Fortinet fortigate-asm-fb4 Release Note

FortiGate-ASM-FB4 Version 1.0 Technical Note
01-30005-0424-20071002
Examples
Hardware accelerated IPSec processing, involving either partial or full offloading, can be achieved in either tunnel or interface mode IPSec configurations.
To achieve offloading for both encryption and decryption:
• In Phase 1 configuration’s Advanced section, Local Gateway IP must be specified as an IP address of the FortiGate-ASM-FB4 module’s SFP network interfaces. (In other words, if Phase 1’s Local Gateway IP is Main Interface IP, or is specified as an IP address that is not associated with the FortiGate-ASM-FB4 module’s network interfaces, IPSec network processing is not offloaded.)
• In Phase 2 configuration’s P2 Proposal section, if the checkbox “Enable replay detection” is enabled, enc-offload-antireplay and dec-offload-antireplay must be set to enable in the CLI.
• offload-ipsec-host must be set to enable in the CLI.
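The three conditions above can be checked against a configuration backup before relying on offloaded throughput. The following audit script is an added example, not part of the Fortinet technical note. It assumes the FortiOS section names, the local-gw and replay keywords, and that the offload options sit under "config system npu"; the sample configuration is constructed.

```python
# Added example: audit a FortiOS config backup for the offload conditions above.
# Assumed (not stated on this page): the section names, the local-gw and replay
# keywords, and the offload options living under "config system npu".
SAMPLE = """\
config vpn ipsec phase1-interface
    edit "to_FGT2"
        set local-gw 3.3.3.1
        set remote-gw 3.3.3.2
    next
end
config vpn ipsec phase2-interface
    edit "to_FGT2_p2"
        set phase1name "to_FGT2"
        set replay enable
    next
end
config system npu
    set enc-offload-antireplay enable
    set offload-ipsec-host enable
end
"""  # constructed sample for FortiGate_1; dec-offload-antireplay left out on purpose

def parse(text):
    """Return {section: {edit_name: {key: value}}}; section-level 'set' lines use edit name ''."""
    cfg, sec, edit = {}, None, ""
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "config" and not raw[0].isspace():
            sec, edit = cfg.setdefault(" ".join(words[1:]), {}), ""
        elif sec is not None and words[0] == "edit" and len(words) > 1:
            edit = words[1].strip('"')
            sec.setdefault(edit, {})
        elif words[0] == "next":
            edit = ""
        elif sec is not None and words[0] == "set" and len(words) > 2:
            sec.setdefault(edit, {})[words[1]] = " ".join(words[2:]).strip('"')
    return cfg

def offload_findings(text, module_ips):
    """List the reasons IPSec encryption/decryption would not be fully offloaded."""
    cfg, out = parse(text), []
    for kind in ("phase1", "phase1-interface"):
        for name, p1 in cfg.get(f"vpn ipsec {kind}", {}).items():
            if p1.get("local-gw") not in module_ips:
                out.append(f"{name}: local-gw {p1.get('local-gw', 'unset')} is not a module interface IP")
    # Replay detection counts as on unless explicitly disabled (assumed default).
    replay = any(p2.get("replay", "enable") == "enable"
                 for kind in ("phase2", "phase2-interface")
                 for p2 in cfg.get(f"vpn ipsec {kind}", {}).values())
    needed = ["offload-ipsec-host"] + (["enc-offload-antireplay", "dec-offload-antireplay"] if replay else [])
    npu = cfg.get("system npu", {}).get("", {})
    return out + [f"{opt} is not set to enable" for opt in needed if npu.get(opt) != "enable"]
```

Calling offload_findings(SAMPLE, {"3.3.3.1"}) reports the missing dec-offload-antireplay setting; an empty list means all three conditions hold for the tunnels in the backup.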
This section contains example IPSec configurations whose IPSec encryption and decryption processing is hardware accelerated by FortiGate-ASM-FB4 modules. Figure 1 illustrates the example network topology. Table 1 lists the example network interfaces and IP addresses.
Figure 1: Example network topology for offloaded IPSec processing
This section includes the following topics:
Note: Hardware accelerated IPSec does not require both tunnel endpoints to have 
FortiGate-ASM-FB4 modules. However, if hardware is not symmetrical, the packet 
forwarding rate is limited by the slower side.
Table 1: Example network interfaces and IP addresses

                    FortiGate_1                              FortiGate_2
                    Network interface          IP            Network interface          IP
IPSec tunnel        FortiGate-ASM-FB4 port 2   3.3.3.1/24    FortiGate-ASM-FB4 port 2   3.3.3.2/24
Protected network   FortiGate-ASM-FB4 port 1   1.1.1.0/24    FortiGate-ASM-FB4 port 1   2.2.2.0/24

[Figure 1 diagram: FortiGate_1 and FortiGate_2 connect across the Internet through FortiGate-ASM-FB4 port 2 (IPSec), 3.3.3.1/24 and 3.3.3.2/24 respectively. Each unit's FortiGate-ASM-FB4 port 1 faces its protected network: 1.1.1.0/24 behind FortiGate_1 and 2.2.2.0/24 behind FortiGate_2.]