Fortinet fortigate-asm-fb4 Release Note

FortiGate-ASM-FB4 accelerated network processing 
FortiGate-ASM-FB4 Version 1.0 Technical Note
01-30005-0424-20071002
• Outgoing packets must not require fragmentation to a size less than 385 bytes. 
Because of this requirement, the configured MTU for the FortiGate-ASM-FB4 
module’s network interfaces must also meet or exceed the FortiGate-ASM-
FB4-supported minimum MTU of 385 bytes.
If packet requirements are not met, an individual packet will use FortiGate unit 
main processing resources, regardless of whether other packets in the session 
are offloaded to the FortiGate-ASM-FB4 module.
In some cases, due to these requirements, a protocol’s session(s) may receive a 
mixture of offloaded and non-offloaded processing.
For example, FTP uses two connections: a control connection and a data 
connection. The control connection requires a session helper, and cannot be 
offloaded, but the data connection does not require a session helper, and can be 
offloaded. Within the offloadable data session, fragmented packets will not be 
offloaded, but other packets will be offloaded.
Exceptions to offloading requirements
Some traffic types differ from general offloading requirements, but still utilize 
FortiGate-ASM-FB4 modules’ encryption and other capabilities. Exceptions 
include IPSec traffic and active-active high availability (HA) load balanced traffic.
IPSec offloading requirements
FortiGate-ASM-FB4 modules contain features to improve IPSec tunnel 
performance. For example, FortiGate-ASM-FB4 modules can encrypt and decrypt 
packets, reducing cryptographic load on the FortiGate unit’s main processing 
resources.
Requirements for hardware accelerated IPSec encryption or decryption are a 
modification of general offloading requirements. Differing characteristics are:
• origin can be local host (the FortiGate unit)
• in Phase 1 configuration, Local Gateway IP must be specified as an IP 
  address of a network interface on the FortiGate-ASM-FB4 module
• SA must have been received by the FortiGate-ASM-FB4 module
• in Phase 2 configuration:
  • encryption algorithm must be DES, 3DES, AES-128, AES-192, AES-256, 
    or null
  • authentication must be MD5, SHA1, or null
  • if encryption is null, authentication must not also be null
  • if replay detection is enabled, enc-offload-antireplay must also be 
    set to enable in the CLI
Note: If replay detection is enabled in the Phase 2 configuration, you can enable or disable 
IPSec encryption and decryption offloading from the CLI. Performance varies by those CLI 
options and the percentage of packets requiring encryption or decryption. For details, see 
.
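
The configuration-side IPSec requirements listed above can be checked before a tunnel is deployed. The following Python function is an added example, not Fortinet code; the dictionary layout, key names, interface name and addresses are assumptions constructed for illustration. It does not cover the "SA must have been received by the module" condition, which is runtime state rather than configuration.

```python
import ipaddress

OFFLOAD_ENCRYPTION = {"des", "3des", "aes-128", "aes-192", "aes-256", "null"}
OFFLOAD_AUTHENTICATION = {"md5", "sha1", "null"}
MIN_MTU = 385  # FortiGate-ASM-FB4-supported minimum MTU, in bytes

# Constructed sample data: hypothetical port name, documentation-range address.
MODULE_PORTS = {"fb4-port1": {"ip": "192.0.2.1", "mtu": 1500}}
SAMPLE_TUNNEL = {"local_gw": "192.0.2.1", "encryption": "AES-256",
                 "authentication": "SHA1", "replay_detection": True}


def offload_blockers(tunnel, module_ports, enc_offload_antireplay):
    """Return the reasons a tunnel misses the IPSec offloading requirements.

    tunnel: Phase 1/Phase 2 settings (hypothetical key names, see sample)
    module_ports: {name: {"ip", "mtu"}} for ASM-FB4 module interfaces only
    enc_offload_antireplay: "enable" or "disable", as set in the CLI
    """
    reasons = []

    # Phase 1: Local Gateway IP must be an address of a module interface.
    gw = tunnel.get("local_gw")
    match = next((name for name, port in module_ports.items()
                  if gw and ipaddress.ip_address(port["ip"])
                  == ipaddress.ip_address(gw)), None)
    if match is None:
        reasons.append("Local Gateway IP is not an ASM-FB4 interface address")
    elif module_ports[match]["mtu"] < MIN_MTU:
        reasons.append(f"MTU on {match} is below {MIN_MTU} bytes")

    # Phase 2: algorithm lists and the null/null exclusion.
    enc = tunnel["encryption"].lower()
    auth = tunnel["authentication"].lower()
    if enc not in OFFLOAD_ENCRYPTION:
        reasons.append(f"encryption {enc} is not offloadable")
    if auth not in OFFLOAD_AUTHENTICATION:
        reasons.append(f"authentication {auth} is not offloadable")
    if enc == "null" and auth == "null":
        reasons.append("encryption and authentication are both null")

    # Replay detection needs the matching CLI setting.
    if tunnel["replay_detection"] and enc_offload_antireplay != "enable":
        reasons.append("replay detection on, enc-offload-antireplay not enable")
    return reasons


if __name__ == "__main__":
    print(offload_blockers(SAMPLE_TUNNEL, MODULE_PORTS, "disable"))
```

An empty list means the tunnel definition meets every requirement the function checks; each string names one requirement that would keep encryption or decryption on the FortiGate unit's main processing resources.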