Fortinet fortigate-asm-fb4 Release Note

FortiGate-ASM-FB4 Version 1.0 Technical Note
01-30005-0424-20071002
Exceptions to offloading requirements
FortiGate-ASM-FB4 accelerated network processing
To apply hardware accelerated encryption and decryption, the FortiGate unit must 
first perform Phase 1 negotiations to establish the security association (SA). The 
SA includes cryptographic processing instructions required by the FortiGate-ASM-
FB4 module, such as which encryption algorithms must be applied to the tunnel. 
After ISAKMP negotiations, the FortiGate unit sends the SA to the FortiGate-
ASM-FB4 module, enabling the FortiGate-ASM-FB4 module to apply the 
negotiated hardware accelerated encryption or decryption to tunnel traffic.
Possible accelerated cryptographic paths are:
• IPSec decryption offload
  • Ingress ESP packet > Offloaded decryption > Decrypted packet egress (fast path)
  • Ingress ESP packet > Offloaded decryption > Decrypted packet to FortiGate unit
• IPSec encryption offload
  • Ingress packet > Offloaded encryption > Encrypted (ESP) packet egress (fast path)
  • Packet from FortiGate unit > Offloaded encryption > Encrypted (ESP) packet egress
HA active-active offloading requirements
FortiGate-ASM-FB4 modules can improve network performance in active-active 
(load balancing) high availability (HA) configurations, even though traffic in 
these configurations deviates from general offloading patterns by involving more 
than one FortiGate-ASM-FB4 module, each in a separate FortiGate unit. No 
additional offloading requirements apply.
Once the primary FortiGate unit sends a session key to its FortiGate-ASM-FB4 
module, the FortiGate-ASM-FB4 module on the primary unit can redirect any 
subsequent session traffic to other cluster members, reducing traffic redirection 
load on the primary unit’s main processing resources.
As subordinate units receive redirected traffic, each FortiGate-ASM-FB4 module 
in the cluster assesses and processes session offloading independently. Session 
key states are not part of synchronization traffic between HA members.
For more information about active-active HA load balancing, see the