NSE4 Question #67: Real Exam Question with Answer & Explanation

Question

Which is one of the conditions that must be met for offloading the encryption and decryption of IPsec traffic to an NP6 processor?

Options

• ANo protection profile can be applied over the IPsec traffic.
• BPhase-2 anti-replay must be disabled.
• CBoth the phase 1 and phases 2 must use encryption algorithms supported by the NP6.
• DIPsec traffic must not be inspected by any FortiGate session helper.

Explanation

This question asks for a critical condition enabling NP6 hardware acceleration for IPsec encryption and decryption.

Common mistakes.

• A. Protection profiles (e.g., security inspection) typically prevent full session offloading but are not directly a condition for the NP6 to offload the encryption/decryption part if the algorithms are supported.
• B. Phase-2 anti-replay protection is a standard security feature and generally does not prevent NP6 offloading of encryption/decryption, as NP6 chips often support it.
• D. While deep inspection by session helpers or security profiles prevents full session offloading, the NP6 can still offload the encryption/decryption phase even if the decrypted traffic is then sent to the CPU for inspection.

Concept tested. FortiGate NP6 IPsec hardware acceleration requirements

Reference. https://docs.fortinet.com/document/fortigate/7.4.0/hardware-acceleration/258597/np6-offloading-capabilities

No community discussion yet for this question.