Fortigate ASIC-offloading and SNMP Traffic Counters

A strange problem: if you have created a VLAN-based interface, the SNMP traffic counters return wrong values. You have to disable session offloading to the NP or SP processors. Tested on a 1240b. For test purposes you can disable ASIC offloading per firewall policy; you will then see the SNMP traffic counters get higher.

You can also disable fastpath, SP load balancing, network accelerators, or NP ASIC offloading globally, but this is not recommended on production systems. Be sure you know what you are doing.

To disable NP ASIC offloading globally (this is a temporary command; it returns to the defaults after a reboot):

diag npu <npu version> fastpath disable <NP ID>

The npu version is np4 on the 1240b; for the 3810a it is np1.
The NP ID can be obtained from get hardware npu np4 list, which also shows which ports it is enabled on.

Here is an example of the policy-based method (the more reliable way :) ):

Fortigate1240b # config vdom

Fortigate1240b (vdom) # edit MytestVdom
current vf=MytestVdom:7

Fortigate1240b (MytestVdom) # config firewall policy

Fortigate1240b (policy) # edit 44

Fortigate1240b (44) # sh
config firewall policy
    edit 44
        set srcintf "VLAN78"
        set dstintf "VLAN66_OUT"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

Fortigate1240b (44) # set auto-asic-offload disable

Fortigate1240b (44) # sh
config firewall policy
    edit 44
        set srcintf "VLAN78"
        set dstintf "VLAN66_OUT"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set auto-asic-offload disable
    next
end

Fortigate1240b (44) #

Look at the difference below after disabling offloading.

traffic-chart

PS: This is fixed in FortiOS 5.x.
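To keep track of which policies had offloading switched off this way, for example to turn it back on once the test is over, a saved configuration can be scanned for the setting. This is an added example, not part of the original post: the function names and policy 45 in the sample are made up, and the sample follows the format of the sh output above.

```python
import shlex

# Constructed sample in the format of the "sh" output above; policy 45 is invented.
SAMPLE = """\
config firewall policy
    edit 44
        set srcintf "VLAN78"
        set dstintf "VLAN66_OUT"
        set action accept
        set auto-asic-offload disable
    next
    edit 45
        set srcintf "VLAN66_OUT"
        set dstintf "VLAN78"
    next
end
"""

def parse_policies(text):
    """Parse every 'config firewall policy' block into a list of per-policy dicts."""
    policies, stack, vdom, cur = [], [], None, None
    for raw in text.splitlines():
        # Normalise typographic quotes that creep in when a config is pasted from a web page.
        tok = shlex.split(raw.replace("\u201c", '"').replace("\u201d", '"'))
        if not tok:
            continue
        top = stack[-1] if stack else None
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))      # entering a (possibly nested) section
        elif tok[0] == "end" and stack:
            stack.pop()                          # leaving the innermost section
        elif tok[0] == "edit" and top == "vdom":
            vdom = tok[1]                        # remember which VDOM we are inside
        elif top == "firewall policy":
            if tok[0] == "edit":
                cur = {"vdom": vdom, "id": tok[1]}
                policies.append(cur)
            elif tok[0] == "set" and cur is not None and len(tok) > 2:
                cur[tok[1]] = tok[2:]            # values kept as a list (multi-valued settings)
            elif tok[0] == "next":
                cur = None
    return policies

def offload_disabled(text):
    """Return (vdom, id, srcintf, dstintf) for policies with 'set auto-asic-offload disable'."""
    return [(p["vdom"], p["id"], p.get("srcintf"), p.get("dstintf"))
            for p in parse_policies(text)
            if p.get("auto-asic-offload") == ["disable"]]
```

Calling offload_disabled(SAMPLE) reports only policy 44; a policy without the line is treated as still offloaded.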
