Fortinet FortiGate-ASM-FB4 Release Note
FortiGate-ASM-FB4 Version 1.0 Technical Note
01-30005-0424-20071002
Exceptions to offloading requirements
FortiGate-ASM-FB4 accelerated network processing
To apply hardware accelerated encryption and decryption, the FortiGate unit must
first perform Phase 1 negotiations to establish the security association (SA). The
SA includes cryptographic processing instructions required by the FortiGate-ASM-
FB4 module, such as which encryption algorithms must be applied to the tunnel.
After ISAKMP negotiations, the FortiGate unit sends the SA to the FortiGate-
ASM-FB4 module, enabling the FortiGate-ASM-FB4 module to apply the
negotiated hardware accelerated encryption or decryption to tunnel traffic.
Possible accelerated cryptographic paths are:
• IPSec decryption offload
  • Ingress ESP packet > Offloaded decryption > Decrypted packet egress (fast path)
  • Ingress ESP packet > Offloaded decryption > Decrypted packet to FortiGate unit
• IPSec encryption offload
  • Ingress packet > Offloaded encryption > Encrypted (ESP) packet egress (fast path)
  • Packet from FortiGate unit > Offloaded encryption > Encrypted (ESP) packet egress
HA active-active offloading requirements
FortiGate-ASM-FB4 modules can improve network performance in active-active
(load balancing) high availability (HA) configurations, even though traffic deviates
from general offloading patterns, involving more than one FortiGate-ASM-FB4
module, each in a separate FortiGate unit. No additional offloading requirements
apply.
Once the primary FortiGate unit sends a session key to its FortiGate-ASM-FB4
module, the FortiGate-ASM-FB4 module on the primary unit can redirect any
subsequent session traffic to other cluster members, reducing traffic redirection
load on the primary unit’s main processing resources.
As subordinate units receive redirected traffic, each FortiGate-ASM-FB4 module
in the cluster assesses and processes session offloading independently. Session
key states are not part of synchronization traffic between HA members.
For more information about active-active HA load balancing, see the