Hardware Offloading for IPsec Encryption/Decryption on FortiGate

Questions and Answers

PDF Questions PDF Answers

Which FortiGate models support hardware offloading of IPsec encryption and decryption?

Only some FortiGate models (correct)

None of the FortiGate models

All FortiGate models

FortiGate models with a specific processor type

By default, is hardware offloading enabled for supported algorithms?

It depends on the processor type

It depends on the model

Yes (correct)

No

What command can you use to disable hardware offloading per tunnel if necessary?

get vpn ipsec stats tunnel

diagnose vpn ike gateway list

config vpn ipsec phase1-interface (correct)

diagnose vpn ike gateway clear

What information does the command 'get vpn ipsec stats tunnel' provide?

Global overall counters related to all active VPNs

What information does the command 'diagnose vpn ike gateway list' provide?

Summarized information about the VPNs

What effect does the command 'diagnose vpn ike gateway clear' have?

Clears all phase-1s of all V-Doms

What command provides detailed information for the active IPsec tunnels?

get vpn ipsec tunnel details

What is the default setting for hardware offloading on FortiGate models?

Enabled for some algorithms

What does the command 'diagnose vpn ike gateway clear' do?

Clears all VPNs

What does the command 'get vpn ipsec stats tunnel' provide?

Global overall counters related to all active VPNs

Which command displays the current IPsec SA information for all active tunnels?

diagnose vpn tunnel list

Which command provides SA information about a specific tunnel?

diagnose vpn tunnel list name {name}

What are the default UDP port numbers for IKE and IKE NAT-T, respectively?

UDP port 500 and UDP port 4500

If NAT-T is enabled and there is a FortiGate located in the middle that is running NAT, what UDP port does IKE traffic use during the tunnel negotiation?

UDP port 4500

What protocol is ESP traffic encapsulated in when NAT-T is enabled?

UDP

If the VPN is up but the traffic can't cross the tunnel, what command should you use to troubleshoot?

debug flow

What does the debug flow command show when traffic is crossing an IPsec tunnel?

Packet entering the tunnel

What does the output of the debug flow command show if the traffic is not crossing the tunnel due to a routing misconfiguration?

Routing misconfiguration

What does the debug flow command display if the traffic drops and why?

Traffic drops and the reason

What does the debug flow command show after the phase-2 negotiation?

Extended authentication