Showing posts with label npu. Show all posts

Monday, January 8, 2024

FortiGate NP6 protection functions

sw-np-bandwidth - limits XAUI speed to 2, 4, 5 or 6 so that the ISF's buffer is used

- Can prevent IHP/EHP drops

- But may cause drops on ISF (“sw_np_out_drop_pkts”)

gtse-quota - traffic shaper from CPU to NP6 

- Only on platforms with 1 Gbps ports connected directly to NP6, without ISF

HPE – Host Protection Engine

- Limits the number of packets per second from NP6 to kernel

NP6 not offloading cases



- TCP control flags (SYN, SYN/ACK, FIN, FIN/ACK, RST)

- One ICMP/UDP request and one response

- FGT needs to generate an ICMP message

- An incoming packet needs to be fragmented (an egress packet can be fragmented by the NP)

- Interface flaps

- Policy changes

- Route changes 

- UTM proxy features 

- sFlow

- Session helper control channel

- Manually disabled by policy


Saturday, January 6, 2024

npu_state_err flags

  

While investigating NPU-relevant issues, the following npu_state_err flags in the session table entry could help you identify the cause of the problem. 

bit 0: npu shaper deny, can't install npu shaper
bit 1: npu accounting deny, can't install npu accounting
bit 2: npu protocol check deny, there is something wrong on protocol state check, can't pass it to npu for processing
bit 3: npu invalid protocol, npu can't handle this protocol
bit 4: npu ipsec tunnel deny,
bit 5: npu header deny, can't set npu header
bit 6: npu macvlan bridge deny and rst_tcp (meaning TCP timeout reset)
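
To apply the bit list above to saved session-table output, the following script decodes every non-zero npu_state_err value into the flag names from this post. It is an added example, not code from the original post or from Fortinet. It assumes the field is printed as `npu_state_err=<hex>/<hex>` with one value per traffic direction; the function names and the sample lines are constructed for illustration.

```python
import re

# Bit meanings exactly as listed in the post above (bits 0-6 only).
NPU_STATE_ERR_BITS = {
    0: "npu shaper deny",
    1: "npu accounting deny",
    2: "npu protocol check deny",
    3: "npu invalid protocol",
    4: "npu ipsec tunnel deny",
    5: "npu header deny",
    6: "npu macvlan bridge deny",
}

# Assumption: field format is npu_state_err=<hex>/<hex>, original/reply direction.
FIELD_RE = re.compile(r"npu_state_err=([0-9a-fA-F]+)/([0-9a-fA-F]+)")

def decode_flags(value):
    """Return names of all set bits; bits the post does not list stay 'unknown bit N'."""
    names = []
    bit = 0
    while value >> bit:
        if (value >> bit) & 1:
            names.append(NPU_STATE_ERR_BITS.get(bit, f"unknown bit {bit}"))
        bit += 1
    return names

def scan_sessions(text):
    """Return (line_no, direction, value, flag_names) for each non-zero npu_state_err."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = FIELD_RE.search(line)
        if not match:
            continue
        for direction, raw in zip(("original", "reply"), match.groups()):
            value = int(raw, 16)
            if value:
                results.append((line_no, direction, value, decode_flags(value)))
    return results

# Constructed sample lines (not captured from a real device).
SAMPLE = """\
session A: npu_state_err=00/00
session B: npu_state_err=04/04
session C: npu_state_err=21/00
session D: npu_state_err=80/08
"""

if __name__ == "__main__":
    for line_no, direction, value, names in scan_sessions(SAMPLE):
        print(f"line {line_no} {direction}: 0x{value:02x} -> {', '.join(names)}")
```

Sessions whose values are zero in both directions are skipped, so the output lists only entries that carry an error flag.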

FMG doesn't provide FGD service to hidden devices

1) If a device is hidden (https://docs.fortinet.com/document/fortimanager/7.4.2/administration-guide/115931/hiding-unauthorized-devices), ...