes. Because of this requirement, the configured MTU for the FortiGate-ASM-FB4 module's network interfaces must also meet or exceed the FortiGate-ASM-FB4-supported minimum MTU of 385 bytes.

If packet requirements are not met, an individual packet will use FortiGate unit main processing resources, regardless of whether other packets in the session are offloaded to the FortiGate-ASM-FB4 module. In some cases, due to these requirements, a protocol's session(s) may receive a mixture of offloaded and non-offloaded processing.

For example, FTP uses two connections: a control connection and a data connection. The control connection requires a session helper, and cannot be offloaded, but the data connection does not require a session helper, and can be offloaded. Within the offloadable data session, fragmented packets will not be offloaded, but other packets will be offloaded.
Some traffic types differ from general offloading requirements, but still utilize FortiGate-ASM-FB4 modules' encryption and other capabilities. Exceptions include IPSec traffic and active-active high availability (HA) load balanced traffic.

FortiGate-ASM-FB4 modules contain features to improve IPSec tunnel performance. For example, FortiGate-ASM-FB4 modules can encrypt and decrypt packets, reducing cryptographic load on the FortiGate unit's main processing resources.

Requirements for hardware accelerated IPSec encryption or decryption are a modification of general offloading requirements. Differing characteristics are:
• origin can be the local host (the FortiGate unit)
• in the Phase 1 configuration, Local Gateway IP must be specified as an IP address of a network interface on the FortiGate-ASM-FB4 module
• the SA must have been received by the FortiGate-ASM-FB4 module
• in the Phase 2 configuration:
  • encryption algorithm must be DES, 3DES, AES-128, AES-192, AES-256, or null
  • authentication must be MD5, SHA1, or null
  • if encryption is null, authentication must not also be null
  • if replay detection is enabled, enc-offload-antireplay must also be enabled in the CLI
Note: If replay detection is enabled in the Phase 2 configuration, you can enable or disable IPSec encryption and decryption offloading from the CLI. Performance varies by those CLI options and the percentage of packets requiring encryption or decryption. For details, see "config system npu" on page 15.
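The requirements above decide, per tunnel, whether encryption and decryption stay on the module or fall back to the FortiGate unit's main CPU, so a configuration audit is a natural check before deployment. The following is an added example, not Fortinet code: it evaluates constructed tunnel records (plain dicts, not FortiOS objects) against the configuration-visible rules in this note, including the general 385-byte MTU minimum, and separately flags the offloadable algorithms (DES, MD5, null) that are weak by today's standards. The key `local_gw_on_module` is an assumed stand-in for "Phase 1 Local Gateway IP is an address on a FortiGate-ASM-FB4 interface"; whether the SA was actually received by the module is a runtime condition it cannot check.

```python
# Added example (not Fortinet code): audit constructed tunnel records against the
# offload requirements in this note. `local_gw_on_module` is an assumed stand-in for
# "Phase 1 Local Gateway IP is an address on a FortiGate-ASM-FB4 interface".
OFFLOAD_ENC = {"des", "3des", "aes128", "aes192", "aes256", "null"}  # Phase 2, per the note
OFFLOAD_AUTH = {"md5", "sha1", "null"}
MIN_MTU = 385                   # smallest MTU the module supports
WEAK = {"des", "md5", "null"}   # offloadable, but not adequate protection today


def check_offload(cfg):
    """Reasons a tunnel's packets would fall back to main-CPU crypto; [] if none.
    SA receipt by the module is a runtime condition and is not checked here."""
    enc = cfg.get("encryption", "").lower()
    auth = cfg.get("authentication", "").lower()
    reasons = []
    if not cfg.get("local_gw_on_module", False):
        reasons.append("Phase 1 Local Gateway IP is not on a module interface")
    if enc not in OFFLOAD_ENC:
        reasons.append(f"encryption {enc!r} is not offloadable")
    if auth not in OFFLOAD_AUTH:
        reasons.append(f"authentication {auth!r} is not offloadable")
    if enc == "null" and auth == "null":
        reasons.append("encryption and authentication must not both be null")
    if cfg.get("replay_detection") and not cfg.get("enc_offload_antireplay"):
        reasons.append("replay detection is enabled but enc-offload-antireplay is not")
    if cfg.get("mtu", MIN_MTU) < MIN_MTU:
        reasons.append(f"interface MTU {cfg['mtu']} is below the {MIN_MTU}-byte minimum")
    return reasons


def weak_algorithms(cfg):
    """Offloadable-but-weak algorithms in use; being offloadable is no reason to keep them."""
    algs = {cfg.get("encryption", "").lower(), cfg.get("authentication", "").lower()}
    return sorted(algs & WEAK)


# Constructed sample tunnels, not taken from a real device.
TUNNELS = {
    "branch-a": {"encryption": "AES256", "authentication": "SHA1", "replay_detection": True,
                 "enc_offload_antireplay": True, "local_gw_on_module": True, "mtu": 1500},
    "branch-b": {"encryption": "3DES", "authentication": "MD5", "replay_detection": True,
                 "enc_offload_antireplay": False, "local_gw_on_module": True, "mtu": 1500},
    "lab": {"encryption": "null", "authentication": "null", "local_gw_on_module": True,
            "mtu": 300},
}


def audit(tunnels=TUNNELS):
    """Map each tunnel name to its list of offload blockers."""
    return {name: check_offload(cfg) for name, cfg in tunnels.items()}
```

In the sample set only branch-a is fully offloadable; branch-b is blocked by the anti-replay CLI setting, and lab fails both the null/null rule and the MTU minimum.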